Power/ Interest Matrix of Interested Parties
Introduction
Effective implementation of an Information Security Management System (ISMS) according to ISO 27001 is not solely a matter of technical controls and policies. Stakeholder engagement is one of the most important determinants of ISMS effectiveness, yet it is often neglected. ISO 27001 (clause 4.2) requires organizations to identify the interested parties relevant to the ISMS and their requirements; in practice this means identifying, analyzing and periodically reviewing the needs and expectations of the stakeholders who can influence, or are influenced by, the organization's information security practices. The Power/Interest matrix is an effective tool for managing this web of relationships.

What Is the Power/Interest Matrix?
The Power/Interest (P/I) Matrix is a simple but effective tool, popularised by Colin Eden and Fran Ackermann, that maps stakeholders on two axes: their interest in a specific outcome or initiative, and their power over (or within) the organization. Applied to ISO 27001, it clarifies how to allocate resources, effort and communication across the parties that influence, or are affected by, information security management.
Axes Description:
Power: The influence a stakeholder has over the ISMS, its policy decisions or its security outcomes. This may be formal authority (e.g., executives or the board), subject-matter expertise, control over budget, or the ability to block initiatives.
Interest: The degree to which a stakeholder is concerned with, or affected by, the organization's information security outcomes. Interest is high, for example, among customers worried about a breach of their data, regulators enforcing compliance obligations, or partners and resellers who share the organization's risk exposure.
The Four Quadrants
- High power, high interest: Key players. Manage closely.
- High power, low interest: Keep satisfied.
- Low power, high interest: Keep informed.
- Low power, low interest: Monitor with minimum effort.
Developing the Power/Interest Matrix of the ISMS/ISO 27001
Step 1: Identify All Stakeholders
Begin by compiling an exhaustive list of interested parties, both internal and external. Typically these include:
- The top management and board
- Compliance and IT teams
- Employees
- Clients and customers
- Vendors and suppliers
- Regulatory bodies
- Investors, shareholders and trade associations
- Competitors, the media and the general public
Step 2: Evaluate Power and Interest
For each stakeholder:
Evaluate power: Consider decision-making authority, control over budget, influence over regulation, and the ability to set or veto security policies.
Assess interest: Determine how strongly the stakeholder is affected by ISMS outcomes, e.g. their risk exposure, compliance obligations, or reputational stake.
This evaluation can draw on interviews, surveys, reviews of past incidents, consultations with the interested parties themselves, and analysis of contractual and regulatory requirements. Record the basis for each rating so the classification can be justified to auditors and revisited at review time.
Step 3: Place Stakeholders on the Matrix
Place each stakeholder in one of the four quadrants of the matrix, each of which implies an engagement strategy:
- High power, high interest: Key players (manage closely)
- High power, low interest: Keep satisfied
- Low power, high interest: Keep informed
- Low power, low interest: Monitor (minimal effort)
Deep Dive: The Four Types of Stakeholders
1. High Power/High Interest Key Players
Who?
Senior executives, the CISO, senior compliance officers, major clients whose data protection is covered by contractual terms, and key regulators.
Why They Matter:
They drive strategic decisions, control resources, shape policy, and have real skin in the game. Their support or criticism can make or break the ISMS.
Best Practices of Engagement:
- Involve them early in policy development and risk management.
- Provide regular, in-depth updates.
- Seek their input on the controls and resources required.
- Include them in incident response exercises and post-incident reviews.
- Maintain high-quality two-way communication.
2. High Power/Low Interest: Keep Satisfied
Who?
Board members not directly involved in the ISMS, other investors, and the external certification auditor at the most senior level.
Why They Matter:
These parties may decide on overall budget or policy even though they are not involved day to day. Their dissatisfaction, even when security is a marginal concern for them, can become a stumbling block.
Best Practices:
- Report periodically on ISMS performance and return on investment.
- Address concerns before they become serious.
- Avoid excessive detail; present strategic wins and assurance about the organization's security posture.
3. Low Power/High Interest: Keep Informed
Who?
Hands-on employees, technical staff, managers of departments without ISMS ownership, most users, smaller partners, and selected clients.
Why They Matter:
They carry out day-to-day security measures, spot weaknesses, and can be either allies or sources of resistance.
Best Practices:
- Offer regular, accessible refresher training.
- Encourage the reporting of risks and incidents.
- Seek their suggestions and feedback.
- Promote a culture of security awareness.
4. Low Power/Low Interest: Monitor (Minimum Effort)
Who?
Occasional users, distant competitors, the media, and secondary partners that do not process sensitive information.
Why They Matter:
They typically pose negligible short-term risk and contribute little, but they can suddenly become significant when an incident becomes public or a major regulatory change occurs.
Best Practices:
- Passive monitoring is acceptable; set alerts for significant changes.
- Maintain basic public communication and be ready to act quickly if their interest or power changes.
Using the Matrix: From Theory to Practice in the ISMS
1. Alignment of ISMS Initiatives: By knowing who the key players are, organizations can ensure that ISMS objectives and projects are aligned with what matters most to the stakeholders with the greatest influence. This makes executive buy-in and budget commitment more likely.
2. Optimal Resource Allocation: Focus training, communication, awareness and change-management effort on the stakeholders who have the greatest impact on ISMS outcomes, and avoid over-investing in groups with little influence or interest.
3. Proactive Risk Management: The matrix helps identify where risks may arise from stakeholder disengagement or resistance. For example, failing to keep a regulator (high power, high interest) informed can lead to an audit failure or a penalty. By contrast, dissatisfied low-power stakeholders are more likely to make noise than to force a change of policy.
4. Support for Certification and Continual Improvement: The matrix makes the rationale behind stakeholder engagement explicit, which auditors expect to see as evidence of systematic, risk-based management, a core attribute of ISO 27001. It also keeps the ISMS adaptable, because stakeholders can be reclassified whenever a new threat, regulation or business change alters their power or interest.
5. Response to Change: In periods of rapid change (e.g., regulatory changes, mergers, major incidents), the matrix helps recalibrate who needs to be engaged, about what, and when, so that the right people are involved in the right activities at the right time.
Advantages Of The Power/Interest Matrix In ISMS/ISO 27001
- Clarity and Focus: Reduces complex relationships to what really matters in terms of risk, compliance and strategic support.
- Proactive Management: Avoids last-minute firefighting. Allies are identified early, there is time to build support, and likely opponents can be addressed ahead of time.
- Audit Readiness: Demonstrates a mature, documented stakeholder engagement model, which supports the ISO 27001 requirement to understand interested parties and their requirements.
- Increased Resilience: Ensures that those best placed to support or affect the ISMS are identified and managed, contributing to the resilience of the system as a whole.
- Resource Efficiency: Maximizes the return on time, investment and training by directing them to where they make a real difference.
Conclusion
In managing an ISO 27001 ISMS, it soon becomes clear that technical controls and processes are only part of the solution; resilience and compliance also depend substantially on understanding and influencing people. The Power/Interest Matrix turns stakeholder engagement from a theoretical principle into a practical method, helping organizations build effective and sustainable information security governance.