
Expert Advice Community

Register of Legal, Contractual, and Other Requirements - how detailed?

Guest user Created:   Aug 20, 2021 Last commented:   Aug 20, 2021

I am stuck as to where to start on the Register of Requirements for this section.

One client may have 30+ contractual requirements.

1 - Do I list each requirement separately or put all 30 of the items in the "Description of the requirement" field?

2 - Do I limit the items to just those that are security-related?

3 - Most of our customers are banks, and we fill out a SIG that has hundreds of security-related questions. It seems impractical to list all of these in the register for each customer.

Suggestions?

Expert
Rhand Leal Aug 20, 2021

1 - Do I list each requirement separately or put all 30 of the items in the "Description of the requirement" field?

The way of handling this situation will depend on who will be responsible for fulfilling the requirements. If a single role will be responsible for all requirements, then you can include a single record. In case the specific requirements are to be treated by different roles (e.g., there are privacy requirements, continuity requirements, compliance requirements, etc.), then it is better to split the requirements into different records.

To avoid making the description excessively long, you can identify only the clause instead of including all of its text.

2 - Do I limit the items to just those that are security-related?

For ISO 27001 compliance purposes you only need to include the requirements related to information security.

3 - Most of our customers are banks, and we fill out a SIG that has hundreds of security-related questions. It seems impractical to list all of these in the register for each customer.

Suggestions?

In cases like this one you only need to refer to the customer's Standardized Information Gathering (SIG) questionnaire. You do not need to include each question in the register, only the reference to the document that contains them, so that the person responsible for fulfilling them knows where to find them.
