Article code: 456214
Journal code: 695675
Year of publication: 2008
English article: 12-page PDF
Full-text version: Free download
English title of the ISI article
Information security requirements – Interpreting the legal aspects
Related topics
Engineering and Basic Sciences > Computer Engineering > Computer Networks and Communications
English abstract

With information security being the focal point of business in the media and in legislatures around the world, organisations face complex requirements to comply with security and privacy standards and regulations. The escalating magnitude of national and international laws and regulations, such as Sarbanes–Oxley, Gramm–Leach–Bliley and Basel II, caused organisations to become increasingly aware of the importance of legal compliance and the obligations that arise from it. The challenge of meeting these obligations has become a complex web of requirements that grows exponentially as organisations cross international boundaries. This paper attempts to provide an interpretation of the legal aspects, as a starting point for clarifying compliance issues, as referred to by ISO/IEC 27002 (ISO/IEC 27002, 2005; previously known as ISO/IEC 17799, 2005). ISO/IEC 27002 further mentions three sources from which information security requirements can be derived, of which one will be focused on within this paper, namely the legal requirements. The interpretation of the legal aspects thus forms the foundation for motivating a proposed model for determining legal requirements, which in turn, indicates relevant information security controls from the list provided in ISO/IEC 27002, to satisfy the identified legal requirements.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 27, Issues 5–6, October 2008, Pages 124–135