Expert Advice Community
Filling template List of Legal, Regulatory, Contractual and Other Requirements

Guest user | Created: Oct 14, 2019 | Last commented: Oct 23, 2019

We acquired the ISO 22301 Documentation Toolkit some time ago and have just started to implement the ISMS for our company. I was delegated the project manager role for this project, and as this kind of project is completely new to me, I'm not sure whether I understand everything correctly. Right now we are at the stage of identifying the requirements and expectations of interested parties, and I expect that the people I'm about to interview will have trouble formulating their needs. I anticipate them going into many technical details about defining SLA, RTO, and RPO for their related information systems, which, as I understand, must be done later. However, I'm not sure what can be mentioned as requirements and how to help interested parties formulate their requirements. Could you please share some experience, maybe in the form of real-life examples, for filling in the "List of Legal, Regulatory, Contractual and Other Requirements", with a focus on internal information resource owners' requirements?


Rhand Leal Oct 14, 2019

I'm assuming that, since you bought the ISO 22301 Documentation Toolkit, you are referring to implementing a BCMS and not an ISMS.

As sources for the identification of legal requirements, you must look for service level agreements, outsourcing contracts, laws, industry regulations, etc., and the precise requirements that must be fulfilled (e.g., the clauses).

An example of how to fill in the List of Legal, Regulatory, Contractual and Other Requirements is this scenario:

A customer has a service level agreement with your company which defines, in clause 32-b, that in case of a disruptive incident, access to information system ABC must be restored to at least 30% of normal capacity in no more than 24 hours. In this case the person responsible for system ABC is responsible for ensuring the system complies with this requirement. Then your document would look like this:

Interested party: Customer Jon
Requirement: Clause 32-b (recovering access to system ABC to at least 30% of normal capacity in no more than 24 hours)
Document: Service level agreement
Person responsible for compliance: System ABC administrator
Deadline: 24 hours after occurrence of disruptive incident which makes access to system ABC unavailable

This article will provide you with further explanation about identifying requirements:
- How to identify ISMS requirements of interested parties in ISO 27001 (although this article is about information security, the same concept applies to business continuity)

Mihails Oct 22, 2019

If such requirements have not previously been put down in any kind of internal paperwork, is it possible that some of the requirements from internal interested parties could be listed as a reference to a questionnaire or interview transcript where the requirement is mentioned, with the questionnaire or transcript registered and attached to the set of documents for the BCM?

Rhand Leal Oct 23, 2019

ISO 22301 does not prescribe any format for the input source of legal, contractual and other requirements, so it is acceptable to use the transcripts of questionnaires or interviews where they are mentioned. However, it is important to note that if they are related to provided products or services, instead of using the transcript as the register, you should consider writing them into formal documents like contracts or service agreements, considering their potential use in legal disputes or actions.

Finally, all such requirements (no matter in which form they are expressed) have to be listed in the List of legal, regulatory and contractual requirements.
