Hello, I'm a student at the University of Advancing Technology (UAT) and this week we've been learning about the Plan, Do, Check, Act methodology for implementing an information management security system. Our reading explains PDCA and how an organization should use it to obtain an ISO 27001 certification.
In our reading there was a note about possible conflicts across different national, state, and local laws and regulations. Does anyone have any knowledge or experience with how an organization handles this scenario? Which laws would take legal precedence? Is it case by case, a general rule of thumb, or a clear winner in all cases?