Laws and Regulations Applicable to Information Security Management Systems

Introduction
This table is a “plain person’s guide” to the laws and regulations that might apply to the ISMS implemented by a typical BSI client. For details please refer to Ref 1. (If you decide to consult additional reference books, please make sure they were published in 2008 or later, are written by a reputable authority, and apply to the country you’re auditing.)

Staying within the law means understanding the statutes (the law as written) and case law (interpretations of the law written by Judges). Case law is discussed alongside the statutes in texts like Ref 1. Many areas of law applicable to information security are changing rapidly (new statutes are introduced, existing ones are revised, and case law evolves), so client organizations need a means of keeping up to date, such as newsletters, subscription services and competent legal counsel.

A full list of applicable laws would be impossibly long, so this guide concentrates on the most important statutes and regulations for typical BSI clients with a certified ISMS. Thus, for example, it makes no mention of the Companies Act because, although companies must protect their organizational records, it’s not usually a primary motivator for ISMS certification. There is mention, though, of Sarbanes Oxley because the detailed control it requires of records of financial transactions can be supported with an ISMS.

The table lists statutes and describes their “natural justice principles” in plain (not legally precise) language, together with examples of their application in a typical BSI client ISMS. The idea is to provide a quick reference that enables an auditor to get a quick grasp of the legal areas that apply to a given client, and to consider legal compliance processes in relation to the legal principles the client ought to be applying. When it seems the client’s compliance is not aligned with a principle, auditing in more detail may be required. (We should no doubt be cautious about using the term “principle” here because it probably has a legal definition; however, this is a plain person’s guide, so if there is such a definition, the lay understanding herein is operative.)

EU Directives drive many areas of UK law. The process is that each country implements Directives in its own laws. There are differences between countries in their interpretation of EU Directives and their balancing of national and European interests. Thus, laws in different countries that enact EU Directives will be inconsistent in the details.

References
1. Information Technology Law, Ian J Lloyd, Fifth Edition, Oxford University Press, 2008.
Table: Statute / Natural Justice Principle / Application in typical BSI Client ISMS

Statute: Data Protection Act 1998 (see also ISO 10012 Personal Information Management Systems)
Natural Justice Principle: Protection of an individual’s privacy according to defined DP principles such as fair and accurate processing, in respect of data relating to race, politics, religion, health, sex life or criminal convictions.
Application in typical BSI Client ISMS: Government, banks, IT service providers, telecom service providers, healthcare – any organization that processes or stores personal information. Typical BSI clients are unlikely to be exempt from the notification requirements.

Statute: Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations – under the auspices of RIPA
Natural Justice Principle: Telecom companies can and must monitor and log communications for the purposes of traffic management, billing and in support of serious crime investigations, but within strict boundaries that balance individual privacy, network management and evidence collection.
Application in typical BSI Client ISMS: Telecom service providers (mobile and fixed) and, perhaps, some of their suppliers.

Statute: Data Protection Act 1998 – eighth principle, Transborder data flows; Safe Harbor principles
Natural Justice Principle: Don’t send personal data outside the EU unless the country or territory ensures an adequate level of protection for the rights and freedoms of data subjects. Safe Harbor applies to US processing of personal data. Self-certifying scheme. Not regulated. Breach of terms may result in legal action by the Federal Trade Commission.
Application in typical BSI Client ISMS: Clients that outsource personal data processing outside the EU.

Statute: Computer Misuse Act 1990
Natural Justice Principle: Computers must not be misused, either by unauthorized users or by authorized users (who must only use the computer for the purpose for which authorization was granted). The Act covers the information on the computer, although there have been legal disputes on this point.
Application in typical BSI Client ISMS: Clients with computer networks. A penetration testing service attacking a client computer to measure the strength of its defences under contract with the client is not guilty of computer misuse. A researcher attacking computers without prior written consent is in breach of the Computer Misuse Act. There may be significant differences in approach in other countries. (One book says that penetration testing should only be done in the USA under client-attorney privilege, because the report may be at risk of public disclosure in Court; but this has not yet been corroborated with a second reference.)

Statute: Forgery and Counterfeiting Act 1981; Fraud Act 2006; Anti-terrorism, Crime and Security Act 2001; Proceeds of Crime Act 2002
Natural Justice Principle: Don’t obtain money or services by deception.
Application in typical BSI Client ISMS: Banks, financial services, gambling. Vulnerable to theft and money-laundering attacks: money laundering is used by organized crime to hide the proceeds of serious crime like drug trafficking and piracy, and by terrorist organizations to transfer funds. Any client selling products or services using on-line sales transactions.

Statute: Sarbanes Oxley (USA)
Natural Justice Principle: Don’t deceive shareholders, don’t siphon funds, and establish processes, accountability and segregation of duties to make sure that 3rd parties are evaluated and cheques are written with integrity and audit trails.
Application in typical BSI Client ISMS: Any client subject to SOX requirements (which are often imposed on European companies by their corporate American masters) that wishes to use ISO 27001 to protect the C/I/A of financial audit trails.

Statute: Protection of Children Act 1978; Criminal Justice and Public Order Act 1994; Obscene Publications Act 1964; Video Recordings Act 1984
Natural Justice Principle: These and other Acts (e.g. the Copyright, Designs and Patents Act defines a “photograph”) combine to prohibit or control pornography.
Application in typical BSI Client ISMS: Client organizations (as well as their employees or customers) may be held legally responsible for banned or controlled materials (pictures, videos, animations, text) on their computers.

Statute: Regulation of Investigatory Powers Act 2000; Anti-terrorism, Crime and Security Act 2001
Natural Justice Principle: Voice and data communications may be intercepted when authorized by the Secretary of State in the interests of national security, to prevent or detect serious crime, or to safeguard UK economic well-being. Telecommunications companies (fixed and mobile) and Internet Service Providers (there may be exemptions for smaller companies) have to provide defined interception and detection capabilities, including audit trails and records retention, in their networks. Encryption keys can be demanded and withholding them can be an offence. This is all subject to warrants and regulations that safeguard individual liberties.
Application in typical BSI Client ISMS: Telecom fixed and mobile; ISPs; government departments involved in crime or anti-terrorism. Any organization subject to a police investigation needs to be aware of its rights and obligations (e.g. with regard to encryption keys).

Statute: Police and Criminal Evidence Act 1984
Natural Justice Principle: Evidence has to be admissible and credible in Court. Computer evidence must be above reasonable suspicion of tampering.
Application in typical BSI Client ISMS: Any client organization that might initiate, or be subject to, Court proceedings, in order that it can properly collect and store evidence. Not only must it observe correct procedures, its key personnel (such as its forensics engineer) must demonstrate competence and credibility in Court.

Statute: Copyright, Designs and Patents Act 1988
Natural Justice Principle: Copyright applies to original literary, dramatic, musical or artistic works, sound recordings, films, broadcasts, etc. Patents apply to inventions. Both Copyright and Patent law can apply to software and databases and protect the owner from unauthorized copying, broadcast and so on.
Application in typical BSI Client ISMS: Industrial espionage is a significant threat for technology companies. R&D and manufacturing organizations that need to protect their copyright or patented designs (including software and databases). Design services such as architects and software consultants. Publishers and printers of copyright material. Companies as well as individuals may be held legally responsible for copyright and patent infringements, e.g. MP3 and DVD pirating.

Statute: Trademarks Act 1994
Natural Justice Principle: A trademark can be a sign (the Bass red triangle or the BSI logo), a form of words (“for Dummies”) or other sign distinctively associated with the trading entity. It’s not legal to use someone else’s trademark to pass off a product, service or company as the genuine article when it’s not. Using a hijacked domain name can be an infringement.
Application in typical BSI Client ISMS: Sales and marketing departments. Any client organization (perhaps especially e-commerce) registering domain names or protecting its trademark from being confused with similar domain names. (Protection may be limited because many businesses have similar names.)

Statute: Electronic Communications Act 2000
Natural Justice Principle: The purpose of the Electronic Communications Act is to support the development of electronic commerce by making the electronic networks upon which e-commerce relies secure and trusted. To this end it deals with:
• encryption (to facilitate communications that are safe from interception, and the authentication of parties to the communication),
• the interpretation of contract law as it applies to electronic contracts,
• electronic signatures,
• and changes to the telecommunications licensing regime.
Application in typical BSI Client ISMS: Any client that is concerned with e-commerce, whether as a customer, supplier or support service.

Statute: Defamation Act 1996
Natural Justice Principle: Defamation is the making of untrue and unwarranted statements about an individual that would lower that person’s standing in the eyes of right-thinking members of society (a moving definition depending on changing mores). When written (as in e-mails and on websites or discussion boards) it’s libel; when verbal, it’s slander; in the workplace it can be harassment. UK libel laws are notoriously strict.
Application in typical BSI Client ISMS: Clients operating e-mail systems or websites: since individuals tend to have little money, aggrieved people may take their employer, ISP or web publishing service to Court for compensation. Companies might monitor e-mails and websites (discussion boards) for defamation (or, internally, harassment) and take appropriate action. Information security implications include the continued availability of the website and discussion forum (some have been closed down by libel actions) and the monitoring of e-mails without infringing the right to individual privacy.