The basics
Control A.5.31 Legal, statutory, regulatory and contractual requirements requires companies to identify, document, and keep up to date the legal, statutory, regulatory, and contractual requirements that apply to them, so that the organization can comply with those requirements.
Documentation
ISO 27001 control A.5.31 Legal, statutory, regulatory and contractual requirements can be documented:
- through a List of Legal, Regulatory, Contractual, and Other Requirements
- on top of this, larger companies might write a Procedure for Identification of Security Requirements.
This control must be documented.
Implementation
In order to comply with control A.5.31 Legal, statutory, regulatory and contractual requirements you might implement the following:
- Technology — the technology to enable the management of legal, statutory, regulatory, and contractual requirements may include an electronic spreadsheet for small organizations or specialized compliance software for bigger organizations.
- Organization/processes — you should set up a process for identifying, documenting, and keeping the information about requirements up to date, as well as to define the approach to comply with the requirements. You can document those processes through a Procedure for Identification of Security Requirements, and list security requirements through a List of Legal, Regulatory, Contractual, and Other Requirements.
- People — make employees aware of why managing legal, statutory, regulatory, and contractual requirements is needed, and train them on how to identify and document them.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.31 Legal, statutory, regulatory and contractual requirements: whether the relevant requirements for information security are identified, documented, and kept up to date.