ISO 27001: 2022 A.5.31 Legal, statutory, regulatory and contractual requirements

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.31 Legal, statutory, regulatory and contractual requirements.

ISO 27001: 2022 Control Description

Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation’s approach to meet these requirements shall be identified, documented and kept up to date.

Purpose

To ensure compliance with legal, statutory, regulatory, and contractual requirements related to information security.

Guidance on implementation

External requirements, including legal, statutory, regulatory, or contractual obligations, should be considered when:

a) developing information security policies and procedures;

b) designing, implementing, or modifying information security controls;

c) classifying information and other associated assets as part of the process for setting information security requirements for internal needs or supplier agreements;

d) conducting information security risk assessments and determining information security risk treatment activities;

e) establishing processes along with related roles and responsibilities concerning information security;

f) determining suppliers’ contractual requirements relevant to the organisation and the scope of supply of products and services.

Legislation and Regulations

The organisation should:

a) identify all legislation and regulations relevant to the organisation’s information security to be aware of the requirements applicable to their type of business;

b) consider compliance in all relevant countries, particularly if the organisation:

— conducts business in other countries;

— uses products and services from other countries where laws and regulations may affect the organisation;

— transfers information across jurisdictional borders where laws and regulations may impact the organisation;

c) regularly review the identified legislation and regulations to stay updated with changes and to identify new legislation;

d) define and document specific processes and individual responsibilities to meet these requirements.

Cryptography

Cryptography is an area that often has specific legal requirements. Compliance with relevant agreements, laws, and regulations concerning the following items should be considered:

a) restrictions on the import or export of computer hardware and software for performing cryptographic functions;

b) restrictions on the import or export of computer hardware and software designed to have cryptographic functions added to it;

c) restrictions on the use of cryptography;

d) mandatory or discretionary methods of access by the authorities to encrypted information;

e) the validity of digital signatures, seals, and certificates.

It is recommended to seek legal advice to ensure compliance with relevant legislation and regulations, especially when encrypted information or cryptography tools are moved across jurisdictional borders.

Contracts

Contractual requirements related to information security should include those stated in:

a) contracts with clients;

b) contracts with suppliers (see A.5.20);

c) insurance contracts.