An employee working in a public place is not an interested party, because he/she is part of your company – this person will have to comply with the security policies and procedures that your company develops. Therefore, the security requirements will come from within your company, not from an interested party.
By the way, you will be able to define the security rules for an employee working in a public place after you perform the risk assessment and treatment; this article will explain the concept to you: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
To learn more about interested parties read these articles:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
These materials will also help you regarding security controls:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Thank you very much for your reply. As I understood (I'm examining your book and the CISM guide), an interested party simply means "Person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity". So, for example, should an employee of ANOTHER company who provides financial support to my company and connects to my company's network be listed as an interested party (because he/she can impact my company's security)? In this case what is the requirement? Or must it be handled in the risk management step?
In this case the interested party is the company that is the supplier of financial support.
However, they probably do not have any security requirements for your company; on the other hand, you will have security requirements for them – this is something you have to define during the risk assessment and risk treatment process.
In other words, you are a significant interested party to them, not the other way round.
Jul 08, 2017