Ely, England, 6 December 2011 – There are over 70 information-related laws and statutes currently in force in the UK. Organisations need to know what laws they have to comply with and how to ensure compliance. For those implementing ISO27001, there is a requirement that their ISMS takes ‘into account business and legal or regulatory requirements, and contractual security obligations’.
Since the new UK Government’s Cyber Security Strategy was published in November, there is an even greater incentive for all industries to familiarise themselves with the existing legislation and adhere to those laws relevant to them. Important laws, such as the Data Protection Act (DPA), Freedom of Information Act, Privacy and Electronic Communications Regulations and many more, exist in order to protect organisations’ information assets, as well as the well-being of their customers and stakeholders. The Information Commissioner’s Office oversees their application and has the right to fine any organisation that violates these laws. The internationally recognised ISO27001, on the other hand, ensures that companies comply with this legislation.
More importantly, some experts believe that the new Cyber Security Strategy can only be successful if organisations are required to pursue ISO27001 with a number of mandated controls, and if businesses are encouraged to invest in improving their information security.
Speaking to risk.net in November, Alan Calder, CEO of IT Governance, stated: “The big thing is that, while the Government talks about needing to take the lead and have a public–private partnership, what it really needs to be doing is making sure companies in the UK financial sector, and outside the financial sector, take information security a massive amount more seriously.”
The experts at IT Governance, the single-source provider for everything related to ISO27001 and information security, have recently launched their revised ISO27001 Compliance Database and Update Service. This is the only product on the market that holds a repository of all the 71 statutes and regulations relevant to ISO27001. Updated for 2011, the ISO27001 Compliance Database includes 10 new laws and offers regular updates (depending on the subscription period) as and when new laws are published.
ISO27001 requires organisations to develop their information security management system (ISMS), taking into account ‘business and legal or regulatory requirements, and contractual security obligations’ (Clause 4.2.1 b. 2). There are five controls in ISO/IEC 27001 Annex A which impose specific requirements in terms of identifying and staying up to date with statutory and regulatory requirements.
The ISO27001 Compliance Database and Update Service identifies the specific clauses within each legal instrument that organisations must comply with, providing best-practice guidance on how to comply with each clause. It also enables an ISMS project manager to select appropriate controls at the individual clause level.
A video demonstrating how the ISO27001 Compliance Database and Update Service works is available online at www.itgovernance.co.uk/products/3161.
Subscriptions to the ISO27001 Compliance Database and Update Service can be made online here: www.itgovernance.co.uk/products/3161, or by contacting IT Governance’s friendly service team on +44 (0) 845 070 1750, or via e-mail to firstname.lastname@example.org.