ISMS certification is a voluntary certification and not a substitute for compliance with legal requirements. Compliance with ISO 27001 does not in itself confer immunity from legal obligations.
The maintenance and evaluation of legal and regulatory compliance is the responsibility of the client organization.
The certification body shall restrict itself to checks and samples in order to establish confidence that the ISMS functions in this regard.
The certification body shall verify that the client organization has a management system to achieve legal and regulatory compliance applicable to the information security risks and impacts.