Publication Summary

Title: Legal, Regulatory and Contractual Requirements Procedure
Author(s): Alessandro Cardinali
Issued by: CEO
Version doc.: 0.1
Review freq.: Yearly
Date of issue: December 11, 2023
Owner: CEO/Founder
Document status: Draft – Final Draft – Final
Approval Date: n/a
Classification: Internal

Change Log

| Version | Date | Author | Comments |
| 0.1 | December 11, 2023 | Olaf Jacobson | First draft document |

Table of Contents

Publication Summary
1 Introduction
1.1 Purpose of this document
1.2 Areas of the standard addressed
2 Legal, regulatory and contractual requirements procedure
3 Identify requirement
3.1 Assess implications
3.2 Document requirements
3.3 Define approach to meeting requirements
3.4 Review and update

Introduction

Soon has implemented an Information Security Management System (ISMS) in line with the ISO/IEC 27001 international standard for information security management.

In creating and maintaining an ISMS it is vital that a full understanding is gained of the various legal, regulatory and contractual requirements that apply to Soon and its business. This will ensure that the organization continues to meet its obligations and its board of directors and other stakeholders are not exposed to the risk of criminal prosecution or corporate liability.

The purpose of this procedure is to document how such requirements are identified and incorporated into the ISMS and how updates to the requirements are handled.

Purpose of this document

This document sets out how the applicable legal, regulatory and contractual requirements relevant to the ISMS, and Soon's approach to meeting them, will be identified, documented and kept up to date.

Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

  • A.5 Organizational controls

  • A.5.31 Legal, statutory, regulatory and contractual requirements

Legal, regulatory and contractual requirements procedure

The procedure for identifying, documenting and maintaining legal, regulatory and contractual requirements is summarised in the diagram below (Figure 1). Each step is expanded upon in the following sections.

Figure 1: Legal, regulatory and contractual requirements procedure

Identify requirement

Soon relies upon the following internal teams and external bodies to identify legal, regulatory and contractual requirements that are relevant to its information security:

| Team/Organization | Areas covered | Communication method |
| Legal department | Laws relevant to information security, including privacy and data protection | Email alerts; quarterly meetings |
| External legal advisers | Laws relevant to information security, including privacy and data protection | Webinars; newsletters; meetings on specific topics |
| Governance, Risk and Compliance team | Regulatory framework and requirements; regulatory reporting | Email alerts; quarterly meetings |
| Supplier Management | Contractual agreements, current and new bids | Email alerts; quarterly meetings |
| Industry body | Laws, regulations and other issues relevant to our industry | Seminars; annual conference |
| Regulatory Authority | Regulatory framework and requirements; regulatory reporting | Official communications; briefing events |
| Professional associations for information security | General legal, regulatory and contractual issues for information security | National and regional meetings; newsletters; training |
| National and regional business groups | General legal, regulatory and contractual issues for the business | National and regional meetings; newsletters; training |

Table 1: Sources of requirements

In general, Soon will rely upon the appropriate team or external body to provide an interpretation of the relevant parts of the item under consideration. This may be in the form of briefing papers, presentation materials or other media.

Where necessary, the IS Manager shall obtain full copies of the relevant source material (such as legislation or regulatory announcements) for reference purposes. These may be in hardcopy or electronic form.

Assess implications

The IS Manager is responsible for ensuring that a full assessment of the implications of the relevant items for the ISMS is carried out. This will be based upon qualified advice from the relevant sources listed in Table 1.

The assessment will include the following aspects:

  • Degree of change to the ISMS and its associated policies, procedures, forms and plans needed to meet the requirement

  • Urgency of meeting the requirement

  • Consequences of not meeting the requirement

  • Available options for meeting the requirement

Document requirements

Once assessed, the relevant requirements will be documented at a high level as part of the ISMS within the document Information Security Context, Requirements and Scope. All changes to this document will be recorded in accordance with the ISMS documentation procedures.

Details of the requirements will be documented in the Legal, Regulatory and Contractual Requirements spreadsheet. These details will include:

  • Source of the requirement

  • Type of requirement – legislative, regulatory, contractual, other

  • Details of the requirement, at an appropriate level

  • Link(s) to a more detailed specification of the requirement, where relevant, e.g. legislative documents, regulations or contracts

  • Owner of the requirement

  • The legal scope of the requirement, for example which country’s law applies

  • Dates the requirement applies from and to

Where needed, confirmation of the interpretation of the requirement will be obtained from a relevant source, for example the organization's legal department.

Define approach to meeting requirements

Where immediate changes are needed to the ISMS as a result of a new or changed requirement these will be incorporated as soon as possible, and revisions issued to all recipients of the relevant policies and procedures. Otherwise, the change will be considered at the next annual review of the ISMS.

Details of the approach to be taken will be added to the Legal, Regulatory and Contractual Requirements spreadsheet along with links to relevant documentation, where appropriate.

Review and update

New requirements and changes to existing requirements will be discussed at regular review meetings with internal departments, particularly:

  • Legal department

  • Governance, Risk and Compliance team

  • Supplier Management

All relevant requirements will be re-assessed on at least an annual basis as part of the ISMS annual review. Appropriate advice will be obtained at this point to ensure that all changes have been captured.

Any new or changed requirements identified as part of the review process will be handled in accordance with this procedure and appropriate updates made.