
Expert Advice Community

How to fill out "Appendix 1 - List of Legal, Official, Contractual and Other Requirements"

Guest user Created:   Dec 09, 2021 Last commented:   Dec 09, 2021

Do you have a specific company example of how to fill out "Appendix 1 - List of Legal, Official, Contractual and Other Requirements"? Unfortunately, the description in the document does not help me, nor do the linked articles. We need concrete examples to apply this to our company. - The same applies to the definition of the ISMS scope. Unfortunately, the linked articles do not help here either. Do you have an example from a company of what the definition can look like?

Expert
Rhand Leal Dec 09, 2021

Here is a practical example of how to fill the List of Legal, Official, Contractual and Other Requirements template:

Consider that a customer named Jon has a service level agreement with your company which defines, in clause 32-b, that access to all information provided by the customer to information system ABC is restricted to customer personnel only. In this case, the person responsible for system ABC is responsible for ensuring the system's compliance with this requirement. Then your document would look like this:

Interested party: Customer Jon
Requirement: Clause 32-b (Information provided to system ABC is restricted to the customer's personnel)
Document: Service level agreement
Person responsible for compliance: System ABC administrator
Deadline: when system ABC is made available for customer use

Besides Service Level Agreements, you should consider laws and regulations applicable to the locations where you operate in the same way as described in the example (i.e., identifying the interested party, requirement, document, etc.). For the identification of specific requirements for your organization, we recommend you seek expert legal advice.

Regarding the example for the ISMS scope, it can be defined in terms of information, location or process to be protected, and here are some examples:

  • The ISMS scope is the customer and Research and Development data of organization ABC.
  • The ISMS scope is the Headquarters of organization ABC.
  • The ISMS scope is the software and development process of organization ABC.

By the way, included in your toolkit you have access to a video tutorial that can help you develop the scope, with real data examples.
