ISO 27001 A.5.31: Legal, statutory, regulatory and contractual requirements
What This Control Requires
Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements shall be identified, documented and kept up to date.
In Plain Language
You cannot protect data properly if you do not know which laws and contracts apply to you. This control is about building and maintaining a clear picture of every legal, regulatory, and contractual obligation that touches your information security practices.
What applies to you depends on your industry, the jurisdictions you operate in, the types of data you handle, and what you have promised customers in contracts. Think GDPR, NIS2, PCI DSS, HIPAA, plus whatever security clauses your enterprise customers have negotiated into their agreements.
The tricky part is keeping up. Regulations change, new ones appear, and guidance evolves. Auditors will look for a systematic process that tracks these changes and feeds them back into your security controls, not just a one-off list that was created during initial certification and never touched again.
How to Implement
Start with a thorough review to identify every applicable requirement, and involve legal counsel and compliance teams from the outset. Consider data protection and privacy laws in every jurisdiction where you operate or process data, industry-specific regulations, intellectual property rules, employment laws around monitoring and privacy, sector-specific security requirements, and contractual obligations to customers and partners.
Build a legal and regulatory requirements register. For each entry, capture the specific law, regulation, or contract clause, the issuing authority, the applicable jurisdiction, the security requirements it imposes, the controls you have in place to address it, who owns it internally, and when it is next due for review.
Assign clear ownership for each regulatory area. Subscribe to legal update services, join industry compliance groups, schedule regular check-ins with legal counsel, and monitor regulatory authority publications. Set up a process so that when something changes, the impact on your ISMS is assessed promptly.
Map your regulatory requirements to your security controls. Make sure your statement of applicability and risk treatment plan cover everything. Where there are gaps, build remediation plans with firm deadlines.
Run periodic compliance assessments as part of your internal audit programme to verify you are still meeting obligations. Document the results and address findings through corrective actions. Review the entire register at least annually, and immediately when significant regulatory changes land.
Evidence Your Auditor Will Request
- Legal, statutory, regulatory, and contractual requirements register
- Mapping of requirements to information security controls
- Process documentation for monitoring regulatory changes
- Compliance assessment records showing verification against requirements
- Records of actions taken in response to new or changed requirements
Common Mistakes
- No comprehensive register of applicable legal and regulatory requirements
- Multi-national organizations fail to identify the requirements of every jurisdiction they operate in
- No process for monitoring and assessing the impact of regulatory changes
- Contractual security obligations to customers are not tracked systematically
- Compliance assessments are not conducted regularly against identified requirements
Related Controls Across Frameworks
Frequently Asked Questions
How do we keep track of changing regulations across multiple jurisdictions?
Should contractual requirements be treated the same as legal requirements?