Applicable legislation

ISO 27001 requires the determination of the needs and expectations of:

  • ‘interested parties that are relevant to the information security management system; and
  • the requirements of these interested parties relevant to information security.’

It further clarifies that this may ‘include legal and regulatory requirements and contractual obligations’.


When first analysing the requirements, there is often a focus on those aspects of legislation that directly relate to information security, such as the Data Protection Act 1998. What is more often missed is industry-specific regulation, or general business legislation, which can have implications for the requirement to maintain the confidentiality, integrity and availability of data and information. As an example, the Companies Act 2006 requires that the minutes and resolutions of Board meetings are maintained for a minimum of 10 years, and the Taxes Management Act 1970 has detailed requirements for the retention of taxation records.

It is also worth noting that some legislation deals with how long data and information should be kept for, and when it should be destroyed; this is equally important when dealing with personally identifiable data. The Data Protection Act requires that personal data is not ‘kept for longer than is necessary’ for the purpose for which you hold it, and that it is kept up to date.

What does it mean for you?

Any relevant legislation and regulation must be assessed to fully understand the implications for your business, and to help ensure that the relevant controls are in place so that confidentiality, integrity and availability are maintained as required by you AND your interested parties. Furthermore, all aspects of legislation relevant to the business will need to be monitored regularly, particularly in the post-Brexit referendum environment, where a significant amount of legislation is likely to be modified.

We can work with you to fully understand your regulatory and legislative environment, to identify the requirements of your interested parties, and to create a register of this information, clearly identifying the requirements and implications for your business. We will help you establish a process that ensures this register is maintained and reviewed, taking account of all stakeholder requirements.


  • Business Continuity Planning

    Effective planning that takes into account risk evaluation and business impact analysis, supported by clear and concise crisis management. We work with you to develop user-friendly plans.

  • Business Impact Analysis

    The Business Impact Analysis (BIA) is one of the most important, and least well understood, stages of the Business Continuity Management Lifecycle; we can assist with your BIA.

  • Training and Exercising

    No Business Continuity Management programme is effective without a significant element of training. Moreover, ongoing Crisis Management training and exercising is key. We can provide objective training and exercising.

  • Risk Evaluation and Control

    Risk evaluation and treatment provide a process to identify, prioritise and manage your risks. Cambridge Risk Solutions can assist with risk management for business operational and information security risks.

  • Statement of Applicability

    Which controls do you need to have in place? How do you link your risk assessment process into your SoA? How do you ensure that you have effective controls in place? We can assist with your SoA.

  • Integrated Management Systems

    Management Systems assist with your on-going management, maintenance and continual improvement. We work with you to develop a fully integrated management system, enabling certification to ISO 22301 and ISO 27001.