Creating the Register of Legal, Contractual, and Other Requirements
I'm in the process of creating the Register of Legal, Contractual, and Other Requirements.
Q: how specific do I need to be? Is this where I list all our clients, suppliers, etc etc or do I give more top-line information and detail the specific interested parties later on?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
First is important to note that in this module, you need to list only the requirements of customers and regulators you need to comply with. Requirements related to suppliers are handled only in case there are risks that justify handling them.
Considering that, you should list each regulation as a unique entry because they are typically related to a specific reference (e.g., data privacy in Europe refers to GDPR and in Brazil to LGPD).
Regarding clients, you can group the clients with the same requirements together (e.g. if you have the same agreement signed with all of them), or you should list them separately if their security requirements are very different.
Regarding the level of detail, you can include only a summary of the requirement and refer to another document where more detailed information can be found.
Comment as guest or Sign in
Oct 19, 2023