Columns: ISO 27001 or ISO 27002 Section / Topic; Applicable Legal Documentation; Note

ISO 27002 Section 0.2: Identifying security requirements
  Applicable Legal Documentation: Security policy, ISMS policy, and others
  Note: Calls for a thorough understanding of applicable laws and contracts, as well as the security requirements they impose.

ISO 27001 Section 4.2: Understanding the needs and expectations of interested parties
  Applicable Legal Documentation: Auditors may ask for a document on this topic.
  Note: This section states that these requirements include "legal and regulatory requirements and contractual obligations."

ISO 27001 Section A.5.1.2, ISO 27002 Section 5.1.2: Review of information security policies for changes in "legal conditions"
  Applicable Legal Documentation: Security policy, ISMS policy, and others
  Note: Legal should review security documentation periodically and update it when security, privacy, or other laws change.

ISO 27001 Section A.6.2: Teleworking and mobile device policies
  Applicable Legal Documentation: Standalone teleworking and mobile device policies, or coordination with an acceptable use policy or employment manual
  Note: These topics are frequently covered by employment legal documents, and the security policies should be coordinated with those documents.

ISO 27001 Section A.7.2.1: Terms and conditions of employment
  Applicable Legal Documentation: Employee agreements and employment manual
  Note: Employees and contractors should be bound by contractual duties to maintain the security of information protected under the security program.

ISO 27001 Section A.7.3.1: Termination procedures
  Applicable Legal Documentation: Acknowledgements signed upon termination
  Note: Departing employees and contractors should acknowledge their continuing security duties. These acknowledgements are typically drafted by HR and employment lawyers.

ISO 27001 Section A.8.2.1: Information classification
  Applicable Legal Documentation: Information classification policy
  Note: The framework states that information should be classified in terms of legal requirements. Organizations need to understand and document what those requirements are.

ISO 27002 Section 10.1.2: Legal requests for cryptographic keys
  Applicable Legal Documentation: Policies for handling subpoenas and other legal process
  Note: This section discusses the fact that an investigating party may request copies of cryptographic keys. There should be documentation about how the organization will handle such requests.

ISO 27002 Section 11.2.2: Supporting utilities
  Applicable Legal Documentation: Capacity management documentation
  Note: Capacity management documentation should comply with legal requirements.

ISO 27002 Section 11.2.5: Removal of assets
  Applicable Legal Documentation: Visitor NDA, employment manual, employee agreements
  Note: Spot checking to prevent exfiltration of information assets should comply with applicable law.

ISO 27002 Section 11.2.9: Clear desk and screen policy
  Applicable Legal Documentation: Acceptable Use Policy, employee agreements, or employment manual
  Note: Clear desk and screen policies should be consistent with applicable law.

ISO 27002 Section 12.4.4: Time synchronization
  Applicable Legal Documentation: Security policy or subordinate policy
  Note: Requirements for clock accuracy and the time precision of audit logs should meet applicable legal requirements.

ISO 27002 Section 13.2.1: Information transfer agreements
  Applicable Legal Documentation: Agreements with parties sending or receiving transmissions of sensitive information
  Note: Practices for transmitting sensitive information should be consistent with applicable legal requirements.

ISO 27002 Section 13.2.3: Electronic messaging
  Applicable Legal Documentation: Agreements with parties sending or receiving transmissions of sensitive information
  Note: Electronic signatures, authentication, and assurances of nonrepudiation should be consistent with applicable legal requirements.

ISO 27002 Sections 14.1.2 and 14.1.3: Internet-based services
  Applicable Legal Documentation: Agreements with service providers
  Note: Services should comply with the authentication, integrity, and confidentiality requirements imposed by law or contract.

ISO 27002 Sections 15.1.1 and 15.1.2: Information security policy for supplier relationships
  Applicable Legal Documentation: Internal policy about using suppliers and imposing requirements on them, and agreements with suppliers
  Note: Policies and agreements should impose security requirements on suppliers.

ISO 27001 Section A.16.1.2, ISO 27002 Section 16.1.3: Reporting of information security events and weaknesses
  Applicable Legal Documentation: Reporting forms
  Note: If phrased as a request for legal advice, some incident reporting forms can be protected from disclosure by the attorney-client privilege. This is helpful when the reports contain self-critical information, which, absent a privilege, could constitute admissions used against the organization.

ISO 27001 Section A.16.1.5: Response to incidents
  Applicable Legal Documentation: Breach notifications, where required
  Note: One kind of response that may be mandatory under the law is breach notification. Organizations should identify legal requirements for breach notification and obtain legal advice on structuring a response policy.

ISO 27001 Section A.16.1.7: Collection of evidence
  Applicable Legal Documentation: Policy for the collection of evidence
  Note: In the event of a breach, it is helpful for legal counsel to engage forensic experts to collect and preserve evidence for potential legal proceedings.

ISO 27001 Section A.18.1.1: Identification of applicable laws and contracts
  Applicable Legal Documentation: Separate documentation
  Note: This section explicitly calls for organizations to understand and document applicable legal requirements.

ISO 27001 Section A.18.1.2: Compliance with IP rights
  Applicable Legal Documentation: IP policy, agreements with employees, employment manual, and code of conduct
  Note: This section calls for documentation of an organization's commitment to avoid infringing on the IP rights of others.

ISO 27001 Section A.18.1.3: Protection of records (records and information management)
  Applicable Legal Documentation: Document retention policy or Records and Information Management Policy
  Note: Documentation should address the preservation of key records in light of legal requirements. Companies have been sanctioned for not having such a policy, separate from the information security context.

ISO 27001 Section A.18.1.4: Privacy of personal information
  Applicable Legal Documentation: Privacy policies
  Note: Legal should assist in identifying privacy requirements and how they apply to the organization's products and services.

ISO 27001 Section A.18.1.5: Regulation of cryptographic controls
  Applicable Legal Documentation: Encryption policy and technical standard
  Note: This section relates to the export and import of cryptographic software and hardware.

ISO 27001 Section A.18.2.2: Compliance reviews
  Applicable Legal Documentation: Assessment documentation
  Note: Legal should assist in the assessment of compliance in light of applicable legal requirements.

Copyright © Silicon Valley Law Group
One North Market St. Suite 200
San Jose, CA 95113
Phone: (408) 573-5700
Website: airoboticslaw.com
Main SVLG website: svlg.com