Table 4. Contextual knowledge in Requirements – internal and external requirements are exemplified

| Contextual knowledge documented | Explanation |
|---|---|
| External requirements | Requirements from an external source |
| – Privacy laws and regulations | National and/or international laws regulating privacy in some sense |
| – – NIS-2 | EU law enforcing cybersecurity measures and incident reporting for essential and important service providers |
| – – GDPR | EU regulation governing data protection and privacy, giving individuals control over their personal data |
| – – Public access to information | Laws and regulations regulating public access to official documents while protecting sensitive information |
| – Sector-specific laws and regulations | National and/or international laws and regulations regulating sector-specific requirements |
| – – Patient data laws and regulations | Laws and regulations managing and protecting patient journal information, ensuring traceability and secure handling of patient data |
| – Archiving laws and regulations | National and international laws and regulations that dictate the retention and management of records |
| – – Archives act | Dictates the preservation and management of public records for long-term archiving |
| – – Public records act | Governs transparency and archiving of public documents to maintain public access |
| – IT provider agreements | Statement on how the information asset can be handled in relation to external providers of IT services to the organisation. An example of this is service level agreements (SLAs) |
| Internal requirements | Requirements from an internal source |
| – Internal policies | Policies stemming from within the organisation, such as ones touching on organisational privacy, information security and data retention. An example affecting the classification could be certain access-control requirements for particular assets |
| – Disaster recovery plan | Strategy for restoring systems and data after disruptions to ensure business continuity. This can affect, for example, storage requirements and, in turn, the classification of identified assets |
| – Information management plan | Internal guidelines on structuring, storing and managing information efficiently. This can affect the classification level by, for example, limiting the use of certain identified assets |

Source(s): Authors' own work
