ISO 27001 is the internationally recognised standard for information security management systems (ISMS), and it provides a comprehensive framework for safeguarding critical data. The latest edition of the standard, ISO 27001:2022, contains control 5.31, "Legal, statutory, regulatory and contractual requirements", which requires organisations to identify the legal requirements that apply to them and to document their approach to complying with those requirements. Often the easiest way to do this is via a Legal Register, but where do you start?
On this page we discuss what an ISO 27001 legal register is and why it matters, and provide a dynamically generated list of legislation that MAY be applicable to your ISMS.
What is an ISO 27001 Legal Register?
An ISO 27001 legal register is a structured and documented list of relevant legal and regulatory requirements applicable to an organisation’s information security management. This register serves as a central repository for tracking and ensuring compliance with various laws, regulations, industry standards, and contractual obligations that relate to data protection and security.
What Should be Included in an ISO 27001 Legal Register?
An effective ISO 27001 legal register should include the following key components:
Applicable Laws and Regulations: Identify and document all relevant laws and regulations related to information security and data protection that apply to your organisation’s operations, industry, and geographic location.
Industry Standards: Include any industry-specific standards and guidelines that your organisation must adhere to, such as those set by regulatory bodies or industry associations.
Contractual Obligations: Document contractual agreements that require compliance with specific information security requirements, such as data protection clauses in customer agreements or vendor contracts.
Timelines and Updates: Specify compliance deadlines and ensure the register is regularly updated to reflect changes in laws, regulations, and contractual obligations.
Responsibilities: Assign responsibilities to individuals or teams responsible for monitoring and ensuring compliance with each requirement.
Evidence of Compliance: Include references to documents, policies, procedures, and other evidence that demonstrate how your organisation meets each requirement.
Is ISO 27001 a Legal Requirement?
No, ISO 27001 itself is not a legal requirement. It is a globally recognised standard that outlines best practices for establishing, implementing, maintaining, and continually improving an information security management system. Organisations can choose to adopt ISO 27001 voluntarily to enhance their information security posture, demonstrate their commitment to data protection, and gain a competitive edge.
What should my ISO 27001 Legal Register Look Like?
A legal register can take many forms, and you should choose a format that works for your organisation. Resilify.io provides a Legal Register Template in Excel format, which can be downloaded from our page: https://resilify.io/knowledge-base/uk-legal-register-template/
How do I keep my ISO 27001 Legal Register Up-to-date?
Legislation and industry updates can come from many places. It can be useful to sign up to the newsletters of the relevant government departments, regulators, industry organisations and professional bodies, and to review the register at a fixed interval rather than only when a change happens to be noticed.
List of ISO 27001 Legislation
Bribery Act 2010 (amended 2011)
Communications Data Acquisition Regulations 2019
Computer Misuse Act 1990
Copyright and Duration of Rights in Performances Regulations 2013
Copyright, Designs and Patents Act 1988
Counter-Terrorism and Border Security Act 2019
Counter-Terrorism and Border Security Act 2019 (Commencement No. 1) (Northern Ireland) Regulations 2021
Cyber (Sanctions) (Overseas Territories) Order 2020
Data Protection Act 2018
Data Retention and Investigatory Powers Act 2014
Defamation (Operators of Websites) Regulations 2013
Defamation Act 2013
Defamation and Malicious Publication (Scotland) Act 2021 (Commencement and Transitional Provision) Regulations 2022
eIDAS Regulation (UK)
Electronic Communications Act 2000
Electronic Trade Documents Act 2023
Electronic Money Regulations 2011
General Data Protection Regulation (EU)
Global Anti-Corruption Sanctions Regulations 2021
Intellectual Property Act 2014
Investigatory Powers (Communications Data) (Relevant Public Authorities and Designated Senior Officers) (No. 2) Regulations 2020
Investigatory Powers (Communications Data) (Relevant Public Authorities and Designated Senior Officers) Regulations 2020
Investigatory Powers Act 2016
Network and Information Systems (Amendment and Transitional Provision etc.) Regulations 2020
Network and Information Systems (EU Exit) (Amendment) Regulations 2021
Network and Information Systems Regulations 2018
Official Secrets Act 1989
Patents Act 2004
Patents, Designs and Marks Act 1986
Payment Services Regulations 2017
Police and Criminal Evidence Act 1984
Privacy and Electronic Communications Regulations 2003 (amended 2018)
Private Security Industry (Licence Fee) Order 2020
Regulation of Investigatory Powers Act 2000 (RIP or RIPA)
Sanctions and Anti-Money Laundering Act 2018
Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
Disclaimer: Errors and omissions excepted. Resilify and Assent are not legal advisors and we do not provide legal advice. However, over many years of implementing ISO Management Systems and undergoing external audit by Accredited Certification Bodies, we have developed a good understanding of how to comply with the legal and contractual clauses of many ISO standards.