
Expert Advice Community

Fulfilling control A.18.1.1

Guest user
Created: Jul 03, 2018
Last commented: Jul 03, 2018

Hi there, I have a few questions regarding completing the list of statutory, regulatory, and contractual requirements (clause A.18.1.1). Could you help me out with the following?

Expert
Rhand Leal Jul 03, 2018

1 - Do contractual requirements refer to any contract or service agreement we have made with a supplier, for example telecommunications or web hosting?

Answer: Contractual requirements refer to any contract or service agreement relevant to information security, established not only between your organization and suppliers, but with customers and employees too.

These articles will provide you with information about what to consider as contractual requirements:
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

2 - Should the list of regulatory and legal requirements include those required by our clients? For example, the Civil Contingencies Act needed for an emergency service or local council we would be providing a service to.

Answer: Regulatory and legal requirements relevant to information security must consider requirements from any relevant interested party, such as customers, suppliers, regulators, governments, etc.
These articles will provide you with information about interested parties and their requirements:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
