I am starting on the list of requirements. As far as contracts are concerned, I understand that we specify the clause(s) of the contracts and what they require. So, that seems fine so far.
What detail is required
As far as legislation is concerned I’m not sure how specific we get. For example, in relation to the UK GDPR/Data Protection Act 2018, do we just specify “Article 5(1)(f) of the UK GDPR - Integrity and Confidentiality (the security principle)”?
You have a helpful list of legislation that may possibly affect ISO 27001. Do you have a more detailed analysis showing which parts of those acts etc. are specifically relevant to ISO 27001? For example, I believe that the Human Rights Act and the Freedom of Information Act only apply to public authorities.
There are quite a lot of acts etc. that I have heard of but don’t know in detail, e.g. the Electronic Communications Act 2000. Do I have to work through all of these to see if they apply to us? That looks like a long job!
Valid from and deadline dates
What are these dates aimed at?