
Expert Advice Community

ISO 27001 & Regulatory laws

Guest
ouani Created:   Aug 03, 2018 Last commented:   Aug 04, 2018

Hi, just a quick one. Does being ISO 27001 compliant automatically mean being regulatory & local laws compliant? Can a company be ISO 27001 compliant without being compliant with local & regulatory laws?
Guest
ouani Aug 04, 2018

Anyone?

Expert
Rhand Leal Aug 05, 2018

>1 - Hi, just a quick one. Does being ISO 27001 compliant automatically mean being regulatory & local laws compliant?

Answer: Being ISO 27001 compliant does not automatically ensure compliance with local regulations and laws. It is necessary that a representative of such legal requirements assesses the compliance (like a certification auditor would do to certify the implementation against ISO 27001).

>2 - Can a company be ISO 27001 compliant without being compliant with local & regulatory laws?

Answer: If identified local regulations and laws are not applicable, an organization can decide not to implement actions to be compliant with them and still be compliant with ISO 27001. If these local regulations and laws are identified as applicable, then the organization will only be compliant with ISO 27001 if it properly treats the requirements related to these regulations and laws.

This article will provide you further information:
- How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

Guest
ouani Aug 05, 2018

Thx a lot for your answer, Rhand. So we agree a company cannot get ISO 27001 certification if it is not compliant with regulations and laws.

But a company can be certified before a new regulation comes out (like GDPR). If it wants its ISO 27001 certification to be renewed, it shall get GDPR compliant before the next audit.

Got it right?

Expert
Rhand Leal Aug 27, 2018

A company cannot maintain ISO 27001 certification if it is not compliant with regulations and laws that it identifies as applicable to it. If after the certification audit it identifies a new applicable legal requirement it must comply with (e.g., GDPR), then it has to plan to include this new legal requirement in its ISMS and provide evidence that related controls are already implemented by the next audit.

Guest
ouani Aug 27, 2018

Thx a million!
