Filling documents
The purpose of this template is not to define requirements, only to identify where they can be found, who defined them, who are responsible for their implementation, and by which date.
Requirements are defined by the interested parties (e.g., top management, customers, suppliers, employees, government agencies, etc.) which are relevant to your information security management system (ISMS), and are usually documented as laws, regulations, contracts, agreements, and other similar documents, which are identified in this annex.
For example, you can have a service contract with your main customers where they require backup to be performed in a certain way and use a defined technology. In this template, you will identify the requirements (backup method and technology to be used), where they can be found (service contract ***), who defined them (customer), who is responsible for them (e.g., IT manager), and the implementation deadline (e.g., end of October 2021).
Considering that:
1 - Requirements for the procurement, commissioning, and approval for the use of non-organizational IT services may be determined by the IT manager together with the key users of such services and documented in the “Appendix 1 – Specification of Information System Requirements”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance.
2 - Requirements for the use of confidentiality agreements when passing on sensitive information may be determined by information owners, and their way of implementation documented in the “Information Classification Policy”, located in folder 08_Annex_A_Security_Controls >> A.8_Asset_Management.
6 - Requirements from business relationships (e.g., reporting obligations to the client) are documented in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in documents which will depend on the requirements defined.
7 - Requirements for key sovereignty may be determined by the IT manager together with the users of services that use these keys, and their way of implementation documented in the “Policy on the Use of Encryption”, located in folder 08_Annex_A_Security_Controls >> A.10_Cryptography.
8 - Security-relevant requirements for information security with regard to the handling of event logs (e.g., requirements from contracts) are determined in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.
9 - Extended requirements for the control and administration of networks are determined in contracts and service agreements, for which organizations usually already have their own defined templates, and their way of implementation documented in “Security Procedures for IT Department”, located in folder 08_Annex_A_Security_Controls >> A.12_Operations_Security.
Once requirements are defined and identified in the List of Legal Regulatory Contractual and Other Requirements:
3 - The procedures for user authentication are documented in the “Access Control Policy”, located in folder 08_Annex_A_Security_Controls >> A.9_Access_Control.
4 - The requirements for development and test environments are documented in the “Secure development policy”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance.
5 - Measures to meet the procurement and license management requirements with regard to intellectual property rights and the use of software products protected by copyright are documented in the “Appendix 1 – Specification of Information System Requirements”, located in folder 08_Annex_A_Security_Controls >> A.14_System_Acquisition_Development_and_Maintenance, and in the “IT Security Policy”, located in folder 08_Annex_A_Security_Controls >> A.8_Asset_Management.
This article will provide you with a further explanation about requirements identification:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
Jun 16, 2021