I would now have the question on the Risk Assessment / Treatment Methodology: what exactly must be included in the "list of legal, regulatory and contractual or other requirements", or what is the recommendation?
The list of legal, regulatory, and contractual or other requirements summarizes all requirements, interested parties, and responsible persons for complying with requirements that must be fulfilled by the ISMS.
An example of how to fill in the List of Legal, Regulatory, Contractual, and Other Requirements is this scenario:
A customer has a service level agreement with your company which defines, in clause 32-b, that in case of a disruptive incident, access to information system ABC must be restored to at least 30% of normal capacity in no more than 24 hours. In this case, the person responsible for system ABC is responsible for ensuring compliance of the system with this requirement. Then your document would be like this:
Interested party: Customer Jon
Requirement: Clause 32-b (recovering access to system ABC to at least 30% of normal capacity in no more than 24 hours)
Document: Service level agreement
Person responsible for compliance: System ABC administrator
Deadline: 24 hours after the occurrence of a disruptive incident which makes access to system ABC unavailable