ISO27001 – template – Applicable legislation for a UK SaaS Cloud company

One small but important aspect of an ISMS* is applicable legislation and regulation. When first starting our ISMS I struggled to come up with this list, so I have posted it to give someone else a starting point and save them some time. This is a good starting point for UK cloud businesses on their way to ISO27001 certification. The list reflects the legislation in force at the time of writing; several of the Acts listed have since been amended or replaced, so verify each entry against current law before adopting it.


Applicable Legislation list

Purpose

This document sets out the legislation and regulation that BUSINESS NAME considers applicable to the implementation of, and compliance with, its ISMS under ISO27001.

Responsibilities

The Managing Director is responsible for ensuring that the ISMS design and implementation supports the stated aim of legal compliance, and that the statutes/laws listed here are considered.
The Information Security Manager is responsible for ensuring that the list is kept up to date when new legislation or amendments are issued, and for highlighting changes to the Directors.

Legislation

The following laws/regulations are considered applicable to a UK Cloud Business:

  •   The Copyright, Designs and Patents Act 1988
  •   Official Secrets Act 1989
  •   Computer Misuse Act 1990
  •   Copyright (Computer Programs) Regulations 1992
  •   Data Protection Act 1998
  •   The EU Data Protection Directive (95/46/EC)
  •   Human Rights Act 1998 (esp. Article 8)
  •   Regulation of Investigatory Powers Act 2000
  •   Electronic Communications Act 2000
  •   Freedom of Information Act 2000
  •   Privacy and Electronic Communications (EC Directive) Regulations 2003
  •   Disability Discrimination Act 2005
  •   The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011
  •   Defamation Act 2013
  •   The Electronic Communications Code (Conditions and Restrictions) (Amendment) Regulations 2013
  •   Data Retention and Investigatory Powers Act 2014

* Information Security Management System. This is a combination of documented policies, processes and systems describing your approach to information security