ISO 27001 A.18.1.1: How to satisfy Legal, Regulatory, Contractual, and other requirements

From an information security management point of view, complying with the applicable laws, regulations and contractual obligations can be as much of a challenge as dealing with the ever-evolving threat landscape and new forms of attack. What many organizations fail to understand is that both are equally important.

Mandatory requirements can come in the form of labour laws, IT-related safety requirements, intellectual property and copyright laws, and privacy, data encryption and data protection laws; the never-ending list can be quite intimidating. Are you taking every step necessary to ensure that the laws and regulations that apply to you are being followed?

Laws and regulations are living entities that may vary depending on industry, country and the type of information involved, among other factors. Depending on your industry, your business may be quite familiar with regulation or entirely new to it. The frequency of security-related incidents and the magnitude of their impact have made governments around the world aware of the need to protect people and businesses against the improper handling of sensitive information.

This is an evolving theme: as technology becomes ubiquitous, new laws and regulations never cease to appear. One simple example is the recent Cybersecurity Disclosure Act of 2017, an American bill that would require publicly traded companies to disclose in their periodic filings whether their board includes members with cybersecurity expertise.

It is important to understand that failing to adopt reasonable security measures exposes a company not only to cybercriminals, but also to hefty fines or penalties from regulators, lawsuits for negligence, and unwanted media exposure that may damage the image, brand and ultimately the value of the company.

But what is the best way to do it?

How should you keep up with evolving rules that may change the way a company does business within a fairly short period? The starting point is making sure that all applicable legislation and requirements are identified.

“All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization.” – ISO 27001 A.18.1.1 control

This approach is essential for every organization. Even if you don’t plan to pursue ISO certification, you can still be negatively impacted if you cannot show that all applicable laws and regulations are systematically followed.

How do I maintain a list of applicable laws, regulations or contractual obligations?

A common mistake is assuming that this is the responsibility of the IT department or the information security team alone. To be certain of your mandatory requirements, it is essential to have support from other departments such as legal, human resources and even finance.

It is quite common for a company to be subject to several regulations at once; depending on how you do business, these may include the laws of multiple countries, which in some cases have conflicting requirements. The best approach is to work with your legal department (or a specialized consultant) to create an outline of all the regulations and contractual obligations. Identify which requirements affect the organization, then review the results with your security staff to determine whether your current security measures are sufficient for compliance or whether additional measures are required.

Note that understanding your mandatory requirements is only the first step. It is also necessary to make sure there is sufficient evidence that your organization complies with each and every one of them. For instance, if you intend to satisfy the ISO 27001 A.18.1.1 control, compliance-related evidence may include:

  • A published compliance policy, supported by standards, procedures and guidelines;
  • A documented inventory of every applicable law, regulation, contractual obligation and any other form of security requirement your organization needs to comply with;
  • Emails exchanged with the legal/compliance team and others with information security compliance obligations and skills (e.g. privacy, procurement, HR, finance, IT) concerning compliance matters in the information security context;
  • Agendas, minutes or notes of meetings with those people on related matters, demonstrating an active, current dialogue, especially when the board is involved;
  • Internal reports concerning applicable compliance obligations, ideally with evidence that management is actively engaged in assessing the extent to which compliance is needed and is aware of the risks of non-compliance;
  • Compliance assessment, review or audit reports, noting their content, form, distribution and status;
  • Project plans, progress reports, budgets or any other information regarding compliance-related projects, to gauge how engaged management is.

Evidence of this kind should be more than enough to demonstrate your compliance or to identify areas that require improvement. Note that creating and maintaining a list of applicable laws and regulations takes real effort; if it is not prepared correctly, it becomes a genuine risk to your organization, because it creates a false sense of compliance.

A quick Google search will turn up several sites with compiled lists of worldwide laws and regulations on information security, but relying on these is an entirely informal effort. An excellent alternative is to use a professional consulting service on applicable laws and standards. Hiring an expert who understands the complex and ever-changing requirements that apply to your specific line of business can be of great value.

The effects of regulatory compliance on information security are complex, but there is no way around them: you have to face them. A lot of time and effort can be saved by having your legal department become familiar with the relevant laws and regulations, or by hiring specialists who work at the intersection of regulatory compliance and IT security. In the end, your regulatory compliance efforts will translate into making good security practices a reality, and add considerable value to your company.