Looking through our List of Legal, Regulatory, Contractual and Other Requirements documents, we had a question. As a small company that deals with commercial driving fleets, are we expected to have a long list of these requirements? Of the list of requirements that were listed on the article linked in the actual document, none really applied to us. We do not operate in individual states that have these requirements, so we had very few there.
As a whole, it seems like we only have a few contractual requirements with our customers. Does that seem right?
First, it is important to note that the article linked to the template is only a starting point (it is updated by contributions of our readers and may not be fully up to date). Our recommendation is for you to seek local legal advice so they can help you identify other legal requirements you need to consider for your ISO 27001 implementation (e.g., local laws and regulations).
ISO 27001 does not prescribe how long the list of Legal, Regulatory, and Contractual requirements must be. It is likely your list will be short since normally transportation companies are not security regulated, but they might have some privacy regulations that are applicable.