The discomfort zone

Compliance is a concern that pops up repeatedly on the ISO27k Forum, just this  morning for instance. Intrigued by ISO 27001 Annex A control A.18.1.1 "Identification of applicable legislation and contractual requirements", members generally ask what laws are relevant to the ISMS. 

That's a tough one to answer for two reasons.  

Firstly, I'm not a lawyer so I am unqualified and unable to offer legal advice. To be honest, I'm barely familiar with the laws and regs in the UK/EU and NZ, having lived and worked here for long enough to absorb a little knowledge. The best I can offer is a layman's perspective. I feel more confident about the underlying generic principles of risk, compliance, conformity, obligations, accountabilities, assurance and controls though, and have the breadth of work and life experience to appreciate the next point ...

Secondly, there is a huge range of laws and regs that have some relevance to information risk, security, management and the ISMS. The mind map is a brief glimpse of the landscape, as I see it ...

That's a heady mix of laws and regs that apply to the organisation, its officers and workers, its property and finances, its technologies, its contracts, agreements and relationships with employees and third parties including the authorities, owners, suppliers, partners, prospects and customers, and society at large. There are obligations relating to how it is structured, operated, governed, managed and controlled, plus all manner of internal rules voluntarily adopted by management for business reasons (some of which concern obligations under applicable laws and regs). Noncompliance and nonconformity open the can-o-worms still wider with obligations and expectations about 'awareness', 'due process', 'proof' and more, much more.

That A.18.1.1 control is - how shall I put it - idealistic:

"All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization."
All requirements?! Oh boy! Explicit! Documented! Maintained! This is bewildering, scary stuff, especially for relatively inexperienced infosec or cybersecurity professionals who seldom set foot outside of the IT domain. We're definitely in the discomfort zone here.

At the CISO, Information Security Manager or Privacy Officer level, the view is no less scary despite narrower knowledge gaps. The possibility of being held personally to account (perhaps even sacked or prosecuted!) for incidents involving noncompliance or nonconformity is both sobering and discomforting again.

The issue qualifies as a classic information risk, so an obvious risk-response is to attempt to avoid or mitigate it. Unfortunately, simply ignoring it won't make it go away, but large parts of the mind map can legitimately be handed to Other Departments or Someone Else - the Legal/Compliance team for instance (in larger organisations anyway), plus competent professionals from HR, Finance, Sales & Marketing, Operations, plus "top management". It's not really about being slopy-shouldered (honest!), so much as acknowledging that legal and regulatory compliance, particularly, deserve/require the involvement of competent specialists.

The residual risks may simply be accepted but really they ought to be explored, evaluated and reduced where cost-effective to do so. For example, misunderstandings or disagreements about precisely who is responsible for what in this domain can lead to gaps and conflicts with nasty consequences (e.g. if Everyone assumes Someone Else is dealing with, say, intellectual property) ... and that's a jolly good reason to arrange a management workshop or study to explore the entire mind map, talking it through and carving it up appropriately. 

Good luck with that.

Normally, I argue against unduly narrowing the scope of the ISMS (for instance, constraining it within IT or 'cyber') but in this case, scope-narrowing is due. It makes good sense to steer well clear of the can-o-worms, well skirt around it as best we can anyway. 

Fresh off the screen today, I'll soon be dropping the complete mind map one-pager into the SecAware ISMS Orbit toolkit, complementing the existing security awareness/training materials, diagrams, policies and guidance designed to make your worklife a little less fraught, more tolerable if not entirely comfortable. Meanwhile, if you ask me nicely and promise not to be scared witless, I'll share the mind map with you. It's R18 rated.