How to create item 4 of ISO 27001

I understand that you are referring to the list of legal requirements for ISO 27001.

Considering that, although the type of information to be gathered to fulfill requirements of section 4 (Organization Context) are basically the same for ISO 9001 to ISO 27001 (e.g., the requirement, responsible, due date, etc.), and by this, if the spreadsheet provided by your consultancy is compliant with ISO 9001, then it also complies with ISO 27001, the requirements for quality are very different from requirements for information security.

For example, for ISO 27001 the requirement would be to comply with LGPD, whereas for ISO 9001 the requirement would be to comply with some manufacturing-related regulation. So it would be better to list the legal, regulatory, and contractual requirements in separated documents for ISO 27001 and for ISO 9001.

To see how a document that lists the legal requirements for ISO 27001 looks like, I suggest you take a look at the free demo of  our List of Legal, Regulatory, Contractual and Other Requirements at this link: https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/

This article will provide you a further explanation about the identification of requirements:

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/