After you have determined the scope, identify any regulatory or legislative standards that apply to the areas you plan to cover with the ISMS. Such standards might come from the industry in which your organization works or from state, local, or federal governments, or international regulatory bodies.
What you need: Up-to-date regulatory or legislative standards that might be applicable to your organization. You might find it helpful to have input and review from lawyers or specialists who are knowledgeable about the standards.
Results: Additional statements in the scope of the ISMS. If your ISMS will incorporate more than two or three legislative or regulatory standards, you might also create a separate document or appendix in the Security Manual that lists all of the applicable standards and the details of each (issuing body, version or date, and the parts of the organization it applies to).
Example: The text added to the scope statement as a result of identifying applicable legislation is shown in the following example.
Scope and Purpose
The company is committed to protecting its information and that of its customers. To achieve this goal, the company has implemented an Information Security Management System in accordance with ISO 27001:2013 and the rules and regulations that are part of the Information Technology Act, 2000, also known as the IT Act.
The company’s ISMS is applicable to the following areas of the business:
• Finance department
• Internal IT systems and networks used for back-end business (such as email, timesheets, contract development and storage, and report writing)
(Note: IT systems and networks on which company software is developed and stored are part of the Software Development ISMS.)