Medigy Intelligence

Compliance Regulatory Policy

companyName
aligned its information security management system (ISMS) with information security management. [FII-SCF-005-CPL-01]

To create and maintain the ISMS,

companyName
must fully understand the legal, statutory, regulatory, and contractual requirements that apply to its business.

This understanding ensures that the organization fulfills its obligations and mitigates the risk of criminal prosecution or corporate liability for the board of directors and other stakeholders.

The purpose of this procedure is to document the process of identifying and incorporating these requirements into the ISMS, as well as how updates to the requirements are managed.

Legal, regulatory, statutory and contractual requirements [FII-SCF-005-CPL-01]

compliance-regulatory-policy

The procedure for identifying, documenting and maintaining legal, regulatory and contractual requirements is summarised in the diagram below. Each step is expanded upon in the following sections.

Identify requirement

companyName
relies upon the following departments and external bodies to identify legal, regulatory and contractual requirements that are relevant to its information security:

TEAMAREAS COVEREDCOMMUNICATION METHOD
Legal department/Customer contracts/HR/FinanceLaws relevant to information security, including privacy and data protection
Customer commitments, contractual obligations
Employee related labour laws
Finance, taxation, Cash flows
Email alerts
Quarterly meetings
External legal advisersLaws relevant to information security, including privacy and data protectionWebinars
Newsletters
Meetings on specific topics
Governance, Risk and Compliance team – InfoSec teamRegulatory framework and requirements
Regulatory reporting if any
Email alerts
Quarterly meetings
Supplier ManagementContractual agreements, current and new bidsEmail alerts
Quarterly meetings
Industry bodyLaws, regulations and other issues relevant to our industrySeminars
Annual Conference
Regulatory AuthorityRegulatory framework and requirements
Regulatory reporting
Official communications
Briefing events
Professional associations for information securityGeneral legal, regulatory and contractual issues for information securityNational and regional meetings
Newsletters
Training
National and regional business groupsGeneral legal, regulatory and contractual issues for the businessNational and regional meetings
Newsletters
Training

In general,

companyName
will request the appropriate team or external body to provide an interpretation of the relevant parts of the item under consideration through briefing papers, presentation materials, or other media.

If needed, the CTO will obtain full copies of the relevant source material (such as legislation or regulatory announcements) in hardcopy or electronic form for reference purposes.

Assess implications

The CTO has the responsibility of ensuring a complete assessment of the implications of relevant items for the ISMS based on qualified advice from the sources listed in Table 1.

The assessment will consider the following aspects:

  • The extent of change required for the ISMS and its associated policies, procedures, forms, and plans to meet the requirement.
  • The urgency of meeting the requirement.
  • The consequences of not meeting the requirement.
  • The available options for meeting the requirement.

Document requirements

After assessment, the relevant requirements will be documented at a high level as part of the ISMS in the Information Security Context, Requirements, and Scope document. All changes to this document will be recorded following the ISMS documentation procedures.

Details of the requirements will include:

  • The source of the requirement
  • The type of requirement (legislative, regulatory, contractual, or other)
  • Details of the requirement at an appropriate level
  • Link(s) to more detailed specification of the requirement, where applicable, such as legislative documents, regulations, contracts
  • The owner of the requirement
  • The legal scope of the requirement, such as the applicable country’s law
  • The dates from and to which the requirement applies.

If necessary, confirmation of the requirement’s interpretation will be obtained from a relevant source, such as the organization’s legal department.

Define approach to meeting requirements

If a new or modified requirement calls for immediate changes to the ISMS, they will be included as soon as possible, and updated versions of the relevant policies and procedures will be provided to all recipients. Otherwise, the change will be assessed during the next annual review of the ISMS.

Review and update

New requirements and changes to existing requirements will be discussed at regular review meetings with internal departments.

All relevant requirements will be re-assessed on at least an annual basis as part of the ISMS annual review. Appropriate advice will be obtained at this point to ensure that all changes have been captured.

Any new or changed requirements identified as part of the review process will be handled in accordance with this procedure and appropriate updates made.

Medigy Innovation Network

Connecting innovation decision makers to authoritative information, institutions, people and insights.

Medigy Logo

The latest News, Insights & Events

Medigy accurately delivers healthcare and technology information, news and insight from around the world.

The best products, services & solutions

Medigy surfaces the world’s best crowdsourced health tech offerings with social interactions and peer reviews.


© 2022 Netspective Media LLC. All Rights Reserved.