ISO 27001 is the internationally recognised standard for information security management systems (ISMS) and it provides a comprehensive framework to safeguard critical data. The latest edition of the standard, ISO 27001:2022, contains Annex A control 5.31 Legal, statutory, regulatory and contractual requirements, which requires organisations to identify the legal, statutory, regulatory and contractual requirements that apply to them and to document their approach to complying with them. Often the easiest way to do this is via a Legal Register, but where do you start?
On this page we discuss what an ISO 27001 legal register is, its significance, and provide a dynamically generated list of legislation that may be applicable to your ISMS.
What is an ISO 27001 Legal Register?
An ISO 27001 legal register is a structured and documented list of relevant legal and regulatory requirements applicable to an organisation’s information security management. This register serves as a central repository for tracking and ensuring compliance with various laws, regulations, industry standards, and contractual obligations that relate to data protection and security.
What Should be Included in an ISO 27001 Legal Register?
An effective ISO 27001 legal register should include the following key components:
Applicable Laws and Regulations: Identify and document all relevant laws and regulations related to information security and data protection that apply to your organisation’s operations, industry, and geographic location. Include the jurisdictions of the customers and data subjects you serve, not only where you are based: laws such as the GDPR apply on the basis of whose data is processed, not where the processor sits.
Industry Standards: Include any industry-specific standards and guidelines that your organisation must adhere to, such as those set by regulatory bodies or industry associations.
Contractual Obligations: Document contractual agreements that require compliance with specific information security requirements, such as data protection clauses in customer agreements or vendor contracts.
Timelines and Updates: Specify compliance deadlines and ensure the register is regularly updated to reflect changes in laws, regulations, and contractual obligations.
Responsibilities: Assign responsibilities to individuals or teams responsible for monitoring and ensuring compliance with each requirement.
Evidence of Compliance: Include references to documents, policies, procedures, and other evidence that demonstrate how your organisation meets each requirement.
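Holding the register as structured records rather than free text makes the completeness and currency of each entry checkable. The following is an added example, not the page's template or the consultancy's tooling; the field names mirror the components listed above but are assumptions, and the sample register is constructed for illustration. It flags entries missing an owner or evidence, entries whose review is overdue, and the same title entered twice.

```python
"""Checks over an ISO 27001 legal register held as a list of records.

Added example (not the page's template). Field names are assumptions
chosen to mirror the components listed above; adapt them to the
columns of your own register.
"""
from datetime import date, timedelta

# Components the register should carry; an entry missing any is incomplete.
REQUIRED_FIELDS = (
    "title",                 # law, regulation, standard or contract clause
    "type",                  # law | standard | contract
    "applies_because",       # why it is in scope (operations, sector, location)
    "owner",                 # person or team accountable for compliance
    "evidence",              # policy, procedure or record showing compliance
    "last_reviewed",         # ISO date the entry was last confirmed current
    "review_interval_days",  # how often the entry must be re-confirmed
)

# Date the checks are run against (fixed so the example is reproducible).
AS_OF = date(2024, 6, 1)

# Constructed sample register: the entries are illustrative, not real data.
SAMPLE_REGISTER = [
    {"title": "Data Protection Act 2018", "type": "law",
     "applies_because": "We process UK residents' personal data",
     "owner": "DPO", "evidence": "POL-07 Data Protection Policy",
     "last_reviewed": "2024-03-01", "review_interval_days": 365},
    {"title": "Computer Misuse Act 1990", "type": "law",
     "applies_because": "Penetration testing and security tooling in scope",
     "owner": "", "evidence": "PRO-12 Authorised Testing Procedure",
     "last_reviewed": "2024-03-01", "review_interval_days": 365},
    {"title": "Customer MSA clause 9 (security)", "type": "contract",
     "applies_because": "Contractual security obligations to a customer",
     "owner": "Head of Security", "evidence": "",
     "last_reviewed": "2022-11-15", "review_interval_days": 180},
    # Same law entered a second time by another team: a duplicate.
    {"title": "Data Protection Act 2018", "type": "law",
     "applies_because": "Marketing processes personal data",
     "owner": "Marketing Lead", "evidence": "PRO-03 Consent Procedure",
     "last_reviewed": "2024-01-10", "review_interval_days": 365},
]


def check_entry(entry, today):
    """Return the list of findings for one entry; an empty list means it is OK."""
    findings = [f"missing {f}" for f in REQUIRED_FIELDS if not entry.get(f)]
    # Only compute the review due date when both inputs are present.
    if entry.get("last_reviewed") and entry.get("review_interval_days"):
        last = date.fromisoformat(entry["last_reviewed"])
        due = last + timedelta(days=int(entry["review_interval_days"]))
        if due < today:
            findings.append(f"review overdue since {due.isoformat()}")
    return findings


def check_register(register, today=None):
    """Return {title: [findings]} for every entry that needs attention."""
    today = today or date.today()
    report = {}
    seen = set()
    for entry in register:
        title = entry.get("title") or "<untitled>"
        findings = check_entry(entry, today)
        if title in seen:
            findings.append("duplicate entry")
        seen.add(title)
        if findings:
            report.setdefault(title, []).extend(findings)
    return report


if __name__ == "__main__":
    for title, findings in check_register(SAMPLE_REGISTER, AS_OF).items():
        print(f"{title}: {'; '.join(findings)}")
```

Run against the sample as of 2024-06-01, the report lists the Computer Misuse Act entry with no owner, the customer contract clause with no evidence and a review overdue since May 2023, and the second Data Protection Act entry as a duplicate. The same checks run unchanged over a register exported from a spreadsheet once each row is loaded into a dict with these keys.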
Is ISO 27001 a Legal Requirement?
No, ISO 27001 itself is not a legal requirement. It is a globally recognised standard that outlines best practices for establishing, implementing, maintaining, and continually improving an information security management system. Organisations can choose to adopt ISO 27001 voluntarily to enhance their information security posture, demonstrate their commitment to data protection, and gain a competitive edge. It can, however, become a contractual requirement where a customer contract or tender specifies certification; in that case the obligation belongs in the legal register as a contractual requirement, like any other.
What should my ISO 27001 Legal Register Look Like?
A legal register can take many forms and you should choose a format that works for your organisation. Resilify.io provides a Legal Register Template in Excel form, that can be downloaded from our page: https://www.resilify.io/knowledge-base/uk-legal-register-template/
Speak to an ISO 27001 Consultant
For support building and maintaining your ISO 27001 legal register, implementing the standard or conducting internal audits, Assent Risk Management’s ISO 27001 Consultants can help.
How do I keep my ISO 27001 Legal Register Up-to-date?
Legislation and industry updates can come from many places. It can be useful to sign up to the newsletters of relevant government departments, organisations and professional bodies.
In addition, ISO Consultants Assent Risk Management provide a free monthly legislation update email. Sign Up Here.
List of ISO 27001 Legislation
Bribery Act 2010 amended 2011
Communications Data Acquisition Regs (2019)
Computer Misuse Act 1990
Copyright and Duration of Rights in Performances Regulations 2013
Copyright, Designs and Patents Act 1988
Counter-Terrorism and Border Security Act 2019
Counter-Terrorism and Border Security Act 2019 (Commencement No. 1) (Northern Ireland) Regulations 2021
Cyber (Sanctions) (Overseas Territories) Order 2020
Data Protection Act 2018
Data Retention and Investigatory Powers Act 2014
Defamation (Operators of Websites) Regulations 2013
Defamation Act 2013
Defamation and Malicious Publication (Scotland) Act 2021 (Commencement and Transitional Provision) Regulations 2022
eIDAS Regulation UK
Electronic Communications Act 2000
Electronic Trade Documents Act 2023
Electronic Money Regulations 2011
General Data Protection Regulation (EU)
Global Anti-Corruption Sanctions Regulations 2021
Intellectual Property Act 2014
Investigatory Powers (Communications data) (Relevant Public Authorities and Designated Senior Officers) (No. 2) Regulations 2020
Investigatory Powers (Communications data) (Relevant Public Authorities and Designated Senior Officers) Regulations 2020
Investigatory Powers Act 2016
Network and Information Systems (Amendment and Transitional Provision etc) Regulations 2020
Network and Information Systems (EU Exit) (Amendment) Regulations 2021
Network and Information Systems Regulations 2018
Official Secrets Act 1989
Patents Act 2004
Patents Designs and Marks Act 1986
Payment Services Regulations 2017
Police and Criminal Evidence Act 1984
Privacy and Electronic Communications Regulations 2003 amendment 2018
Private Security Industry (Licence Fee) Order 2020
Regulation of Investigatory Powers Act 2000 (RIP or RIPA)
Sanctions and Anti-Money Laundering Act 2018
Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
Regulation of Investigatory Powers (Scotland) Act 2000
Freedom of Information (Scotland) Act 2002
Wales Accord on the Sharing of Personal Information (WASPI) 2018
Economic Crime and Corporate Transparency Act 2023
Online Safety Act 2023
European Union Artificial Intelligence Act
The Online Safety (List of Overseas Regulators) Regulations 2024
Artificial intelligence liability directive
Artificial Intelligence (Regulation) Bill
AI Training Act
Algorithmic Accountability Act of 2022

Disclaimer: Errors and omissions excepted, Resilify and Assent are not legal advisors and we do not provide legal advice. However, over many years of implementing ISO Management Systems and undergoing external audit by Accredited Certification Bodies, we have developed a good understanding of how to comply with the legal and contractual clauses of many ISO standards.