To create and maintain the ISMS,
This understanding ensures that the organization fulfills its obligations and mitigates the risk of criminal prosecution or corporate liability for the board of directors and other stakeholders.
The purpose of this procedure is to document the process of identifying and incorporating these requirements into the ISMS, as well as how updates to the requirements are managed.
Legal, regulatory, statutory and contractual requirements [FII-SCF-005-CPL-01]
The procedure for identifying, documenting and maintaining legal, regulatory and contractual requirements is summarised in the diagram below. Each step is expanded upon in the following sections.
Identify requirement
| TEAM | AREAS COVERED | COMMUNICATION METHOD |
|---|---|---|
| Legal department / Customer contracts / HR / Finance | Laws relevant to information security, including privacy and data protection; customer commitments and contractual obligations; employee-related labour laws; finance, taxation and cash flows | Email alerts; quarterly meetings |
| External legal advisers | Laws relevant to information security, including privacy and data protection | Webinars; newsletters; meetings on specific topics |
| Governance, Risk and Compliance team – InfoSec team | Regulatory framework and requirements; regulatory reporting, if any | Email alerts; quarterly meetings |
| Supplier Management | Contractual agreements, current and new bids | Email alerts; quarterly meetings |
| Industry body | Laws, regulations and other issues relevant to our industry | Seminars; annual conference |
| Regulatory Authority | Regulatory framework and requirements; regulatory reporting | Official communications; briefing events |
| Professional associations for information security | General legal, regulatory and contractual issues for information security | National and regional meetings; newsletters; training |
| National and regional business groups | General legal, regulatory and contractual issues for the business | National and regional meetings; newsletters; training |
In general,
If needed, the CTO will obtain full copies of the relevant source material (such as legislation or regulatory announcements) in hardcopy or electronic form for reference purposes.
Assess implications
The CTO has the responsibility of ensuring a complete assessment of the implications of relevant items for the ISMS based on qualified advice from the sources listed in Table 1.
The assessment will consider the following aspects:
- The extent of change required for the ISMS and its associated policies, procedures, forms, and plans to meet the requirement.
- The urgency of meeting the requirement.
- The consequences of not meeting the requirement.
- The available options for meeting the requirement.
Document requirements
After assessment, the relevant requirements will be documented at a high level as part of the ISMS in the Information Security Context, Requirements, and Scope document. All changes to this document will be recorded following the ISMS documentation procedures.
Details of the requirements will include:
- The source of the requirement
- The type of requirement (legislative, regulatory, contractual, or other)
- Details of the requirement at an appropriate level
- Link(s) to more detailed specification of the requirement, where applicable, such as legislative documents, regulations, contracts
- The owner of the requirement
- The legal scope of the requirement, such as the applicable country’s law
- The dates from and to which the requirement applies.
If necessary, confirmation of the requirement’s interpretation will be obtained from a relevant source, such as the organization’s legal department.
Define approach to meeting requirements
If a new or modified requirement calls for immediate changes to the ISMS, they will be included as soon as possible, and updated versions of the relevant policies and procedures will be provided to all recipients. Otherwise, the change will be assessed during the next annual review of the ISMS.
Review and update
New requirements and changes to existing requirements will be discussed at regular review meetings with internal departments.
All relevant requirements will be re-assessed on at least an annual basis as part of the ISMS annual review. Appropriate advice will be obtained at this point to ensure that all changes have been captured.
Any new or changed requirements identified as part of the review process will be handled in accordance with this procedure and appropriate updates made.