Expert Advice Community

Register of requirements

Created:   Oct 13, 2023 Last commented:   Oct 18, 2023


I'm quite early on in the ISO 27001 process and I'm being asked to list out all of our interested parties, along with the name of the law/regulation and the description of the requirement.

It is suggested that we try to enter all the requirements because it will cause big delays later. However, it feels early on in the process and I don't necessarily know all the requirements yet.

Q: Should I go through all of the GDPR and other regulatory requirements, along with supplier and client documents & contracts, to source all their requirements in detail, or is this a top-level exercise?

Should I be listing each client/regulation and each requirement separately, or doing a top-level summary of the regulations/clients and their potential requirements?

I feel a little at sea - am I supposed to be led through this process more, or is it up to me now to dive into the detail of regulators' and client/supplier information management requirements?


Expert: Rhand Leal, Oct 18, 2023

1 - should I go through all of the GDPR and other regulatory requirements, along with supplier and client documents & contracts, to source all their requirements in detail, or is this a top-level exercise?

Identification of legal requirements (e.g., laws, regulations, and contracts) can be time- and resource-consuming, so you should consider prioritizing those most relevant to the organization. A quick interview with the managers of the areas included in the ISMS scope will help you (they do not need to list all requirements, but initially only those they consider most relevant for information security).

In most cases, these requirements will be enough to help you identify the majority of the entries needed to design and implement the Information Security Management System. In any case, you can always come back later to include a newly identified requirement (ISO 27001 does not require you to identify all requirements at once but to work continuously to identify them).

2 - Should I be listing each client / regulation and each requirement separately, or doing a top level summary of the regulation / clients and their potential requirements?

I feel a little at sea - am I supposed to be led through this process more or is it up to me now to dive into the detail of regulators & client/supplier information management requirements?

You should list the regulations separately because they are typically very different. Regarding clients, you can group the clients with the same requirements together (e.g., if you have the same agreement signed with all of them), or you should list them separately if their security requirements are very different.

For further information, see:
