Applicable legislation

Effective information security will ensure compliance with all relevant statutory and regulatory requirements, ensuring the confidentiality, integrity and availability of data as required by your own organisation, as well as those of clients and other interested parties, including staff.

ISO 27001 requires the determination of the needs and expectations of:

  • Interested parties that are relevant to the information security management system; and
  • ‘the requirements of these interested parties relevant to information security.’


It further clarifies that this may ‘include legal and regulatory requirements and contractual obligations’.

When first analysing the requirements, there is often a focus on those aspects of legislation that directly relate to information security, such as the Data Protection Act 2018. 

What is more normally missed are industry specific regulations, for example, or business legislation which could have implications for the requirement to maintain confidentiality, integrity and availability of data and information.

 As an example, the Companies Act 2006 requires that Board meetings’ minutes and resolutions are maintained for a minimum of 10 years, and the Taxes Management Act 1970 has detailed requirements for the retention of taxation records.

It is also worth noting that some legislation may deal with how long data and information should be kept for, and when it should be destroyed; this may be equally important when dealing with personal identifiable data.  As an example, the Data Protection Act requires that data should not be ‘kept for longer than is necessary’ for for the purpose for which you hold it, and it must be kept up-to-date.

Any relevant legislation and regulation must be assessed to fully understand the implications for your business, and to assist with ensuring that the relevant controls are in place to ensure that confidentiality, integrity and availability is maintained as required by you AND your interested parties.  

Furthermore, all aspects of legislation relevant to the business will need to be monitored regularly, particularly in the post-Brexit environment, where a significant amount of legislation is likely to be modified.

We can work with you to fully understand your regulatory and legislative environment, to identify the requirements for your interested parties, and to create a register of this information, clearly identifying the requirements and implications for your business. 

 We will assist to establish a process that ensures that this register is maintained and reviewed, taking account of all stakeholder requirements.

We are happy to answer any questions about - Business Continuity Crisis Management Information Security Product Recalls

How can Cambridge Risk Solutions Help?

Cambridge Risk Solutions provides a range of services to assist with the implementation of Information Security, and have an experienced ISO 27001 Lead Auditor who can assist with readiness for certification to ISO 27001:2013.

View some case studies of recent Information Security projects.