Identifying Legal Requirements
Answer: The most common ways to gather this kind of information are by interviewing people involved in the process (e.g., operators, technical staff, process owners, contract managers, legal support, etc.), reading the available documentation, and by doing an Internet search. By applying these three methods you will have a good base for which legal, regulatory and other requirements you must comply with.
2 - And what if my organization has several locations in different countries?
Answer: The methods described are still applicable, but you have to ensure that you also collect this information from people living in those countries, not only from someone who made an Internet search, because they generally have a closer and better view of what is relevant and needed in terms of requirements.
This article will provide you with further explanation about identifying requirements:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
These materials will also help you regarding identification of legal requirements:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Feb 14, 2017