Identify all interested personnel and affected parties.


CONTROL ID
12845
CONTROL TYPE
Process or Activity
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities. (CC ID: 00598)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should establish a general framework for management of major technology-related projects. This framework should, among other things, specify the project management methodology to be adopted and applied to these projects. The methodology should cover, at a minimum, allocation of responsibilities,… (4.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • a list of the various authorities and stakeholders involved in the implementation of the national cybersecurity strategy; (Article 7 1(f), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • the relevant public and private stakeholders and infrastructure involved; (Article 9 4(e), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. This provides the organization with critical information for identifying its actual and potential … (§ 1. Step 1. ¶ 1, GRI 3: Material Topics 2021)
  • The organization should identify who its stakeholders are across its activities and business relationships and engage with them to help identify its impacts. (§ 1. Step 1. Stakeholders ¶ 1, GRI 3: Material Topics 2021)
  • When identifying its stakeholders, the organization should ensure it identifies any individuals or groups it does not have a direct relationship with (e.g., workers in the supply chain or local communities that live at a distance from the organization's operations) and those who are unable to articu… (§ 1. Step 1. Stakeholders ¶ 3, GRI 3: Material Topics 2021)
  • The number of employees, including whether they are full-time, part-time, non-guaranteed hours, permanent or temporary, and their demographic characteristics (e.g., age, gender, geographic location). (§ 1. Step 1. Activities ¶ 1 Bullet 5, GRI 3: Material Topics 2021)
  • The organization should draw a full list of individuals and groups whose interests are affected or could be affected by the organization's activities. Common categories of stakeholders for organizations are business partners, civil society organizations, consumers, customers, employees and other wor… (§ 1. Step 1. Stakeholders ¶ 2, GRI 3: Material Topics 2021)
  • Identify key external stakeholders, and influencers of opinion, and analyze and prioritize their needs and requirements. (OCEG GRC Capability Model, v. 3.0, L1.2 Analyze External Stakeholder and Influencer Needs, OCEG GRC Capability Model, v 3.0)
  • Identify key external stakeholders, and influencers of opinion, and analyze and prioritize their needs and requirements. (OCEG GRC Capability Model, v. 3.0, L4.2 Analyze External Stakeholder and Influencer Needs, OCEG GRC Capability Model, v 3.0)
  • Research and analyze the organizations and key individuals involved within various stakeholder constituencies to understand their concerns and how best to relate to them. (OCEG GRC Capability Model, v. 3.0, L4.1 Understand Stakeholders, OCEG GRC Capability Model, v 3.0)
  • the interested parties that are relevant to the environmental management system; (§ 4.2 ¶ 1 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • identification of the auditee's representative(s) for the audit; (§ 6.3.2.2 ¶ 3 Bullet 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • the interested parties that are relevant to the compliance management system; (§ 4.2 ¶ 1 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should adopt appropriate methods of communication to ensure that the compliance message is heard and understood by all employees on an on-going basis. The communication should clearly set out the organization's expectation of employees and those noncompliances that are expected to b… (§ 7.4.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • with whom to communicate; (§ 7.4.1 ¶ 1 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the interested parties that are relevant to the BCMS; (§ 4.2.1 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • interested parties that are relevant to the information security management system; and (§ 4.2 ¶ 1 a), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations… (§ 6.6.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should define the organization's value generation objectives such that they fulfil the organizational purpose in accordance with the organizational values and the natural environment, social and economic context within which it operates. This should include iterations of identifyi… (§ 6.2.3.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Defining the organizational purpose involves identifying the issues and stakeholders for which the organization exists to serve and the negative impacts that are to be avoided. When identifying these, the governing body should ensure that the following are considered: (§ 6.1.3.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the interested parties that are relevant to the compliance management system; (§ 4.2 ¶ 1 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • with whom to communicate; (§ 7.4 ¶ 1 c), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the other interested parties, in addition to workers, that are relevant to the OH&S management system; (§ 4.2 ¶ 1 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • the interested parties that are relevant to the quality management system: (4.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall monitor and review information about these interested parties and their relevant requirements. (4.2 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the interested parties that are relevant to the compliance management system; (§ 4.2 ¶ 1 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • with whom to communicate; (§ 7.4 ¶ 1 c), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Care should be taken to consider a list of stakeholders, including, but not limited to: (§ 6.3.3 ¶ 3, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • the stakeholders that are relevant to the IT asset management system; (Section 4.2 ¶ 1 bullet 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the interested parties that are relevant to the SMS and the services; (§ 4.2 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The customers, users and other interested parties of the services shall be identified and documented. The organization shall have one or more designated individuals responsible for managing customer relationships and maintaining customer satisfaction. (§ 8.3.2 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • interested parties that are relevant to the information security management system; (§ 4.2 ¶ 1 a), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • with whom to communicate; (§ 7.4 ¶ 1 c), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • identify external interested parties; (§ 4.2 Guidance ¶ 1 Bullet 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • identify internal interested parties; and (§ 4.2 Guidance ¶ 1 Bullet 2, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization determines interested parties relevant to the ISMS and their requirements relevant to information security. (§ 4.2 Required activity, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The cloud service customer should identify the authorities relevant to the combined operation of the cloud service customer and the cloud service provider. (§ 6.1.3 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The organization shall include among its interested parties (see ISO/IEC 27001:2013, 4.2), those parties having interests or responsibilities associated with the processing of PII, including the PII principals. (§ 5.2.2 ¶ 2, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • Ensure specimen collection, management, and referral network and procedures are functional (Pillar 5 Step 2 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • An example of an external stakeholder is a regulatory body that grants an entity a license to operate, but also has the authority to fine the entity or force it to shut down temporarily or permanently. Another example is an investor who provides the entity with capital but who can decide to take tha… (Considering External Environment and Stakeholders ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • According to paragraph .A12 of QM section 10A, matters to consider when evaluating the integrity of a client include the identity and business reputation of the principal owners of the service organization, key service organization management, and those charged with governance. (¶ 2.39, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Identifies personnel (e.g., internal or third-party) with relevant skills and expertise. (App A Objective 13:7a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The types of customers using the products and services. (App A Tier 1 Objectives and Procedures Objective 1:1 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Identify the bank staff, customers, and technology service providers (if applicable) involved in the RDC function. Obtain and review reports of RDC volume (number of transactions and dollar ranges) for the financial institution as a whole and for individual customers. (App A Tier 2 Objectives and Procedures N.1 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Identify the financial institution staff members who perform periodic monitoring of RDC customer activity and describe the process used. (App A Tier 2 Objectives and Procedures N.9 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Identify organizational policy stakeholders. (T0116, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify the continuous monitoring stakeholders and establish a process to keep them informed about the program. (T0981, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify organizational policy stakeholders. (T0116, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify the continuous monitoring stakeholders and establish a process to keep them informed about the program. (T0981, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)