Contractual obligations

1 - I hope you are well and don’t mind me reaching out. I am in the process of drafting legal and contractual obligations for the company ISMS and wanted to ask if you would kindly be able to share an example of each?

I’m struggling to find examples online, particularly for contractual requirements and how this should be documented.

I’m assuming that the question is about legal and contractual obligations for suppliers.

Considering that, we are not legal experts, so what we can provide you are statements about what needs to be considered for the drafting of legal and contractual obligations. You should consult a legal expert for him to draft the legal clauses properly.

Here are some examples related to suppliers:

• Right to audit: the organization has the right to audit and test the security controls periodically, or upon significant changes to the relationship.
• Response time to vulnerabilities: provide, in a timely manner, proper treatment for known vulnerabilities that may impact the organization’s business.

Here are some examples related to contracts with employees:

• responsibilities regarding the classification and handling of information and information-related assets
• actions to be taken if security requirements are violated by the involved parties

For further information, see:

• Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
• What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

This material can also help you:

• Security Clauses for Suppliers and Partners https://advisera.com/27001academy/documentation/security-clauses-for-suppliers-and-partners/

2 - It would also be good to know in your experience, the average number of legal and contractual obligations a medium sized organisation would usually need to have.

Any help would be greatly appreciated.

Please note that there is no number or range to be considered as a reference. The number of legal and contractual obligations to be considered by an organization will depend on the results of risk assessment and applicable legal requirements (i.e., the laws, regulations, and contracts an organization must fulfill).