Synopsis: |
This pocket guide provides initial guidance to all who are concerned with IT regulatory compliance in the UK. A key challenge for all IT management teams is to ensure that the organization avoids breaches of any criminal or civil law, as well as any statutory, regulatory or contractual obligations, and of any security requirements. Control A.15.1.1 of ISO/IEC 27001:2005 provides guidance that is relevant to the IT governance of every organization. It says that the organization should explicitly define and document the statutory, regulatory and contractual requirements for each of its information systems, and that this documentation should be kept up-to-date to reflect any relevant changes in the legal environment. The specific controls and individual responsibilities to meet these requirements should be similarly documented and kept up-to-date, and should be linked to the list of all the data assets and processes in the organization, together with their ownership details.Foreign legislation may also be applicable to the operations of the organization; in particular, legislation passed in America (such as the Digital Millennium Copyright Act and others, discussed below) may affect the international operations of UK-based organizations or may be the basis on which a US-based organization takes action against a UK-based one. Again, expert legal advice is necessary and the rapid, ongoing development of the law should be tracked on a regular basis. |