Filling template List of Legal, Regulatory, Contractual and Other Requirements
We acquired the ISO 22301 Documentation Toolkit some time ago and just started to implement the ISMS for our company. I was delegated the project manager role for this project and as this kind of project is completely new to me, I’m not sure whether I understand everything correctly. Right now we are at the stage of identifying the requirements and expectations of interested parties and I expect that people I’m about to interview will have trouble formulating their needs. I anticipate them going into much technical details about defining SLA, RTO, and RPO for their related Information Systems which, as I understand, must be done later. However, I’m not sure what can be mentioned as requirements and how to help interested parties formulate their requirements. Could you please share some experience, maybe in a form of real-life examples, for filling up the “List of Legal, Regulatory, Contractual and Other Requirements”, with the focus on internal Information Resource owners’ requirements?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
I'm assuming that since you bought the ISO 22301 Documentation Toolkit you are referring to implement BCMS and not ISMS.
As sources for identification of legal requirement, you must look for service level agreements, outsourcing contracts, laws, industry regulations, etc., and the precise requirements that must be fulfilled (e.g., the clauses).
An example of how to fill in the List of Legal, Regulatory, Contractual and Other Requirements, is this scenario:
A customer has a service level agreement with your company which defines, on clause 32-b, that in case of a disruptive incident, access to information system ABC must be restored to at least 30% of normal capacity in no more than 24 hours. In this case the person responsible for system ABC is responsible to ensure compliance of the system to this requirement. Then your document would be like this:
Interested party: Customer Jon
Requirement: Clause 32-b (recovering access to system ABC to at least 30% of normal capacity in no more than 24 hours)
Document: Service level agreement
Person responsible for compliance: System ABC administrator
Deadline: 24 hours after occurrence of disruptive incident which makes access to system ABC unavailable
This article will provide you further explanation about identifying requirements:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/ (although this article is about information security, the same concept applies to business continuity)
If such kind of requirements has not been previously put down in any kind of internal paperwork, is it possible that some of requirements from internal interested parties be listed as a reference to a questionarie or interwiew transcript where this requirement is mentioned? With the questionarie or transcript registred and attached to the set of documents for BCM?
ISO 22301 does not prescribe any format as the input source of legal, contractual and other requirements, so it is acceptable to use the transcript of questionnaires or interviews where they are mentioned. However, it is important to note that if they are related to provided products or services, instead of using the transcript as register, you should consider writing them on formal documents like contracts or service agreements, considering the potential use of legal disputes or actions.
Finally, all such requirements (no matter in which form are they expressed) have to be listed in List of legal, regulatory and contractual requirements.
Comment as guest or Sign in
Oct 23, 2019