ISO27001:2022, A5.31 states that “Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation's approach to meet these requirements shall be identified, documented and kept up to date.” (A5.31 – Identification of legal, statutory, regulatory and contractual requirements).
Why is this required?
As a business you need to comply with the legal, statutory, regulatory and contractual requirements placed upon you by government, clients and suppliers. Breaching these laws or requirements can land you in hot water of varying depths, from a simple ‘breach of contract’ through to the very worst case of landing in court or prison!
Our Register gives you the structure you need in order to evidence control in this area.
Keep in mind that this is about 'applicable' legislation. You don't need to list every law under the sun! It's what is applicable to you and, more importantly, what is applicable to information security. Health and safety laws are important, but not in the context of information security and data protection.
Register of Applicable Legislation
Hey, we're not going to go all 'legal' on you here... that's not our style. But this is our intellectual property, and we'd prefer it if you didn't go sharing it with other people who haven't spent the money and bought a copy.
Of course, we can't really stop you... but are you that kind of person? We don't think you are. So if you want to tell people about your newfound super power of ISO27001-Awesomeness, great... just don't give it away for free!