ISO 27001:2022 A 5.31 Legal, statutory, regulatory and contractual requirements


Organizations are subject to numerous laws, regulations, and contractual obligations that specify requirements for the appropriate management and protection of diverse sets of information. Understanding and maintaining compliance with these different requirements can be difficult. Laws, regulations and contractual requirements form a large part of an organization’s information security responsibilities. Organizations should have a clear understanding of their obligations at any one time and be prepared to adapt their information security practices in accordance with their role as a responsible data handler. Establishing compliance means taking a complete look at the areas in which your organization has responsibilities, whether legal, regulatory, contractual, or self-imposed. Important elements to consider when developing a plan for compliance include the following:

  • Awareness of relevant regulations/laws. (Do you know what you need to follow?)
  • Awareness of relevant policies. (Do you know what policies apply to information use?)
  • Awareness of relevant contractual agreements. (Do you know what agreements your organization has made that impose conditions on the use of data?)
  • Awareness of relevant standards or best practices. (Do you know what standards or best practices your organization chooses to follow with respect to information use?)
  • Management of organizational records. (Do you know what you need to keep and for how long?)
  • Awareness of how records are managed by your organization.
  • Approach to complying with each item. (Do you know what your organization is doing to follow the law?)
  • Awareness of internal and/or external audit activities. (Do you know what internal/external audits exist and what is required to meet or pass these reviews?)

Organizations should keep in mind their legal, statutory, regulatory and contractual requirements when:

  1. Drafting and/or amending their information security procedures and internal policy documents.
  2. Designing, amending or implementing information security controls.
  3. Categorising information when considering their broader information security requirements, either for organisational purposes or related to their relationships with a third party (suppliers etc.).
  4. Undergoing risk assessments relating to information security activities, including internal roles and responsibilities relating to an organisational structure.
  5. Establishing the nature of a supplier relationship, and their contractual obligations throughout the supply of products and services.

Control

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.

Purpose

To ensure compliance with legal, statutory, regulatory and contractual requirements related to information security.

ISO 27002 Implementation Guidance

General
External requirements including legal, statutory, regulatory or contractual requirements should be taken into consideration when:
a) developing information security policies and procedures;
b) designing, implementing or changing information security controls;
c) classifying information and other associated assets as part of the process for setting information security requirements for internal needs or for supplier agreements;
d) performing information security risk assessments and determining information security risk treatment activities;
e) determining processes along with related roles and responsibilities relating to information security;
f) determining suppliers’ contractual requirements relevant to the organization and the scope of supply of products and services.

Legislation and regulations
The organization should:
a) identify all legislation and regulations relevant to the organization’s information security in order to be aware of the requirements for their type of business.
b) take into consideration compliance in all relevant countries, if the organization:

  • conducts business in other countries.
  • uses products and services from other countries where laws and regulations can affect the organization.
  • transfers information across jurisdictional borders where laws and regulations can affect the organization.

c) review the identified legislation and regulation regularly in order to keep up to date with the changes and identify new legislation.
d) define and document the specific processes and individual responsibilities to meet these requirements.


Cryptography
Cryptography is an area that often has specific legal requirements. Compliance with the relevant agreements, laws and regulations relating to the following items should be taken into consideration:
a) restrictions on import or export of computer hardware and software for performing cryptographic functions.
b) restrictions on import or export of computer hardware and software which is designed to have cryptographic functions added to it.
c) restrictions on the usage of cryptography.
d) mandatory or discretionary methods of access by the countries’ authorities to encrypted information.
e) validity of digital signatures, seals and certificates.
It is recommended to seek legal advice when ensuring compliance with relevant legislation and regulations, especially when encrypted information or cryptography tools are moved across jurisdictional borders.

Contracts
Contractual requirements related to information security should include those stated in:
a) contracts with clients.
b) contracts with suppliers.
c) insurance contracts.


All relevant legislative, statutory, regulatory and contractual requirements, and the organization’s approach to meeting them, should be explicitly identified, documented and kept up to date for each information system and for the organization as a whole. The specific controls and individual responsibilities needed to meet these requirements should also be defined and documented. Managers should identify all legislation applicable to their organization in order to meet the requirements for their type of business. If the organization conducts business in other countries, managers should consider compliance in all relevant countries. Organizations should “define and document” internal processes and responsibilities that allow them to:

  • Identify, analyze and understand their legislative and regulatory obligations relating to information security, including periodic reviews of legislation and regulations.
  • Ensure that they remain compliant across all legislative and regulatory environments in whatever countries they operate in. This extends to the use of products and services that originate outside of the country they usually operate in.

The objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security, and of any other security requirements. This is an important part of the information security management system (ISMS). The goal here is to outline effective practices for identifying compliance obligations, as well as the roles and responsibilities, activities and controls needed to manage all of the organization’s legal, contractual, and records management requirements. A good control describes how all relevant legislative, statutory, regulatory and contractual requirements, and the organization’s approach to meeting them, are explicitly identified, documented and kept up to date for each information system and for the organization. Put in simple terms, the organization needs to ensure that it is keeping up to date with, and documenting, the legislation and regulation that affect the achievement of its business objectives and the outcomes of the ISMS.

It is important that the organization understands the legislation, regulation and contractual requirements with which it must comply, and these should be centrally recorded in a register to allow for ease of management and coordination. Which requirements are relevant will largely depend on where the organization is located or operates, the nature of the organization’s business, and the nature of the information handled within the organization. Identifying the relevant legislation, regulation and contractual requirements is likely to involve engagement with legal experts, regulatory bodies and contract managers. This is an area that often catches organizations out, as there is generally far more legislation and regulation affecting the organization than is first considered.
The auditor will be looking to see how the organization has identified and recorded its legal, regulatory and contractual obligations; who is responsible for meeting those requirements; and what policies, procedures and other controls are in place to meet them. Additionally, they will look to see that this register is maintained on a regular basis against any relevant change, especially in legislation covering common areas that they would expect any organization to be affected by. Legal requirements need to be explicitly identified and recognized, with a plan in place for meeting the applicable ones. To meet this part of compliance, controls should be developed which:

  1. Identify the person or persons responsible for ascertaining the legal requirements. Those requirements should then be mapped against the existing controls in some form of matrix that shows which controls are in place to meet each requirement. Each state has breach notification laws, personal information protection laws, social security number protection laws, or other laws relating to the technology used at the organization. Each state must be treated as its own legal jurisdiction, and the organization must know whether any of these laws affect or add to its security obligations.
  2. Identify the person or persons responsible for reviewing contracts to determine any information security requirements, whether they are requirements placed on the organization or requirements placed on the vendor. Those requirements should then be mapped against the existing controls in the same matrix, showing which controls are in place to meet each requirement.

Every contract that involves organizational data must be documented and any controls specified in that contract must also be documented. It is crucial to know what your contractual responsibilities are so that you can look at the physical and technical controls you have in place and determine if they are adequate for the assumed contractual liability. In instances where contracting parties have access to organizational data, you want to be sure that you can audit the contractual controls and protections that the other party has agreed to follow.

The initial process in developing compliance initiatives is to identify which laws, regulations, and policies are applicable to the organization. To that end, confer with your legal and/or audit departments, and review the most common federal and state data protection laws.
1. Identify key stakeholders and/or partners across the organization who regularly deal with organizational compliance issues (e.g., legal, risk management, privacy, audit). Key stakeholders may vary from campus to campus.
2. Perform a high-level gap analysis of each compliance requirement that is applicable to determine where progress needs to be made.
3. Develop a prioritized action plan that will help you organize your efforts (one section of your Information Security plan).
4. Develop a policy, standard, roles, and responsibilities, and/or procedures in collaboration with other key stakeholders at your organization.
5. Familiarize yourself with common standards and regulations that address specific requirements.
6. Determine whether Governance, Risk, and Compliance (GRC) solutions can assist you with managing compliance.

Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations. A good control describes how cryptographic controls are used in compliance with all relevant agreements, legislation, and regulations. The use of cryptographic technologies is subject to legislation and regulation in many territories, and it is important that an organization understands those that are applicable and implements controls and awareness programs that ensure compliance with such requirements. This is especially true when cryptography is transported to, or used in, territories other than the organization’s or user’s normal place of residence or operation. Trans-border import/export laws may include requirements relating to cryptographic technologies or their usage. The auditor will be looking to see that the applicable regulation of cryptographic controls has been considered and that relevant controls and awareness programs have been implemented to ensure compliance. In ICT, ‘cryptography’ is a method of protecting information and communications through the use of codes. As such, encryption and cryptography usually involve specific legal requirements and a considerable amount of topic-specific regulatory guidance that needs to be adhered to. With that in mind, the following guidance needs to be taken into consideration:

  • Laws on the import and/or export of hardware or software which either carries out a dedicated cryptographic function, or has the ability to carry out said function.
  • Laws relating to the restriction of cryptographic functions.
  • Any access to encrypted information that authorities within a country or region have the right to request and enforce.
  • The validity and veracity of three key digital elements of encrypted information: signatures, seals and certificates.