A.18.1.1 is good to go (just reference the policy and note that due to sensitivity and attorney-client privilege, the policy was retained)
To satisfy the control, is it enough for an organization to just state that they identify and manage the relevant legislative, statutory, regulatory, and contractual requirements in their information security policy document? I am trying to understand if other evidence, like a separate defined list of laws or at least an email from their legal department, is absolutely necessary to fulfill it. For context, what if the organization has stated that "due to sensitivity and attorney-client privilege" they would not share anything more than that first statement to reference? Thank you.
1 - To satisfy the control, is it enough for an organization to just state that they identify and manage the relevant legislative, statutory, regulatory, and contractual requirements in their information security policy document?
In the Information Security Policy, you can only state the commitment to fulfill legal requirements and refer to the document where the relevant legislative statutory, regulatory, and contractual requirements are listed.
You also need to implement your security policies and procedures, which will satisfy the identified legislative, statutory, regulatory, and contractual requirements.
These articles will provide you with further explanation:
- What is the ISO 27001 Information Security Policy, and how can you write it yourself? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/
- Information security policy – how detailed should it be? https://advisera.com/27001academy/blog/2010/05/26/information-security-policy-how-detailed-should-it-be/
2 - I am trying to understand if other evidence, like a separate defined list of laws or at least an email from their legal department, is absolutely necessary to fulfill it. For context, what if the organization has stated that "due to sensitivity and attorney-client privilege" they would not share anything more than that first statement to reference?
Please note that while this statement may work for most situations, due to business or legal needs you may need to share part or all of the information with third parties (e.g., in case a supplier needs a better understanding of a security clause, or if a legal authority demands it). In such cases, you should evaluate whether the value of sharing the information outweighs the risks. If it does, you should consider presenting only the minimum information required and adding an NDA.
This article can provide related information:
- 3 reasons why ISO 27001 helps to protect confidential information in law firms https://advisera.com/27001academy/blog/2019/10/15/iso-27001-for-law-firms-3-ways-to-maintain-confidentiality/
Sep 06, 2022