Expert Advice Community


Scope of legal and contractual requirements

Guest user. Created: Sep 23, 2020. Last commented: Sep 23, 2020


Hi, in this list https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/ for France and the European Union, there are mainly regulations regarding personal data protection. In my understanding, ISO 27001 requires listing all the regulations that apply to the business of the company seeking the ISO certification, which would be much wider.
For example, our company provides billing software. I would have listed all French regulations related to billing and not only data protection. Is my interpretation of the norm too wide?


Expert
Rhand Leal Sep 23, 2020

Please note that ISO 27001 requires only requirements relevant to information security, not all the regulations in a country.

Additionally, please note that the list in the article you mentioned is not fully up-to-date because it depends on voluntary contributions from our readers – therefore, it is likely that not all regulations for each country are listed (some even may have been withdrawn). To make sure you have the latest list of laws and regulations, it would be best to hire a local legal adviser.

For further information, see:
