Identification, documentation and management of other information security requirements

Critical
High
Normal
Low

Compliance with required laws, regulations, standards, and contractual obligations can be as challenging as dealing with an ever-changing threat environment and new forms of cyber-attacks.

The organization shall document the information security requirements and the organisation's operating model for meeting them.

It is important to note that a large part of the requirements (e.g. laws, standards) are evolving entities. It is recommended to define a review interval for the documentation to describe the frequency at which changes in the requirements should at least be checked.

Connected other frameworks and requirements:
18.1.1: Identification of applicable legislation and contractual requirements
ISO 27001
ID.GV-3: Legal and regulatory requirements
NIST CSF
5.31: Legal, statutory, regulatory and contractual requirements
ISO 27001

Implementation and documentation of management reviews

Critical
High
Normal
Low

Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.

The management review shall address and comment on at least the following:

  • Status of improvements (or other actions) initiated as a result of previous management reviews
  • Future changes relevant to the security management system
  • Performance of the ISMS (problem areas, metering, audit results and fulfillment of management security objectives)
  • Stakeholder feedback on data security
  • Operation of the risk assessment and treatment process

Documented information on the execution and results of reviews must be maintained.

Connected other frameworks and requirements:
18.1.1: Identification of applicable legislation and contractual requirements
ISO 27001
ID.GV-3: Legal and regulatory requirements
NIST CSF
9.3: Management review
ISO 27001
No items found.