ISO 27001 requires the determination of the needs and expectations of:
- ‘interested parties that are relevant to the information security management system; and
- ‘the requirements of these interested parties relevant to information security.’
It further clarifies that this may ‘include legal and regulatory requirements and contractual obligations’.
When first analysing the requirements, there is often a focus on those aspects of legislation that directly relate to information security, such as the Data Protection Act 1998. What is more normally missed are industry specific regulations, for example, or business legislation which could have implications for the requirement to maintain confidentiality, integrity and availability of data and information. As an example, Companies Act 2006 requires that Board meetings’ minutes and resolutions are maintained for a minimum of 10 years, and the Taxes Management Act 1970 has detailed requirements for the retention of taxation records.
It is also worth noting that some legislation may deal with how long data and information should be kept for, and when it should be destroyed; this may be equally important when dealing with personal identifiable data; the Data Protection Act requires that data should not be ‘kept for longer than is necessary’ for for the purpose for which you hold it, and it must be kept up-to-date.
What does it mean for you?
Any relevant legislation and regulation must be assessed to fully understand the implications for your business, and to assist with ensuring that the relevant controls are in place to ensure that confidentiality, integrity and availability is maintained as required by you AND your interested parties. Furthermore, all aspects of legislation relevant to the business will need to be monitored regularly, particularly in the post-Brexit referendum environment, where a significant amount of legislation is likely to be modified.
We can work with you to fully understand your regulatory and legislative environment, to identify the requirements for your interested parties, and to create a register of this information, clearly identifying the requirements and implications for your business. We will assist to establish a process that ensures that this register is maintained and reviewed, taking account of all stakeholder requirements.