I'm quite early on in the ISO27001 process and I'm being asked to list out all of our interested parties, along with the Name of the law/regulation and the Description of the requirement.
It is suggested that we try to enter all the requirements because it will cause big delays later. However, it feels early on in the process and I don't necessarily know all the requirements yet.
Q: should I go through all of the GDPR and other regulatory requirements, along with supplier and client documents & contracts, to source all their requirements in detail, or is this a top level exercise?
Should I be listing each client/ regulation and each requirement separately, or doing a top level summary of the regulation/ clients and their potential requirements?
I feel a little at sea - am I supposed to be led through this process more or is it up to me now to dive into the detail of regulators & client/supplier information management requirements?
1 - should I go through all of the GDPR and other regulatory requirements, along with supplier and client documents & contracts, to source all their requirements in detail, or is this a top-level exercise?
Identification of legal requirements (e.g., laws, regulations, and contracts) can be time and resource-consuming, so you should consider prioritizing those most relevant to the organization. A quick interview with the managers of the areas included in the ISMS scope will help you (they do not need to list all requirements, but initially, those they consider most relevant for information security).
In most cases, these requirements will be enough to help you identify the majority of the entries needed to design and implement the Information Security Management System. In any case, you can always come back later to include a newly identified requirement (ISO 27001 does not require you to identify all requirements at once but to work continuously to identify them).
2 - Should I be listing each client / regulation and each requirement separately, or doing a top level summary of the regulation / clients and their potential requirements?
I feel a little at sea - am I supposed to be led through this process more or is it up to me now to dive into the detail of regulators & client/supplier information management requirements?
You should list the regulations separately because they are typically very different. Regarding clients, you can group the clients with the same requirements together (e.g., if you have the same agreement signed with all of them), or you should list them separately if their security requirements are very different.
For further information, see:
- Who are interested parties, and how can you identify them according to ISO 27001 and ISO 22301? https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
Oct 18, 2023