Answer: For ISO 27001, stakeholders are known as interested parties and are people or entities that can affect, or be affected by, the Information Security Management System. The most common stakeholders are:
- top management
- employees
- customers
- suppliers
- regulators
- government
2 - How do we identify them?
Answer: The ISO 27001 interested parties are identified based on the analysis of the organizational context (internal and external issues that can affect, or be affected by, the ISMS), and on the legal requirements (e.g., laws, regulations and contracts) the organization has to comply with.
Answer: The ISMS scope is normally defined in terms of information, locations, business units or processes to be protected, not people or roles.
In most cases, the managers that have the highest position in the ISMS are included in the scope - e.g. if only one department is included in the scope then this is the head of the department; if the whole company is included in the scope then this is the CEO of the company.
What happens is that top managers take an essential role in the ISMS implementation, by setting directives and objectives and providing resources.