Compliance with required laws, regulations, standards, and contractual obligations can be as challenging as dealing with an ever-changing threat environment and new forms of cyber-attacks.
The organization shall document the information security requirements and the organization's operating model for meeting them.
It is important to note that a large part of the requirements (e.g. laws, standards) change over time. It is recommended to define a review interval for the documentation that sets the minimum frequency at which changes in the requirements should be checked.