# ISO 27001 A.5.31: Legal, statutory, regulatory and contractual requirements

## What This Control Requires
Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements shall be identified, documented and kept up to date.
## In Plain Language
You cannot protect data properly if you do not know which laws and contracts apply to you. This control is about building and maintaining a clear picture of every legal, regulatory, and contractual obligation that touches your information security practices.
What applies to you depends on your industry, the jurisdictions you operate in, the types of data you handle, and what you have promised customers in contracts. Think GDPR, NIS2, PCI DSS, HIPAA, plus whatever security clauses your enterprise customers have negotiated into their agreements.
The tricky part is keeping up. Regulations change, new ones appear, and guidance evolves. Auditors will look for a systematic process that tracks these changes and feeds them back into your security controls - not just a one-off list that was created during initial certification and never touched again.
## How to Implement
Start with a thorough review to identify every applicable requirement. Get legal counsel and compliance teams involved. Consider data protection and privacy laws in every jurisdiction where you operate or process data, industry-specific regulations, intellectual property rules, employment laws around monitoring and privacy, sector-specific security requirements, and contractual obligations to customers and partners.
Build a legal and regulatory requirements register. For each entry, capture the specific law, regulation, or contract clause, the issuing authority, the applicable jurisdiction, the security requirements it imposes, the controls you have in place to address it, who owns it internally, and when it is next due for review.
Assign clear ownership for each regulatory area. Subscribe to legal update services, join industry compliance groups, schedule regular check-ins with legal counsel, and monitor regulatory authority publications. Set up a process so that when something changes, the impact on your ISMS is assessed promptly.
Map each regulatory requirement to the security controls that satisfy it. Make sure your statement of applicability and risk treatment plan cover every requirement in the register. Where there are gaps, build remediation plans with firm deadlines and named owners.
Run periodic compliance assessments as part of your internal audit programme to verify you are still meeting obligations. Document the results and address findings through corrective actions. Review the entire register at least annually, and immediately when significant regulatory changes land.
## Evidence Your Auditor Will Request
- Legal, statutory, regulatory, and contractual requirements register
- Mapping of requirements to information security controls
- Process documentation for monitoring regulatory changes
- Compliance assessment records showing verification against requirements
- Records of actions taken in response to new or changed requirements
## Common Mistakes

- No comprehensive register of applicable legal and regulatory requirements
- Multi-national organizations that identify requirements for their home jurisdiction only, missing those from other jurisdictions where they operate or process data
- No process for monitoring regulatory changes and assessing their impact on the ISMS
- Contractual security obligations to customers are not tracked systematically
- Compliance assessments are not conducted regularly against the identified requirements
## Related Controls Across Frameworks

| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC2.3 | Partial overlap |
| GDPR | Art. 5 | Related |
| GDPR | Art. 24 | Related |
| NIS2 | Art. 21 | Related |
## Frequently Asked Questions

- How do we keep track of changing regulations across multiple jurisdictions?
- Should contractual requirements be treated the same as legal requirements?