
A.18.1.1 Identification of applicable legislation and contractual requirements

suoira | Created: Aug 31, 2022 | Last commented: Sep 06, 2022


A.18.1.1 is good to go (just reference the policy and note that due to sensitivity and attorney client privilege, the policy was retained)

To satisfy the control, is it enough for an organization to just state that they identify & manage the relevant legislative, statutory, regulatory, and contractual requirements in their information security policy document? I am trying to understand if other evidence, like a separate defined list of laws or at least an email from their legal department, is absolutely necessary to fulfill it. For context, what if the organization has stated that "due to sensitivity and attorney client privilege" they would not share anything more than that first statement to reference? Thank you.


Expert: Rhand Leal | Sep 06, 2022

1 - To satisfy the control, is it enough for an organization to just state that they identify & manage the relevant legislative, statutory, regulatory, and contractual requirements in their information security policy document?

In the Information Security Policy, you can only state the commitment to fulfill legal requirements and refer to the document where the relevant legislative, statutory, regulatory, and contractual requirements are listed.

You also need to implement your security policies and procedures, which will satisfy the identified legislative, statutory, regulatory, and contractual requirements.

These articles will provide you with further explanation:

2 - I am trying to understand if other evidence, like a separate defined list of laws or at least an email from their legal department, is absolutely necessary to fulfill it. For context, what if the organization has stated that "due to sensitivity and attorney client privilege" they would not share anything more than that first statement to reference?

Please note that while this statement may work for most situations, due to business or legal needs you may need to share part or the whole information with third parties (e.g., in case a supplier needs a better understanding of a security clause, or if legal authority demands it). In such cases, you should evaluate if the value of sharing the information overwhelms the risks. In this case, you should consider presenting only the minimum information required and add an NDA.

This article can provide related information:
