A.15 Compliance - One of the grey areas of ISO 27001

Richard Regalado

Trusted Information Resource
#1
Standards have their sometimes amusing and also irritating ways of stating requirements. More often than not these requirements are subject to multiple interpretations by both the implementing organization and the auditors.

ISO/IEC 27001 is not lily-white in this area.

Control A.15.1.1 states:
"All relevant statutory, regulatory, and contractual requirements and the organization’s approach to meet these requirements should be explicitly defined, documented, and kept up to date for each information system and the organization." taken from ISO/IEC 27001:2005

The above control would have been very straightforward had a period been placed after the word "system". But including the words "and the organization" puts many in an instant quandary.

Do I include health and safety legal requirements? What about financial requirements? Labor legislation? Tax laws? After all, these are the requirements of the organization.

Sad to say the guideline standard ISO/IEC 27002 does not provide much help in this.

Let me hear your thoughts fellow Covers.

John Broomfield

Staff member
Super Moderator
#3
Richard,

The organization is the system and the system is the organization.

If your management system inaccurately represents the way your organization actually keeps information secure then you have a nonconformity.

Above I have highlighted the key word from the requirement with regard to your mission creep question.

John
 

Colin

Quite Involved in Discussions
#4
As with other management system standards, there is a limited scope to them. In the same way that ISO 9001 does not include requirements for H&S or environmental issues, in ISO 27001 it is only referring to legal requirements related to the standard under consideration - in this case information security.
 

Richard Regalado

Trusted Information Resource
#5
What is a mission creep question? Sorry.

So you are saying that ALL relevant compliance considerations apply when implementing ISO 27001? Thanks for replying John.
 

Richard Regalado

Trusted Information Resource
#6
Thanks Colin. But your opinion is more based on your experience with management systems and not based on the statement in A.15. Please correct me if I am wrong in this.

Had the statement ended with "information systems", it would have been a clear-cut requirement. The added words "and the organization" confuse many. Yes, including me.
 

John Broomfield

Staff member
Super Moderator
#7

Richard,

Here is what I took as your 'mission creep' question:

"Do I include health and safety legal requirements? What about financial requirements? Labor legislations? Tax laws? After all, these are the requirements of the organization."

Yes, include only ALL requirements that are relevant to keeping information secure.

Going beyond that would be mission creep for that part of the organizational management system that secures information per ISO 27001.

John
 

Richard Regalado

Trusted Information Resource
#8
Thank you for clarifying the mission creep part John.

The requirement A.15 does NOT even mention information security. It says "information system" and makes a sweeping mention of "ALL relevant statutory, regulatory and contractual requirements..." How do you defend this now against an auditor who is reading the requirement verbatim?

I say this is an area which requires a lot of clarification for the next version.

This is unlike the previous section A.14 Business continuity management wherein it is crystal-clear that BCM in the eyes of ISO 27001 is ONLY referring to information security. The way A.14 is written ensures that there is no confusion whether to establish BCMS for information security or for the whole organization.