In the context of an organization’s Information Security Management System (ISMS), interested parties are individuals or entities with a stake in the organization’s ISMS, whether they want it to succeed or to fail. While most organizations focus on positive interested parties, it is equally important to identify and address negative interested parties who may seek to exploit weaknesses in the ISMS or cause it to fail.

Positive interested parties may include customers, employees, suppliers, and legal authorities, among others. They have a positive stake in the success of the organization’s ISMS and want to see it achieve its objectives. On the other hand, negative interested parties may include competitors, malicious hackers, disgruntled employees or ex-employees, and others who may seek to exploit or undermine the ISMS.

Identifying and addressing negative interested parties is critical to risk management and ISMS success. For instance, failure to properly protect confidential business plans could lead to leakage and exploitation by competitors, resulting in the loss of customers and stakeholder confidence.

ISO 27001 Clause 4.2 requires organizations to identify and list the requirements of all relevant interested parties, including negative interested parties. For example, a malicious hacker’s requirement may be to hack the organization’s computers or applications and access sensitive data. Organizations must implement robust access controls and cryptographic controls to prevent such an attack.

A truly holistic approach to stakeholder and risk management in ISO 27001 requires addressing both positive and negative interested parties. By doing so, an organization can develop a comprehensive risk management plan that effectively addresses all potential risks to the ISMS.

Mark O’Kane – GRC Consultant @ iSTORM