I have attended a number of your webinars, and on many occasions you have provided additional references for implementing ISO 22301/27001. We are in the process of implementing ISO 22301. In my experience, I have not implemented or worked on the full scope of an ISO 22301 implementation as we are doing now at ***. The Project Manager here has requested: "Activate your network to seek out someone working in a company that is ISO 22301 (preferably) or 27001 certified who'd accept to tell us how 4.2.2 was implemented."
4.2.2 Legal and regulatory requirements
The organization shall:
a) implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, activities and resources;
b) ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS;
c) document this information and keep it up to date.
I have not worked for a company that has achieved these certifications. In my experience, this information was identified as we worked through BIAs, BCPs, DRPs, etc. We have already done some identification of legal and regulatory requirements in an initial discovery exercise for developing the Context of the Organization. Obviously this is not a one-and-done effort, but we have not yet developed a process.
Would you be able to share any insights/information on this?
The purpose of this document is to define the process of identification of interested parties, as well as statutory, regulatory, contractual, and other requirements related to information security and business continuity, and responsibilities for their fulfillment.
This article will provide you with a further explanation of the identification of requirements (the same concepts apply to ISO 22301):