ISO 27001 (2013): Full
18.1.1: Identification of applicable legislation and contractual requirements

How to fill the requirement


Task: Identification, documentation and management of other information security requirements
Theme: Risk management and leadership
Policy: Cyber security management
Other requirements fulfilled: 13

This task also fulfils the following other security requirements:

  • 18.1.1: Identification of applicable legislation and contractual requirements (ISO27 Full)
  • ID.GV-3: Legal and regulatory requirements (NIST)
  • HAL-05: Requirements (Julkri)
  • 5.31: Legal, statutory, regulatory and contractual requirements (ISO27k1 Full)
  • 2: Legislation and obligations (Sec overview)
1. Task description

Complying with applicable laws, regulations, standards and contractual obligations can be as demanding as keeping up with a constantly changing threat environment and new forms of cyber attack.

The organization shall document the information security requirements that apply to it and its operating model for meeting them.

Note that a large share of these requirements (e.g. laws and standards) change over time. Define a review interval in the documentation that states how often, at a minimum, changes in the requirements are checked.

Task: Implementation and documentation of management reviews
Theme: Risk management and leadership
Policy: Cyber security management
Other requirements fulfilled: 16

This task also fulfils the following other security requirements:

  • 18.1.1: Identification of applicable legislation and contractual requirements (ISO27 Full)
  • ID.GV-3: Legal and regulatory requirements (NIST)
  • 9.3: Management review (ISO27k1 Full)
  • 12: Monitoring the state of digital security (Sec overview)
  • 13: Reporting the overall digital security situation (Sec overview)
1. Task description

Top management shall review the organization's information security management system (ISMS) at planned intervals to ensure that it remains suitable, adequate and effective.

The management review shall address and record conclusions on at least the following:

  • Status of improvements (or other actions) initiated as a result of previous management reviews
  • Upcoming changes in internal or external matters relevant to the ISMS
  • Performance of the ISMS (problem areas, measurement results, audit results and fulfilment of the information security objectives set by management)
  • Feedback from interested parties on information security
  • Operation of the risk assessment and risk treatment process

Documented information on the execution and results of each review shall be retained.
