It has been clear from the onset that the purpose of this section is not merely to provide an overview of formal legislative sources (such as directives, regulations, national laws with an international impact, etc.) with some relevance to RM/RA. Indeed, as was already noted above, the practices of corporate governance are not limited to such formally binding legal texts, but are increasingly dominated by private sector norms which provide guidance on how specific service providers are to meet their RM/RA obligations in practice.
While such standards are typically not legally binding, in many countries and in many sectors service providers risk liability when any damages result from disregarding them, on the grounds that ignoring established and well documented good practices is to be considered negligent conduct. Thus, in practice, certain codes of good practices/guidelines/generally accepted principles have attained the status of near-legal requirements or of informally codified customs of sound governance, which are equally significant to service providers as binding legislations. For this reason, the scope of the section is said to be ‘normative texts’, rather than ‘legislative’ or ‘regulatory texts’, which would suggest a limitation to formal sources of law.
For this same reason, it is also clear that this section cannot restrict its attention to purely European normative initiatives. In today’s increasingly expanding business market, the reality is that non-European initiatives (either international initiatives or national initiatives with an international impact) can be equally influential in RM/RA auditing practices as European norms. For all intents and purposes, such norms can be essential as a yardstick to measure the adequacy of corporate policies, and for this reason such documents will be included here as well.
Thus, to ensure the usability and validity of the section, this test should also be the final criterion to determine the relevance of any given normative text to the section: its value in assessing and measuring the adequacy of RM/RA practices and policies. The section will therefore include any influential text in the field of RM/RA which a suitably qualified auditor might rely upon to accept or criticise RM/RA practices and policies in the field of information/network security.
As a logical consequence of this criterion, the study excludes from its scope any document of which the principal goal is to state policy choices, without direct implications for specific parties other than calls for increased attention to RM/RA issues by public institutions.