Regulatory compliance
Answer:
To ensure proper identification of regulations related to an ISMS scope, in most cases you need expert support, either internal from experienced personnel who work on the processes included in the scope, or external from legal consultants. Once these regulations are identified, you can identify the clauses that are related to information security, and which security controls are needed to handle these clauses.
You can start by using this list of laws and regulations: Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
But please note that this list is not exhaustive.
Thank you so much for your answer. As an auditor, if your client's argument is "My only duty according to A.18.1 is to identify and list regulations related to the scope defined for my ISMS", and if he/she is able to demonstrate that task, should I record that control as a conformity? I.e. the company includes only regulations related to the one service (in scope), but they didn't list other general regulations, for instance labor laws applying to their employees.
If such general regulations do not have an impact on the ISMS, they can leave them out of the scope and the control would be compliant.
Sep 20, 2018