The system must comply with the legal requirements of the jurisdiction to which it is subject.
GDPR. Recital 45: Fulfillment of legal obligations: Where processing is carried out in accordance with a legal obligation to which the controller is subject, the processing should have a basis in Union or Member State law.
ISO 27001:2013. Annex A - 18.1.2: Implement appropriate processes to ensure compliance with legal, regulatory and contractual requirements related with intellectual property rights and the use of patented software products.
ISO 27001:2013. Annex A - 18.1.3: Protect records against loss, destruction, forgery, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements.
ISO 27001:2013. Annex A - 18.1.4: When applicable, guarantee the privacy and security of personal information, as required by the relevant legislation and regulations.
ISO 27001:2013. Annex A - 18.1.5: Use cryptographic mechanisms as required by the relevant legislation and regulations.
OWASP-ASVS v4.0.1 V1.5 Input and Output Architectural Requirements.(1.5.1): Verify that input and output requirements clearly define how to handle and process data based on type, content and applicable laws, regulations, and other policy compliance.
OWASP-ASVS v4.0.1 V6.1 Data Classification.(6.1.1): Verify that regulated private data is stored encrypted while at rest, such as personally identifiable information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR.
OWASP-ASVS v4.0.1 V7.1 Log Content Requirements.(1.7.2): Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.4): Verify that all sensitive data created and processed by the application has been identified, and ensure that a policy is in place on how to deal with sensitive data.