ISO 27001 Annex A 5.31, Legal, Statutory, Regulatory and Contractual Requirements, asks you to identify the external laws, regulations and contractual obligations that apply to your information security and then make sure you comply with them. It specifically deals with the legal and contractual requirements that dictate how you must protect and handle information.
What is ISO 27001 Annex A 5.31?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 standard, the control is titled “Legal, statutory, regulatory and contractual requirements”.
What is the ISO 27001 Annex A 5.31 control objective?
The formal definition and control objective in the standard is: “Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation’s approach to meet these requirements should be identified, documented and kept up to date.”
What is the purpose of ISO 27001 Annex A 5.31?
The purpose of ISO 27001 Annex A 5.31 is “to ensure you comply with legal, statutory, regulatory and contractual requirements related to information security.”
Is ISO 27001 Annex A 5.31 Mandatory?
ISO 27001 Annex A control 5.31 (Legal, statutory, regulatory and contractual requirements in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.31 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.
Key Parts of the Rule
To follow this control, you need clear plans and policies. The starting point is this:
- Identify and document the information security requirements that come from any laws, government regulations or contracts that apply to you.
Five Things to Remember
You should think about these outside requirements when you do the following:
- Create your rules and steps for information security.
- Make or change your security tools.
- Sort your information and important items.
- Check for and manage risks.
- Deal with your suppliers and their contracts.
Rules About Laws and Government Regulations
You should keep a list of your required laws and rules in a document called an ISO 27001 Legal Register.
You should identify all the laws and regulations that apply to you and record them in the register. This way, you know what you must do and how each requirement affects you.
It is smart to ask for help from a lawyer to make this list.
This can be hard because you must think about the rules for all the places you work. This includes moving information across borders, where other countries’ laws might apply to you.
Rules About Cryptography
It is a good idea to get a lawyer’s help with everything covered by this control, including cryptography. The laws on cryptography can be very specific.
The lawyer will check for any restrictions on importing cryptographic tools into or exporting them from a country, as well as restrictions on how you use them.
A key thing to remember is that some countries require that authorities be able to access encrypted information held within their borders.
In short, you should ask a lawyer for advice.
Rules About Contracts
Which contracts might have rules that change how you set up your information security? There are many, but they will include:
- Contracts with the companies that supply things to you.
- Contracts with the people you do business with.
- Contracts with your insurance company.
- Contracts with people who invest money in you.
The rules for supplier contracts are talked about in ISO 27001 Annex A 5.20.