03.2 Audit Legal Compliance Vs ISO 27001
Requirements with regard to Legal and Regulatory Compliance under ISO 27001
For Clients
ISO 27001 clause 4.2 requires organizations to determine the requirements of interested parties,
including applicable legal and regulatory requirements and contractual obligations.
Clause A.18.1 defines requirements for the control of compliance with legal and contractual requirements:
identification of the applicable requirements and the organization's approach to meeting them, documented
and kept up to date, procedures to ensure compliance, etc.
Audit Objective
When certifying a client to ISO 27001 the objective is to assure that the client has processes in place to
• Identify requirements for legal and regulatory compliance;
• Establish and maintain compliance with the appropriate combination of training, awareness,
skills, processes and procedures;
• Monitor compliance;
• Address non-compliance;
• Monitor changing laws and regulations and update compliance processes accordingly.
Clients that operate internationally will need to maintain compliance with laws and regulations in all
the countries in which they operate or process data; note that in the USA and perhaps other countries,
laws and regulations can vary from state to state.
Duties of Auditors with regard to Legal Compliance
• The auditor is not responsible for ensuring the client maintains legal and regulatory
compliance. That is the responsibility of the client.
• Neither BSI nor the auditor is responsible in law for reporting legal transgressions to the
authorities. Nor is the auditor liable for any loss or damage as a consequence of not reporting
such transgressions.
Auditing Principle
Audit a credible sample of the laws and regulations that apply to the client in order to assure that its
processes for establishing, monitoring and maintaining compliance are systematically communicated,
understood, executed and effective.
Scope
This paper covers UK law and regulations.
Similar principles can be expected to apply in the EU because much of UK law is driven by EU
directives. That said, there will be differences between countries because local implementations of
directives can and do vary. Canada and Australia have a tendency to be similar.
The USA is different and caution is advised because of its well-known litigious culture.
Certain countries are known for weak enforcement of the law. BSI’s interpretation of compliance
means compliance with local law as written, not as (weakly) enforced. So, for example, in countries
where there is copyright law it should be complied with even if nobody seems to care. (The test is,
what would a reasonable, law-abiding international client expect “compliance with the local law” to
mean?)
the client will almost certainly require competent legal advice. Legal advisers essentially analyze the
situation and consult legal books of case law in an attempt to determine what a Court judgement is
likely to be, and the risks and penalties should the behaviour be deemed illegal.
It’s important for clients and auditors to recognize that the law does not necessarily recognize
“common sense” and, if in doubt, a legal opinion must be sought. The penalties for sailing too close to
the legal wind can be crippling.