This paper describes the problem of determining whether plans for a population genetic database in Iceland met statutory information security requirements. It discusses the approach taken by the relevant governmental authority, which involved employing technical standards to solve the problem. By examining the background to the project, and the main challenges it faced, the paper aims to draw out insights and lessons to inform the way in which future projects are designed and governed. It reflects critically on the results of trying to meet legal requirements for information security by using technical information security standards. Particular attention is given to the founding legislation of the project, and the court case that eventually found that legislation to be unconstitutional.