Register of Legal, Contractual, and Other Requirements
The content of this register is defined by the interested parties (e.g., top management, customers, suppliers, employees, government agencies, etc.) that are relevant to your information security management system (ISMS). Their requirements are usually documented as laws, regulations, contracts, agreements, and other similar documents, which are identified in this document.
For example, you can have a service contract with your main customers in which they require backups to be performed in a certain way and with a defined technology. In this template, you identify the requirements (backup method and technology to be used), where they can be found (service contract ***), who defined them (customer), who is responsible for them (e.g., IT manager), and the implementation deadline (e.g., end of October 2021).
Regarding contracts, you need to consider not only contracts with customers but also those with employees and suppliers, i.e., with all parties that are relevant to information security.
You do not need to list all your customers. You can list only the more relevant ones (e.g., those with the highest values, the strategic ones, etc.), which can be identified by codes to protect privacy.
If you have signed the same agreements with, e.g., several customers, you do not need to list each party separately; you can list them together, e.g., as "customers", and specify the security requirements from those standardized agreements.
This article provides a further explanation of requirements identification:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
Jul 13, 2021