ISO/IEC TR 27024 — Technical report — ISO/IEC 27001 family of standards references list — Use of ISO/IEC 27001 family of standards in Governmental / Regulatory requirements [DRAFT]
Abstract
“This document provides a list of national regulations that reference ISO/IEC 27001 as a requirement.” [Source: ISO/IEC JTC 1/SC 27 SD11 July 2024]
Introduction
This Technical Report intends to help organisations determine which ISO27k standards are recommended or required of them for national compliance reasons (without being construed as legal advice), and to facilitate or encourage global harmonisation of the laws, regulations etc. in the field of information security management.
Scope of the standard
The draft standard:
- Identifies a number of national laws, regulations and guidelines that depend and build upon the ISO27k standards;
- Explicitly concerns information security, privacy/data protection, and digitalization and electronic archiving;
- Does not (explicitly) concern other areas such as governance, contracts, product quality/fitness for purpose, cryptography, digital signatures, defence, official secrets, classified information, health and safety, financial data integrity, medical records, misinformation, and more.
Content of the standard
The central chapter contains just 18 clauses, each listing a selection of relevant laws and regs from a different country or region (such as the EU).
Status of the standard
A Technical Report is being developed from SC 27 Standing Document 7 - an internal committee reference document.
Since SD7 is mature, the standard progressed rapidly to Draft Technical Report stage and was due to be published in Q3 2023. However, compiling and checking details on relevant laws and regs around the globe, along with editorial changes required by ISO, substantially delayed release.
The title may become “Government and regulatory use of ISO/IEC 27001, ISO/IEC 27002 and other information security standards”. It is entering Committee Draft stage and is now due to be published in 2025.
Personal comments
If this remained as a Standing Document without the formalities of becoming a standard, it would be easier, quicker and cheaper to update it as the referenced standards and laws/regs change, with the bonus of being freely available to those who need the information ... but the committee decided to publish it as a Technical Report.
Taking a broad perspective, there are loads of laws and regs that have some relevance to the confidentiality, integrity or availability of information. In the extreme, virtually every law involves forensic evidence with strong CIA (confidentiality, integrity and availability) implications. Laws and regs relating to human safety are important to protect the valuable knowledge and competencies in our heads, while those relating to mental health affect our information processing capabilities. Laws and regs on tax and financial reporting and corporate governance all have information security implications. The standard is unlikely even to mention these.
This project faces a similar conundrum to ISO/IEC 27002. It would be wonderful if the standard was truly comprehensive and up-to-date, and could be relied upon as such, but ultimately that is infeasible. There is a risk that naive users may rely on the standard as definitive without seeking competent legal advice or researching which laws and regs are in fact applicable - hopefully not you though, having read this cautionary note!