In this post, we will cover the legal, statutory, regulatory and contractual requirements that are relevant to businesses, including how to manage them so that you are protected from potential litigation or other legal disputes. We will also cover the controls around privacy: intellectual property, personally identifiable information (PII) and the protection of records, as set out in controls A.5.31 to A.5.34.

A.5.31 Legal, statutory, regulatory and contractual requirements

The objective of this control is to identify the legislation and contractual requirements which are applicable to your business. You need to explicitly identify, document and keep up to date all relevant legal, statutory, regulatory and contractual requirements, together with your approach to meeting them.

A good way to achieve this is by creating a legal and regulatory register. The register can then be reviewed and updated as appropriate to ensure it remains current. Each entry should record the requirement, the business activity or system it applies to, the owner responsible for it, and how compliance is demonstrated.

Signing up to notifications from government departments when legislation is updated is a good way of keeping up to date with changes, and allows you to keep on top of them. Similarly, in the current day of SaaS services, where the contract with a supplier is often enforced through their end-user licence agreement (EULA), reviewing these agreements when notifications of changes are received, and updating the register accordingly, will ensure that you stay on top of your contractual requirements.

A.5.32 Intellectual property rights

This control is intended to ensure that you do not infringe on anyone else's intellectual property rights and that you keep control of your own business's intellectual property. You need to implement appropriate procedures to ensure compliance with the legislative, regulatory and contractual requirements related to intellectual property rights and to the use of proprietary software products (for example, tracking software licences so that installations do not exceed what has been purchased).

Ensuring that your business's intellectual property is protected is most commonly achieved by including clauses within employee and contractor contracts and non-disclosure agreements which address the ownership of intellectual property.

A.5.33 Protection of records

The aim of this control is to ensure that records and documentation are protected. Records need to be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.

This is usually achieved within a document management system, implemented based on the classification of information in control A.5.12 in conjunction with access control in control A.5.15, to ensure that records are appropriately stored and only accessible to relevant people. The retention period for each type of record should also be defined, so that records are kept for as long as the identified requirements demand and disposed of securely afterwards.

A.5.34 Privacy and protection of personally identifiable information (PII)

This control aims to ensure the privacy and protection of personally identifiable information. You need to identify and meet the requirements for the preservation of privacy and the protection of PII in accordance with the relevant legislation, regulation and contractual requirements, where applicable.

This can broadly be achieved by the following steps:

  • Identifying any places where PII is stored in your systems, and recording these in the information register from control A.5.9.
  • Identifying any relevant laws, legislation and contractual requirements for handling PII, as part of control A.5.31.
  • Ensuring that the data identified is handled in accordance with the identified requirements. Good practice is to apply the most stringent of the requirements to all PII, so that you already exceed any less stringent requirements, and remain compliant should new requirements be introduced or existing ones change.

Takeaways

The key points to take away are:

  1. Keep a register of legal and regulatory requirements that affect your business, along with contractual requirements.
  2. Subscribe to learn of changes to these requirements and review the register periodically.
  3. Ensure intellectual property clauses are included in employee and contractor contracts.
  4. Keep your records protected in your document repository, based on their classification.
  5. Know where you keep any PII records within your business so that you can classify and protect them.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
