Conformio - setting up people and departments

Guest user Created:   Sep 15, 2021 Last commented:   Sep 15, 2021

I am starting on the list of requirements. As far as contracts are concerned, I understand that we specify the clause(s) of the contracts and what they require. So, that seems fine so far.

What detail is required?

As far as legislation is concerned, I'm not sure how specific we get. For example, in relation to the UK GDPR/Data Protection Act 2018, do we just specify "Article 5(1)(f) of the UK GDPR - Integrity and Confidentiality (the security principle)"?

You have a helpful list of legislation that may possibly affect ISO 27001. Do you have a more detailed analysis showing which parts of those acts etc. are specifically relevant to ISO 27001? For example, I believe that the Human Rights Act and the Freedom of Information Act only apply to public authorities. There are quite a lot of acts etc. that I have heard of but don't know in detail, e.g. the Electronic Communications Act 2000. Do I have to work through all of these to see if they apply to us? That looks like a long job!

Valid from and deadline dates

What are these dates aimed at?


Expert
Rhand Leal Sep 15, 2021

1 - I am starting on the list of requirements. As far as contracts are concerned, I understand that we specify the clause(s) of the contracts and what they require. So, that seems fine so far.

Answer: Please note that the contracts in the list of requirements are those which prioritize the clauses your organization needs to comply with regarding interested parties (e.g., contracts with your customers).

Contracts that prioritize the clauses the interested parties need to comply with on your behalf are controlled through the Supplier Security Policy, which is provided by Conformio.

For further information, see:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

2 - What detail is required.

2.1 - As far as legislation is concerned, I’m not sure how specific we get. For example, in relation to the UK GDPR/Data Protection Act 2018 do we just specify “Article 5(1)(f) of the UK GDPR - Integrity and Confidentiality (the security principle)”.

Answer: The level of detail must be sufficient to allow the person designated for complying with the requirement to understand what needs to be fulfilled, or where to find such information. Your example falls in the second type (i.e., you identify where the details to fulfill the clause can be found). An example of the first type would be a clause from a contract with a customer specifying that a full backup of all their information needs to be performed weekly.

2.2 - You have a helpful list of legislation that may possibly affect ISO 27001. Do you have a more detailed analysis showing which parts of those acts etc. are specifically relevant to ISO 27001? For example, I believe that the Human Rights Act and the Freedom of Information Act only apply to public authorities.

There are quite a lot of acts etc. that I have heard of but don't know in detail, e.g. the Electronic Communications Act 2000. Do I have to work through all of these to see if they apply to us? That looks like a long job!

Answer: Please note that the list of legislation provided in Conformio is a starting point. Since each organization can have a different level of compliance needs for each one, it is unfeasible to provide a more detailed analysis. Our recommendation is for companies to hire local expert advice to help identify their specific needs.

3 - Valid from and deadline dates

3.1 - What are these dates aimed at?

Answer: The valid from date refers to the date when the requirement was published (i.e., when the law/regulation was published).

The deadline date refers to the date by when the requirement must start to be enforced in the organization (in most cases it is related to an enforcement date defined in the law/regulation).
