A.15 Compliance - One of the grey areas of ISO 27001

Richard Regalado

Trusted Information Resource
#1
Standards have their sometimes amusing and also irritating ways of stating requirements. More often than not, these requirements are subject to multiple interpretations by both the implementing organization and the auditors.

ISO/IEC 27001 is not lily-white in this area.

Control A.15.1.1 states:
"All relevant statutory, regulatory, and contractual requirements and the organization’s approach to meet these requirements should be explicitly defined, documented, and kept up to date for each information system and the organization." (taken from ISO/IEC 27001:2005)

The above control would have been very straightforward had a period been placed after the word "system". But including the words "and the organization" puts many in an instant quandary.

Do I include health and safety legal requirements? What about financial requirements? Labor legislation? Tax laws? After all, these are the requirements of the organization.

Sad to say, the guideline standard ISO/IEC 27002 does not provide much help in this.

Let me hear your thoughts, fellow Covers.
 

John Broomfield

Leader
Super Moderator
#3
Richard,

The organization is the system and the system is the organization.

If your management system inaccurately represents the way your organization actually keeps information secure then you have a nonconformity.

Above I have highlighted the key word from the requirement with regard to your mission creep question.

John
 

Colin

Quite Involved in Discussions
#4
As with other management system standards, there is a limited scope to them. In the same way that ISO 9001 does not include requirements for H&S or environmental issues, in ISO 27001 it is only referring to legal requirements related to the standard under consideration - in this case information security.
 

Richard Regalado

Trusted Information Resource
#5
What is a mission creep question? Sorry.

So you are saying that ALL relevant compliance considerations apply when implementing ISO 27001? Thanks for replying John.
 

Richard Regalado

Trusted Information Resource
#6
Thanks Colin. But your opinion is based more on your experience with management systems than on the statement in A.15. Please correct me if I am wrong in this.

Had the statement ended with "information systems", it would have been a clear-cut requirement. The added words "and the organization" confuse many. Yes, including me.
 

John Broomfield

Leader
Super Moderator
#7

Richard,

Here is what I took as your 'mission creep' question:

"Do I include health and safety legal requirements? What about financial requirements? Labor legislations? Tax laws? After all, these are the requirements of the organization."

Yes, include only ALL requirements that are relevant to keeping information secure.

Going beyond that would be mission creep for that part of the organizational management system that secures information per ISO 27001.

John
 

Richard Regalado

Trusted Information Resource
#8
Thank you for clarifying the mission creep part John.

The requirement A.15 does NOT even mention information security. It says "information system" and makes a sweeping mention of "ALL relevant statutory, regulatory and contractual requirements..." How do you defend this now against an auditor who is reading the requirement verbatim?

I say this is an area which requires a lot of clarification for the next version.

This is unlike the previous section A.14 Business continuity management wherein it is crystal-clear that BCM in the eyes of ISO 27001 is ONLY referring to information security. The way A.14 is written ensures that there is no confusion whether to establish BCMS for information security or for the whole organization.
 