top of page

ISO27001:2022 - A5.31 – Identification of legal, statutory, regulatory and contractual requirements

Implementing ISO27001 isn’t for everyone, but when businesses like yours decide to do it, it’s rarely for fun! Yes, they may see it as a way to curb the growing rise of cyberattacks and data breaches, or because it’s the right thing to do.


But normally, there’s a more pressing and obvious reason, and this control speaks directly to that need.


What does the standard require?

The standard states that “Legal, statutory, regulatory and contractual requirements relevant to information security and the organisations approach to meet these requirements shall be identified, documented and kept up to date..” (A5.31 – Identification of legal, statutory, regulatory and contractual requirements).


Why is this required?

As a business you need to comply with legal, statutory, regulatory and contractual requirements that are placed upon you, from government, clients and suppliers. Breaching these laws or requirements can land you in hot water of varying depths, from a simple ‘breach of contract’, through to the very worse case of landing in court or prison!


This control expects you to understand the legal, regulatory and contractual landscape to ensure this doesn’t happen. 


For example the General Data Protection Regulation (GDPR) has principles and articles which relate specifically to information security and data protection.  For example, Article 32 (Security of Processing) establishes the obligation to implement appropriate technical and organizational measures to ensure security. Article 33 (Notification of a personal data breach to the supervisory authority) requires businesses (or data controllers) to report data breaches to supervisory authorities and, in certain cases, to data subjects and Article 34 (Communication of a Personal Data Breach to the Data Subject) specifies the conditions under which data subjects must be notified of a personal data breach.


Contracts with clients may have similar requirements, such as expecting you to notify them of a breach within a defined period of time. If they are the controller, and you are processing data on their behalf, then their need could be driven by the GDPR articles noted above. 


Without identifying these requirements you are implementing security controls without truly understanding the need. This is a powerful control because it’s a great way to gain support for your compliance programme, because it spotlights the reasons for implementing ISO27001, to your senior leadership team.


What the auditor is looking for

The control states that these requirements will be identified, documented and kept up to date, so the auditor will firstly be looking for a list of legal and contractual requirements. This will need to explain how you meet these requirements, so be sure to explain what is required, and how you address that need.


The auditor will also want to know how you identified these requirements, and how you maintain the list. This might be included within your audit schedule and within meeting minutes, where you discuss specific contracts.  Audit reports and incidents may also evidence how these requirements have been met (or broken).


Finally, you can evidence this to the auditor through the ongoing monitoring and tracking of your objectives.


What do you need to do?

Create a Legal Register where you will list the legal, regulatory and contractual requirements your business needs to comply with.  This will include details of how you comply with the requirement, and perhaps a link to the requirement.


Speak to your business leaders about what requirements your business must comply with, and this should also include speaking to clients, suppliers and insurers.  This is especially important if you have Cyber insurance in place, as there will most certainly be a number of contract clauses which stipulate how information security is addressed.


Special care should also be taken when using encryption, as there may be some rules governing the use of specific cryptographic controls. This is especially important when looking at international transfers of data, where certain types of encryption would not be permitted. However, if you keep to standard tools which use encryption, such as Amazon, Microsoft etc then you shouldn’t go far wrong.


As ever, a word of caution; Don’t over complicate this. You don’t need to have every contract listed here. Keep it high-level, but be specific if there is a particular client that has a particular need.  For example, if a client requires that all their data is transferred to them via a specific medium (e.g. on an encrypted drive), then this should be noted in your register.


Add the review of legal requirements to you audit schedule, so that you can be sure that any changes in laws are not missed. This is why controls, such as A5.7 – Threat Intelligence, and A5.6 Contact with special interest groups are important, as they will ensure you’re aware of any changes that might impact your legal or regulatory needs.


Q & A

Do I need to include all laws and regulations?

No. Some auditors may expect to see a long list of all laws that a business needs to comply with, but note the control specifically states it expects to see the requirements relevant to information security. Therefore, keep your list specifically related to legal and regulatory requirements related to information security.


Keep in mind that the more you include in this list, you will need to audit against, because you need to be able to evidence compliance with the requirement. Therefore if you include information on Tax, then you’re going to have to audit against this legal requirement and evidence compliance.  That is outside the remit of this standard, and most likely outside your skill set.


Difficulty rating

We rate this a 2 out of 5 difficulty rating. This control requires no real technical skill, but does require you to review contracts and relevant laws to understand what is required.  This may include discussions with your business, but certainly with the team who help you put your contracts together.  If you have a legal representative, this may be a littler easier.


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.


For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”which is available on Amazon.



10 views0 comments


bottom of page