Expert Advice Community

Guest

Who is qualified to determine compliance with laws and regulations?

  Quote
Guest
rich_iso_consultant Created:   Aug 23, 2017 Last commented:   Aug 23, 2017

Who is qualified to determine compliance with laws and regulations?

I’ve successfully led organizations to certification to ISO 9001, 22301, and 27001. I’ll admit to what may be an elephant in the room for many of us in the industry, that I was able to get through the requirement for complying with all applicable laws and regulations by showing a list of laws like the one below from this site and documenting a policy and statement that we comply with all of them. To be honest, I don’t know how anyone can understand all the requirements of these laws or the completeness of the list and verify that we’re in compliance. It takes months and many tens of thousands of dollars to understand and ensure conformance to one ISO standard. I’ve now been asked to review a list of laws from a country where we plan to do business. I can push it to our legal department, but it seems an absurd exercise. Is it really possible for anyone to ensure applicability and compliance to this list and the similar lists for other countries, especially someone in an ISO management system role who is not a lawyer? 6 CFR Part 29 Procedures for Handling Critical Infrast ructure Information – Department of Homeland Security ACH Rules Book of 2001 (National Automated Clearing House Association – NACHA) Adam Walsh Child Protection and safety Act of 2006 Cable Communications Policy Act (Cable Act) of 1984 California SB 1386 Security of Non-encrypted Customer Information of 2003 (State of California) and progeny The Californian Online Privacy Protection Act of 2004 Children’s Internet Protection Act (CIPA) of 2001 Children’s Online Privacy Protection Act (COPPA) of 1998 Communications Assistance for Law Enforcement Act (CALEA) of 1994 Computer Fraud and Abuse Act (CFAA) of 1986 (FTC – Federal Trade Commission) Computer Security Act of 1987 – (Superseded by the Federal Information Security Management Act (FISMA) Consumer Credit Protection Act (CCPA) of 1992 Section 2001 Title IX – Electronic Funds Transfer Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 Deleting Online Predators Act of 2006 The Digital Millennium Copyright Act of 1998 Driver’s Privacy Protection Act of 1994 Electronic Communications Privacy Act (ECPA) of 1986 Electronic Freedom of Information Act (E-FOIA) of 1996 Electronic Fund Transfer Act (EFTA) (OCC) Fair and Accurate Credit Transactions Act (FACTA) of 2003 Family Education Rights and Privacy Act (FERPA; also know as the Buckley Amendment) of 1974 Federal Acquisition Regulation: Electronic Funds Transfer Final Rule (Securities and Exchange Commission) Federal Information Security management Act (FISMA) of 2002 (FTC) Federal Trade Commission Act (FTCA) of 1999 FERC COOP 2007: FERC RM01-12-00 (FERC – Federal Energy Regulatory Commission) FFIEC FIL 67-97/82-96 (FFIEC – Federal Financial Institutions Examination Council) FFIEC Policy SP-5 (FFIEC – Federal Financial Institutions Examination Council) FIPA – Florida Information Protection Act of 2014 Foreign Corrupt Practices Act 1977 (P.L 95-213) Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999 Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule #7. Contingency Plan 164.308 (a)(7)(i) Inter-Agency Policy of 1997 from Federal Financial Institutions Examination Council (FFIEC) Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System of 2003 – Federal Reserve System; OCC (Office of the Comptroller of the Currency); SEC (Securities and Exchange Commission) Internet Gambling Prohibition and Enforcement Act IRS Procedure 91-59 (superseded IRS Procedure 86-19) (IRS – Internal Revenue Service) Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth of 2010 Minnesota Plastic Card Security Act (PCSA) of 2007 NASD Rule 108 (Sept 9, 02) and SR-NASD 2002-112 (March 10 2003)(Release No. 34-48503: File NO SR-NASD-2002-108)(NASD (North American Securities Dealers Association) / SEC) NASD Rule 3500: Emergency Preparedness Part 3510: Business Continuity Plans (NASD) NASD Rule 3500: Emergency Preparedness Parts 3520: Emergency Contact information (NASD) NERC(North American Electric Reliability Corporation)(CIP) Critical Infrastructure Protection – Cyber Security Nevada Security of Personal Information Law of 2005 NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan (CFTC – Commodity Futures Trading Commission) NYSE Rule 446 : Business Continuity and Contingency Planning (NYSE – New York Stock Exchange) OCC 2001-47. Third Party Relationships of 2001 (OCC – Office of the Comptroller of the Currency) Privacy Act of 1974 (SUSC552a) Privacy Protection Act (PPA) of 1980 Public Law 110-53 Title IX (PS Prep) Right to Financial Privacy Act (RFPA) of 1978 Sarbanes-Oxley Act of 2002 (PL 107-204 2002 HR 3763) – Section 404 (PCAOB (Public Company Accounting Oversight Board)) Sarbanes-Oxley Act of 2002 : Section 409 (PCAOB) Securities and Exchange Act, Sections 32(a) and (b) (SEC) Telecommunications Act of 1996 Telephone Consumer Protection Act (TCPA) of 1991 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) of 2001 Video Privacy Protection Act of 1988 discussion and overview Washington State HB 1149: Protecting consumers from breaches of security of 2009
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Guest
karanbirsingh Aug 23, 2017
According to my experience, It's the compliance officer who is responsible for determining all the applicable laws.
Quote
0 0
Expert
Rhand Leal Aug 24, 2017
In fact this is a complex question, basically a balance between the costs and effort related to perform such a task and the risk of not being in compliance with legal requirements (with impacts ranging from financial fines, disruption of business operations to prison).

And you are right in the thinking that hardly a single person will be capable to cover all these requirements and ensure compliance with them, specially if it is not a lawyer (even whole groups of experts may find this a difficult task).

Now, regarding ISO management systems, they do not define how you should perform this compliance assurance, only that you must assure compliance with what you identified as relevant, and together with the concept of managing risks and opportunities now incorporated to the new releases of ISO management standards, you have a way to handle this situation.

Considering the assessment of risks and opportunities, you can identify, let's say, the 20 legal requirements most relevant to your organization, and work on them, assuming the risk of not being compliant with all the re st until the next assessment cycle. For an ISO management system this is perfectly acceptable (you have identified the risk and consciously made a decision).

Particularly, what I have seen about legal requirements is that local requirements sometimes repeat the national requirements, or include a few additional points, so one approach is to identify the main national requirements and start from there to identify the local ones.
Quote
0 2

Comment as guest or Sign in

HTML tags are not allowed

Aug 22, 2017

Aug 24, 2017