Expert Advice Community


Register of Legal, Contractual, and Other Requirements

Guest user Created:   Jul 14, 2021 Last commented:   Jul 14, 2021


I needed more clarification on this section. What information needs to be listed in the register? For contractual requirements, I am guessing this would be our customers, since they have a contract with us, but would we have to list all our customers? There are too many, and for privacy reasons we cannot list any customers. If we can list just a general "Customer", that should be okay, but I am not sure what other parties need to be included.


Expert
Rhand Leal Jul 14, 2021

The content of this register is defined by the interested parties (e.g., top management, customers, suppliers, employees, government agencies, etc.) that are relevant to your information security management system (ISMS). Their requirements are usually documented as laws, regulations, contracts, agreements, and other similar documents, which are identified in this register.

For example, you can have a service contract with your main customers in which they require backups to be performed in a certain way and with a defined technology. In this template, you will identify the requirements (backup method and technology to be used), where they can be found (service contract ***), who defined them (the customer), who is responsible for them (e.g., the IT manager), and the implementation deadline (e.g., end of October 2021).

Regarding contracts, you need to consider not only contracts with customers but also those with employees and suppliers, i.e., with all parties that are relevant to information security.

You do not need to list all your customers. You can list only the more relevant ones (e.g., those with the highest values, the strategic ones, etc.), which can be identified by codes to protect privacy.

If you have signed the same agreements with, e.g., customers, you do not need to list each party separately - you can simply list them together, e.g. "customers", and specify the security requirements from those standardized agreements.

This article will provide you with further explanation about requirements identification:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
