Expert Advice Community


Template content - List of Legal, Regulatory Contractual requirements

Guest: Jan Zilliacus. Created: Nov 13, 2019. Last commented: Nov 13, 2019.


Now I have 2 questions; could you help me with these?

If I choose to use 02.1 Appendix 1 (List of Legal, Regulatory Contractual requirements) right at the start of the Project (because Annex A 18.1.1 control is also likely to be applicable), could you explain to me:

1. How detailed a description should be used when documenting “legislative, regulative and contractual requirements”? I mean, do you need to write down the Act of the applicable law and name every individual contract and its points (vendor name, contract point and description of the matter)?
2. What does the standard mean by “identify and document the organization's approach to meet these requirements”?

Expert: Rhand Leal, Nov 13, 2019

1. How detailed a description should be used when documenting “legislative, regulative and contractual requirements”? I mean, do you need to write down the Act of the applicable law and name every individual contract and its points (vendor name, contract point and description of the matter)?

The level of detail should be enough so that the person in charge of ensuring that the ISMS fulfills such requirements is capable of understanding what needs to be done, or where he/she can find this information. In general, a good approach would be to identify the name of the requirement, its general purpose, and the specific clauses to be fulfilled (in case there are too many of them, you can try to mention only the main sections where they can be found). In the case of contracts, you do not need to list each and every contract. You can group them by type, or include only those related to relevant interested parties.

2. What does the standard mean by “identify and document the organization's approach to meet these requirements”?

By this requirement, you have to identify and document the policies, procedures or plans that are used to fulfill such requirements. For example, if you have a requirement that data must be protected against unavailability, you can fulfill this requirement by stating that the organization's approach is the implementation of a backup process.

Guest: Jan Zilliacus, Nov 13, 2019

OK, thank you for your answer Rhand!
