Ensuring contractual and regulatory requirements are met
Answer: This means a company has to be compliant with:
- All the agreements it has signed with its buyers and partners - e.g. service level agreements (SLAs), contractual clauses about access control, intellectual property, encryption of data, etc.
- Regulations and legislation - e.g. privacy laws like GDPR, and specific regulations for particular industries (e.g. health, financial, etc.)
These articles will help you:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
- Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
We received these questions:
>1- Is this documentation mandatory?
Answer: According to ISO 27001, clause 7.5.1 b), documents considered by the organization as necessary for the effectiveness of the ISMS must be considered mandatory.
That said, contracts, regulations, and laws that may be used as inputs to the risk management process or to define requirements for security controls must be considered mandatory.
>2 - Does this need to be stated in the security policy or can it be left out?
Answer: You can include an overall statement about complying with legal and contractual requirements, but I recommend that you keep this information separate from the Information Security Policy, because otherwise you might need to update the Policy too often.
Aug 30, 2018