
Auditing Legal Compliance Management Processes against ISO 27001

Requirements with regard to Legal and Regulatory Compliance under ISO 27001

For Clients
ISO 27001 clause 4.2 requires organizations to determine the requirements of interested parties,
including applicable legal and regulatory requirements and contractual obligations.
Control objective A.18.1 (compliance with legal and contractual requirements) requires that all
applicable legal, regulatory and contractual requirements, and the organization's approach to meeting
them, be explicitly identified, documented and kept up to date, with procedures in place to ensure
compliance (intellectual property rights, protection of records, privacy, regulation of cryptographic
controls, etc.).

For Certification Bodies


ISO 27006 clause 9.2.1 requires the audit team to have “knowledge of the legislative and regulatory
requirements in the particular information security field,” and says they should have knowledge and
understanding of the following regulatory requirements:
• Intellectual property;
• Content, protection and retention of organizational records;
• Data protection and privacy;
• Regulation of cryptographic controls;
• Anti-terrorism;
• Electronic commerce;
• Electronic and digital signatures;
• Workplace surveillance;
• Telecommunications interception and monitoring of data;
• Computer abuse;
• Electronic evidence collection;
• Penetration testing;
• International and national sector-specific requirements.
ISO 27006 clause 9.2.3.3.1 says that “The maintenance and evaluation of legal and regulatory
compliance is the responsibility of the client organization. The certification body shall restrict itself to
checks and samples in order to establish confidence that the ISMS functions in this regard. The
certification body shall verify that the client organization has a management system to achieve legal
and regulatory compliance applicable to the information security risks and impacts.”

Audit Objective
When certifying a client to ISO 27001 the objective is to assure that the client has processes in place
to
• Identify requirements for legal and regulatory compliance;
• Establish and maintain compliance with the appropriate combination of training, awareness,
skills, processes and procedures;
• Monitor compliance;
• Address non-compliance;
• Monitor changing laws and regulations and update compliance processes accordingly.
Clients that operate internationally will need to maintain compliance with laws and regulations in all
the countries in which they operate or process data; note that in the USA and perhaps other countries,
laws and regulations can vary from state to state.
Duties of Auditors with regard to Legal Compliance
• The auditor is not responsible for ensuring the client maintains legal and regulatory
compliance. That is the responsibility of the client.
• Neither BSI nor the auditor is responsible in law for reporting legal transgressions to the
authorities. Nor is the auditor liable for any loss or damage as a consequence of not reporting
such transgressions.

Auditing Principle
Audit a credible sample of the laws and regulations that apply to the client in order to assure that its
processes for establishing, monitoring and maintaining compliance are systematically communicated,
understood, executed and effective.

“Compliance” and “Conformance”


In this paper the term “compliance” is reserved for the context of legal compliance, and the term
“conformance” is reserved for the context of conformance with ISO 27001 (or other management
system standard).
The consequence of a non-conformance is expected to be a corrective action.
The consequence of a non-compliance could be a fine or jail (for the client).

Scope
This paper covers UK law and regulations.
Similar principles can be expected to apply in the EU because much of UK law is driven by EU
directives. That said, there will be differences between countries because local implementations of
directives can and do vary. Canada and Australia have a tendency to be similar.
The USA is different and caution is advised because of its well-known litigious culture.
Certain countries are known for weak enforcement of the law. BSI’s interpretation of compliance
means compliance with local law as written, not as (weakly) enforced. So, for example, in countries
where there is copyright law it should be complied with even if nobody seems to care. (The test is,
what would a reasonable, law-abiding international client expect “compliance with the local law” to
mean?)

How the Law Works


Clause A.15.1.1 (A.18.1.1 in ISO 27001:2013) betrays a simplistic understanding of the law and isn't
practical for several reasons:
• The list of laws that apply to information security is impossibly long (see the tables of
Statutes in refs 1 and 2);
• Laws and regulations are often mutually contradictory, or unclear;
• Contradictions and ambiguities are resolved by Court judgements, which then form case law;
• Court judgements are in turn driven by the applicable Statutes and by the precedents set in
earlier case law;
• In the UK, interpretation of the law takes account of the Judge's view of the intent of the
legislators who wrote it. (The USA and some other countries take less or no account of intent
and are more literal in their interpretation of Statutes.)
Therefore, legal compliance is managed with a blend of documentation and legal knowledge
(competence), not documentation alone.
Furthermore, governments change laws, and interpretation gets clarified in case law as a result of
litigation and Court judgements. “Compliance” is a moving target, and the client must have a process
for monitoring changes and updating compliance management processes accordingly.

Structure, Statutes and Staying Compliant


Statutes – the written laws that are passed by legislative bodies – aren't structured. They have titles
but cover other areas as well; they supersede older laws without entirely rewriting them; and they
may or may not take account of case law to date. Court judgements often amount to weighing the
impact of different laws and precedents and deciding which bear most on the case at hand.
In order to stay compliant an organization must first understand the relevant laws. Often, legal and
illegal behaviours will be easy to determine from books such as the references. Where it's not clear,
the client will almost certainly require competent legal advice. Legal advisers essentially analyze the
situation and consult the case law in an attempt to determine what a Court judgement is likely to be,
and the risks and penalties should the behaviour be deemed illegal.
It’s important for clients and auditors to recognize that the law does not necessarily recognize
“common sense” and, if in doubt, a legal opinion must be sought. The penalties for sailing too close to
the legal wind can be crippling.

Process for Auditing Legal Compliance


1. What laws are likely to apply to the Client’s particular products and services?
2. What laws are likely to apply to the critical information assets within scope?
3. Are those laws, at least, documented in the Client’s response?
4. Where does the Client get its lists of laws from? If a person, what is their legal competency?
How do they keep the list up to date? How do they cover all the territories in which they (or
their partners and suppliers) operate or process information?
5. Which operational processes are likely to be impacted by compliance issues?
6. Is legal compliance managed with procedure, skill or a combination?
7. If procedures, who writes them? What's their legal competence? (Or, can they refer to a
competent legal authority when necessary?) How are operational people made aware of the
procedures? Do they understand them? Are they aware of the consequences for stakeholders
in the event of non-compliance?
8. If skill, who needs the competency, and how do they attain and maintain it? How is skill
evaluated? Again, are they aware of the consequences for stakeholders in the event of non-
compliance?
9. Where the client was concerned about legal issues, was the resolution documented by a
legally competent authority? Such documentation is almost certainly required to limit
liability in case of dispute.
10. How is legal compliance systematically monitored (audited)?
The auditor should identify a credible sample of:
• Critical information assets;
• Core products and services;
• Laws and regulations that pertain to the above from an information security perspective;
• Operational processes that “touch” the above assets, products, services, laws and regulations;
• People who are accountable for defining, documenting, managing, operating, maintaining,
monitoring or auditing the above processes
While we can't demand documented procedures for everything, we should require processes to be
repeatable and consistent on the basis of either documented procedures, or competency management,
or a combination, together with documented records of the resolution of legal issues and of
compliance monitoring. The test is:
• Does the organization have sufficient evidence to persuade a Court or Public Enquiry that it
has the organization, competencies, procedures and management culture to protect the critical
information within its care against reasonable threats and vulnerabilities?

References
1. Ian J. Lloyd, Information Technology Law, Fifth Edition, Oxford University Press, 2008.
2. David I. Bainbridge, Introduction to Information Technology Law, Sixth Edition, Pearson
Longman, 2008.
