Procedure for Identification of Requirements
1 - We have two business units. One is located at site A and the other here at site B.
The unit that will be certified will be the one at site B. Do I need to include information from site A as well, such as laws and regulations?
You only need to include legal requirements from your site A that may define information security requirements for your site B.
For example, if both sites exchange information, and a customer contract signed with site A states that information needs to be protected in a specific way (e.g., by using a specific cryptographic technology), then a reference to this contract needs to be included in the list of legal requirements of site B, the one to be certified.
For further information, see:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
2 - Another question: do we need to specify the names and types of customer contracts?
ISO 27001 does not prescribe which information needs to be recorded in a list of requirements, so you can define the information that best suits your needs. You can either use the type of contract, when you have, for example, many contracts which follow the same model, or name them specifically, when it is important to track the requirements of a specific customer.
May 31, 2021