Compliance (ISO)

Compliance with legal requirements
The objective of this category is to ensure compliance with all statutory, regulatory, certificatory or contractual obligations.
Identification of applicable statutes, regulations and certification standards • All relevant statutory, regulatory and private certificatory requirements should be identified. The organization's approach to meeting these requirements should be explicitly defined, documented and kept up to date.
Authorities: ISO-27002:2005 15.1.1.
Protection of confidentiality of personal information • Appropriate policies and procedures should be implemented to ensure the confidentiality of personal data, consistent with statutory, regulatory and private requirements.
Authorities: ISO-27002:2005 15.1.4.
Protection of intellectual property rights (IPR) • Appropriate policies and procedures should be implemented to ensure compliance with legal, regulatory and private requirements for all materials for which there may be IPR, including but not limited to proprietary software products.
Authorities: ISO-27002:2005 15.1.2.
Protection of organizational records • Appropriate policies and procedures should be implemented to ensure the confidentiality, integrity and availability of organizational records. Control includes:
- categorization of data, consistent with statutory, regulatory, certificatory, contractual and business requirements;
- creation of data protection policies consistent with this categorization;
- creation of data retention and data destruction policies consistent with this categorization;
- implementation of a data retention and destruction schedule consistent with policies;
- appropriate controls to protect records from loss, destruction or falsification during their retention period;
- appropriate controls to assure appropriate destruction at the end of their retention period.
Authorities: ISO-27002:2005 15.1.3.
Prevention of misuse of information and information processing facilities • Appropriate policies, procedures and end-user education should be implemented to deter misuse of information and information processing services, systems, equipment and facilities. Control includes:
- user awareness of the precise scope of their permitted access;
- user awareness of the monitoring in place to detect unauthorized access;
- a log-on warning message reminding users of access policies and monitoring; and
- intrusion detection/prevention, content inspection and other monitoring activities as appropriate.
Authorities: ISO-27002:2005 15.1.5.
Regulation of cryptographic controls and other technologies • Appropriate policies and procedures should be implemented to ensure that cryptographic methods and controls, and any other national-security-sensitive technologies, are used in accordance with all relevant laws and regulations.
Authorities: ISO-27002:2005 15.1.6.
Compliance with organizational security policies and technical standards
This category aims to ensure compliance with "internal" organizational policies, procedures and standards.
Periodic review of security processes • Data, data system and data facility controllers should periodically review all security processes within their areas of responsibility to ensure compliance with relevant security policies and standards.
Authorities: ISO-27002:2005 15.2.1.
Periodic checks of technical compliance • Data systems should be regularly checked for compliance with security implementation standards, including but not limited to penetration tests and vulnerability assessments.
Authorities: ISO-27002:2005 15.2.2.
Information systems audit considerations
This category aims to maximize the effectiveness of, and to minimize interference from, information system audit processes.
Information systems audit controls • Audit controls should be implemented to allow collection of appropriate audit data on operational systems, while minimizing the risk of disruption to business processes.
Authorities: ISO-27002:2005 15.3.1.
Protection of information system audit tools • Access to information system audit tools should be appropriately limited to prevent misuse or compromise.
Authorities: ISO-27002:2005 15.3.2.
Last modified: 24-Jul-2006 [RC]