Template content - List of Legal, Regulatory Contractual requirements
Now I have 2 questions if you could help me with these:
If I choose to use 02.1 Appendix 1 (List of Legal, Regulatory and Contractual Requirements) right at the start of the project (because Annex A control 18.1.1 is also likely to be applicable), could you explain to me:
1. How detailed a description should be used when documenting “legislative, regulatory and contractual requirements”? I mean, do you need to write down the Act of the applicable law and name every individual contract and its points (vendor name, contract point and description of the matter)?
2. What does the standard mean by “identify and document the organization's approach to meet these requirements”?
1. How detailed a description should be used when documenting “legislative, regulatory and contractual requirements”? I mean, do you need to write down the Act of the applicable law and name every individual contract and its points (vendor name, contract point and description of the matter)?
The level of detail should be enough that the person in charge of ensuring that the ISMS fulfills such requirements is capable of understanding what needs to be done, or where he/she can find this information. In general, a good approach would be to identify the name of the requirement, its general purpose, and the specific clauses to be fulfilled (in case there are too many of them, you can try to mention only the main sections where they can be found). In the case of contracts, you do not need to list each and every contract. You can group them by type, or include only those related to relevant interested parties.
2. What does the standard mean by “identify and document the organization's approach to meet these requirements”?
By this requirement, you have to identify and document the policies, procedures or plans that are used to fulfill such requirements. For example, if you have a requirement that data must be protected against unavailability, you can fulfill this requirement by stating that the organization's approach is the implementation of a backup process.
Nov 13, 2019