This article provides additional information on how you can meet the requirement for ISO 27001:2022 A.5.31 Legal, statutory, regulatory and contractual requirements.
ISO 27001:2022 Control Description
Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation’s approach to meet these requirements shall be identified, documented and kept up to date.
Purpose
To ensure compliance with legal, statutory, regulatory, and contractual requirements related to information security.
Guidance on implementation
External requirements, including legal, statutory, regulatory, or contractual obligations, should be considered when:
a) developing information security policies and procedures;
b) designing, implementing, or modifying information security controls;
c) classifying information and other associated assets as part of the process for setting information security requirements for internal needs or supplier agreements;
d) conducting information security risk assessments and determining information security risk treatment activities;
e) establishing processes along with related roles and responsibilities concerning information security;
f) determining suppliers’ contractual requirements relevant to the organisation and the scope of supply of products and services.
Legislation and Regulations
The organisation should:
a) identify all legislation and regulations relevant to the organisation's information security so that it is aware of the requirements applicable to its type of business;
b) consider compliance in all relevant countries, particularly if the organisation:
— conducts business in other countries;
— uses products and services from other countries where laws and regulations may affect the organisation;
— transfers information across jurisdictional borders where laws and regulations may affect the organisation;
c) regularly review the identified legislation and regulations to stay updated with changes and to identify new legislation;
d) define and document specific processes and individual responsibilities to meet these requirements.
Cryptography
Cryptography is an area that often has specific legal requirements. Compliance with relevant agreements, laws, and regulations concerning the following items should be considered:
a) restrictions on the import or export of computer hardware and software for performing cryptographic functions;
b) restrictions on the import or export of computer hardware and software designed to have cryptographic functions added to it;
c) restrictions on the use of cryptography;
d) mandatory or discretionary methods of access by the authorities to encrypted information;
e) the validity of digital signatures, seals, and certificates.
It is recommended to seek legal advice to ensure compliance with relevant legislation and regulations, especially when encrypted information or cryptography tools are moved across jurisdictional borders.
Contracts
Contractual requirements related to information security should include those stated in:
a) contracts with clients;
b) contracts with suppliers (see A.5.20);
c) insurance contracts.