“The training and course webinars were excellently presented to prospective candidates, offering clear and engaging content. The accompanying training materials were well-structured and easy to comprehend, effectively supporting understanding of the ISO 27001 standards.”
“This course is an absolute gem for anyone looking to deepen their understanding of ISO 27001. It's hands down the best place to access knowledge that’s otherwise hard to come by. The content is expertly delivered by world-class professionals, making it a truly worthwhile investment of time. I highly recommend it to anyone eager to learn and stay current in the field. Huge thanks to the team for sharing such valuable insights!”
“Module 2 - The planning phase
Recap quiz
ISO 27001 requires the identification of interested parties significant for the information security in your organization to be documented.
It is NOT false.
ISO 27001 does require the identification of interested parties and their requirements to be documented (i.e., maintained as documented information).
Here’s the key text from ISO/IEC 27001:2022, Clause 4.2:
“The organization shall determine the interested parties that are relevant to the information security management system and the requirements of these interested parties relevant to information security.
The organization shall determine which of these requirements will be addressed through the information security management system.”
And per Clause 4.3 and 7.5 (Documented information), ISO 27001 explicitly requires maintaining documentation for these determinations — meaning the analysis of interested parties and their relevant requirements must be recorded.
Or am I misunderstanding something?”
Dear Martin,
Thank you for your feedback and your review.
Please note that in clause 4.2, we have the expression "shall determine." In ISO standards, the expression "shall determine" does not mean that something must be documented.
"Shall" indicates a requirement, meaning that the organization is obligated to do something, in this case, determine relevant interested parties and their requirements. However, it does not imply that this determination must be documented.
In the context of ISO standards, documentation is required only when the expression "shall be documented" is used, or as per clause 7.5, when the organization decides that particular documentation is required. Other than that, you do not need to document anything.
If you have any further questions that we can help with, do not hesitate to contact us at support@advisera.com.
Kind regards,
Advisera Team