Cambridge Risk Solutions jigsaw pattern

ISO 27001 Legislation

ISO 27001 legislation requirements include ensuring compliance with all applicable legislation, which includes relevant statutory and regulatory requirements and contractual obligations for you and your clients, as well as other interested parties.

ISO 27001 requires the determination of the needs and expectations of:

  • Interested parties that are relevant to the information security management system; and ‘the requirements of these interested parties relevant to information security.’
  • It further clarifies that this may ‘include legal and regulatory requirements and contractual obligations’.
Checking the legislation requirements for ISO 27001 certification


When first analysing the requirements, there is often a focus on those aspects of legislation that directly relate to information security, such as the Data Protection Act 2018.

What is more normally missed are industry specific regulations, for example, or business legislation which could have implications for the requirement to maintain confidentiality, integrity and availability of data and information.

As an example, the Companies Act 2006 requires that Board meetings’ minutes and resolutions are maintained for a minimum of 10 years, and the Taxes Management Act 1970 has detailed requirements for the retention of taxation records.

It is also worth noting that some legislation may deal with how long data and information should be kept for, and when it should be destroyed; this may be equally important when dealing with personal identifiable data. As an example, the Data Protection Act requires that data should not be ‘kept for longer than is necessary’ for for the purpose for which you hold it, and it must be kept up-to-date.

What does it mean for you?

Any relevant legislation and regulation must be assessed to fully understand the implications for your business, and to assist with ensuring that the relevant controls are in place to ensure that confidentiality, integrity and availability is maintained as required by you AND your interested parties.

Furthermore, all aspects of legislation relevant to the business will need to be monitored regularly, particularly in the post-Brexit environment, where a significant amount of legislation is likely to be modified.

We can work with you to fully understand your regulatory and legislative environment, to identify the requirements for your interested parties, and to create a register of this information, clearly identifying the requirements and implications for your business.

We will assist to establish a process that ensures that this register is maintained and reviewed, taking account of all stakeholder requirements.

We are happy to answer any questions about Business Continuity, Crisis Management, Information Security, Data Protection and Product Recalls.

How Can Cambridge Risk Solutions Help?

Cambridge Risk Solutions provides a range of services to assist with the implementation of Information Security, and have an experienced ISO 27001 Lead Auditor who can assist with readiness for certification to ISO 27001:2022

View some case studies of recent Information Security and ISO 27001 projects.

Scroll to Top
Scroll to Top