ISO 27001 requires all relevant legislative statutory, regulatory, contractual requirements related to information security to be identified and kept up-to-date, but what exactly are these legal requirements? And what’s the most effective way to define these for your Information Security Management System (ISMS)?
What are the ISMS legal requirements that ISO 27001 requires you to identify?
The requirement to comply with Information Security statutory and regulatory requirements, also expressed as legal requirements, occurs in various clauses of the ISO 27001 standard including:
- 4.2 Understanding the needs and expectations of interested parties… requirements of interested parties may include legal and regulatory requirements and contractual obligations.
- 5.2 Policy… includes a commitment to satisfy applicable requirements related to information security.
Annex A provides a reference set of generic information security controls and implementation guidance (ISO 27002:2022) on identifying your legal requirements including:
- 5.5 Contact with authorities… ensure appropriate flow of information takes place with respect to information security between the organisation and relevant legal, regulatory and supervisory authorities.
- 5.31 Legal, statutory, regulatory and contractual requirements… ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.
- 5.32 Intellectual property rights… ensure compliance with legal, statutory, regulatory and contractual requirements related to intellectual property rights and use of proprietary products.
- 6.1 Screening… background verification checks on all candidates should be carried out taking into consideration applicable laws and regulations.
- 8.10 Information deletion… prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion.
Examples of ISO 27001 Information Security related Legal requirements for your ISMS
Listing relevant statutory and regulatory requirements in a legal register within your Information Security Management System will help you determine how the requirements apply and what controls are in place to manage the requirement. Here’s a few examples of what you could include in your legal register:
Data Protection Act 2018 / GDPR Regulations
The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). It defines the requirements applicable to the management of personal data.
Privacy and Electronic Communications Regulations 2003
Complements the general data protection regulation and sets out more-specific privacy rights and requirements on electronic communications.
The Copyright Designs and Patents Act 1988
Defines requirements to protect intellectual property including broadcast and public performance, copying, adapting, issuing, renting and lending copies to the public.
Other legal requirements to consider in your ISO 27001 legal register may include regulations relating to the availability of resources such as the Employment Rights Act 1996 (ERA) or the Coronavirus Act 2020.
Contractual agreements
Employment contracts, non-disclosure agreements and supplier agreements should include setting information security requirements and clearly stating the consequences of committing an information security policy violation. Responsibilities still valid after termination of employment should also be stated in terms and conditions of employment.
Legal Requirements of other countries
You will also need to consider relevant compliance requirements if you conduct business in other countries or use products and services from other countries where laws and regulations can affect the organisation. It is recommended to seek legal advice when ensuring compliance with relevant legislation and regulations, especially when encrypted information or cryptography tools are moved across jurisdictional borders.
Maintaining your ISO 27001 Information Security Legal register
The introduction of new legislation or changes to existing legislation should be identified and communicated to relevant employees as soon as possible. As an Information Security manager, you’ll need to:
- Determine whether a piece of amended legislation, or new legislation is relevant to your ISMS
- Determine how the requirements apply and what controls are in place to manage the requirement
- Determine that the organization is compliant with the legislation
- Undertake periodic reviews of Information Security legal requirements to ensure continued compliance of your Information Security Management System.
How Legal Compliance Manager Software can help you maintain your ISO 27001 ISMS legal register
One of the easiest ways to maintain your Information Security legal register is to use software such as the ISOvA Legal Compliance Manager, which provides you with a list of over 240 UK statutory and regulatory requirements.
Simply review questions such as ‘Do you sell to consumers?’ or ‘Do you employ people?’ to identify if the legislation is relevant to your organisation. Clicking on ‘further information’ will take you to a webpage that explains the purpose of the requirement with examples of evidence required - See Step 2: Legal Register for further information.
The ISOvA Legal Compliance Manager ensures that your ISMS automatically updates with the latest Information Security legislations or changes to existing legislations. ISOvA also provides a free legal updates newsletter with a summary of those changes.
