The ISO 27001 standard[1] is a specification for managing an information security program in an organization. The International Organization for Standardization (ISO) developed and maintains this standard. Worldwide, ISO 27001 has become the most popular standard for managing information security programs, and many organizations have received a certification that their information security management system complies with the standard.
When companies obtain an ISO 27001 audit, they usually envision working with auditors to complete the project using operational, management, information security, and internal audit teams within the organization. What they may find surprising is that the ISO 27001 framework contains a number of legal topics, and the input of the legal team is vital as well. Some organizations may consult legal counsel about these topics, but I believe most organizations try to address these topics without legal help or use “off the shelf” documentation offered as samples from their auditors.
Writing documentation without the help of legal counsel creates risk for the organization. In the event of a security breach, for instance, government or plaintiff’s lawyers will ask for, and be entitled to examine, the “off the shelf” policies and procedures adopted by the company. If the policies and procedures were never implemented properly, these lawyers would point to the lack of adoption as evidence of knowing failure to implement security practices properly. If the policies and procedures are inconsistent with actual security practice, the inconsistency will make the company look lax in its security practices.
In either case, the disconnect between the company’s security and whatever documentation the company adopted solely for the sake of getting through the ISO audit process creates a risk of liability if a breach occurs. Companies must anticipate that breaches of some kind are inevitable. Therefore, legal risk from hastily-adopted legal documentation drafted during an ISO audit is also inevitable.
Given these risks, companies are well advised to obtain the assistance of legal counsel in drafting legal policies and procedures referenced in the ISO framework. Many of the topics covered relate to legal issues the company should tackle anyway. Accordingly, any legal work done in connection with the audit will benefit the organization beyond simply the audit process and help the organization manage overall legal risk.
The table below includes examples of legal topics in ISO 27001 and example controls in ISO 27002, the types of legal documents relating to these topics that can serve as audit artifacts, and notes concerning their implementation. Note that if a section in ISO 27001 appears, the corresponding section in ISO 27002 likely contains helpful explanatory details.
| ISO 27001 or ISO 27002 Section | Topic | Applicable Legal Documentation | Note |
|---|---|---|---|
| ISO 27002 Section 0.2 | Identifying security requirements | Security policy, ISMS policy, and others | Calls for a thorough understanding of applicable laws and contracts, as well as the security requirements they impose. |
| ISO 27001 Section 4.2 | Understanding the needs and expectations of interested parties | Auditors may ask for a document on this topic. | This section states that these requirements include “legal and regulatory requirements and contractual obligations.” |
| ISO 27001 Section A.5.1.2; ISO 27002 Section 5.1.2 | Review of information security policies for changes in “legal conditions” | Security policy, ISMS policy, and others | Legal should review security documentation periodically to update it in case of changes in security, privacy, or other laws. |
| ISO 27001 Section A.6.2 | Teleworking and mobile device policies | Teleworking and mobile device standalone policies, or coordination with an acceptable use policy or employment manual | These documents are frequently covered by employment legal documents and should be coordinated with employment documents. |
| ISO 27001 Section A.7.2.1 | Terms and conditions of employment | Employee agreements and employment manual | Employees and contractors should be bound by contractual duties to maintain the security of information protected under the security program. |
| ISO 27001 Section A.7.3.1 | Termination procedures | Acknowledgements signed upon termination | Departing employees and contractors should acknowledge their continuing security duties. These acknowledgements are typically drafted by HR and employment lawyers. |
| ISO 27001 Section A.8.2.1 | Information classification | Information classification policy | The framework states that information should be classified in terms of legal requirements. Organizations need to understand and document what those requirements are. |
| ISO 27002 Section 10.1.2 | Legal requests for cryptographic keys | Policies for handling subpoenas and other legal process | This section discusses the fact that an investigating party may request copies of cryptographic keys. There should be documentation about how the organization will handle such requests. |
| ISO 27002 Section 11.2.2 | Supporting utilities | Capacity management documentation | Capacity management documentation should comply with legal requirements. |
| ISO 27002 Section 11.2.5 | Removal of assets | Visitor NDA, employment manual, employee agreements | Spot checking to prevent exfiltration of information assets should comply with applicable law. |
| ISO 27002 Section 11.2.9 | Clear desk and screen policy | Acceptable use policy, employee agreements, or employment manual | Clear desk and screen policies should be consistent with applicable law. |
| ISO 27002 Section 12.4.4 | Time synchronization | Security policy or subordinate policy | Requirements for time accuracy and audit logging time precision should meet applicable legal requirements. |
| ISO 27002 Section 13.2.1 | Information transfer agreements | Agreements with parties sending or receiving transmissions of sensitive information | Practices for transmitting sensitive information should be consistent with applicable legal requirements. |
| ISO 27002 Section 13.2.3 | Electronic messaging | Agreements with parties sending or receiving transmissions of sensitive information | Electronic signatures, authentication, and assurances of nonrepudiation should be consistent with applicable legal requirements. |
| ISO 27002 Sections 14.1.2 and 14.1.3 | Internet-based services | Agreements with service providers | Services should comply with authentication, integrity, and confidentiality requirements imposed by law or contract. |
| ISO 27002 Sections 15.1.1 and 15.1.2 | Information security policy for supplier relationships | Internal policy about using suppliers and imposing requirements on them, and agreements with suppliers | Policies and agreements should impose security requirements on suppliers. |
| ISO 27001 Section A.16.1.2; ISO 27002 Section 16.1.3 | Reporting of information security events and weaknesses | Reporting forms | If phrased as a request for legal advice, some incident reporting forms can be protected from disclosure by the attorney-client privilege. This would be helpful when the reports contain self-critical information, which would constitute admissions used against the organization in the absence of a privilege. |
| ISO 27001 Section A.16.1.5 | Response to incidents | Potentially breach notifications | One kind of response that may be mandatory under the law is breach notification. Organizations should identify legal requirements for breach notification and obtain legal advice on structuring a response policy. |
| ISO 27001 Section A.16.1.7 | Collection of evidence | Policy for the collection of evidence | In the event of a breach, it is helpful for legal counsel to engage forensic experts to collect and preserve evidence for potential legal proceedings. |
| ISO 27001 Section A.18.1.1 | Identification of applicable laws and contracts | Separate documentation | This section explicitly calls for organizations to understand and document applicable legal requirements. |
| ISO 27001 Section A.18.1.2 | Compliance with IP rights | IP policy, agreements with employees, employment manual, and code of conduct | This section calls for documentation of an organization’s commitment to avoid infringing on the IP rights of others. |
| ISO 27001 Section A.18.1.3 | Protection of records (records and information management) | Document retention policy or records and information management policy | Documentation should address the preservation of key records in light of legal requirements. Companies have been sanctioned for not having such a policy, separate from the information security context. |
| ISO 27001 Section A.18.1.4 | Privacy of personal information | Privacy policies | Legal should assist in identifying privacy requirements and how they apply to the organization’s products and services. |
| ISO 27001 Section A.18.1.5 | Regulation of cryptographic controls | Encryption policy and technical standard | This section relates to the export and import of cryptographic software and hardware. |
| ISO 27001 Section A.18.2.2 | Compliance reviews | Assessment documentation | Legal should assist in the assessment of compliance in light of applicable legal requirements. |
Stephen Wu is a shareholder with Silicon Valley Law Group. Mr. Wu advises clients on information technology matters in areas including establishing information governance policies and practices, agreement drafting and negotiation, information security, data breach response, computer fraud, computer investigations, privacy, and records management. For more information on legal assistance for your ISO 27001 audit, please contact Stephen Wu by completing the web form here.
[1] ISO/IEC 27001:2013, Information technology—Security techniques—Information security management systems—Requirements (“ISO 27001”).