If you have been working in information security for a while, you probably know that ISO 27001 recently underwent a significant facelift. We moved from the familiar 2013 version to the 2022 iteration. While the core management system requirements (the clauses) stayed relatively stable, the Annex A controls, the “bread and butter” of security implementation, were completely restructured: 114 controls in 14 domains became 93 controls in four themes. One of the more important shifts involves how we handle legal and contractual obligations, now found under Annex A 5.31.
The Shift from 18.1.1 to 5.31
In ISO 27001:2013, legal and contractual compliance was tucked away in domain 18 (Compliance). Specifically, Control 18.1.1 covered the identification of applicable legislation and contractual requirements. It was often treated as a “compliance checkbox” at the end of the manual.
In the 2022 update, this has become Control 5.31: Legal, Statutory, Regulatory and Contractual Requirements. By placing it in Theme 5 (Organisational Controls), the standard's authors are sending a clear message: managing your legal obligations is not just a technical or IT task; it is a fundamental organisational requirement. According to experts at Hightable.io, this move emphasises that compliance should be integrated into the fabric of business operations rather than being a standalone annual review.
What is New in Annex A 5.31?
At first glance, the objective remains the same: identify the rules you need to follow and make sure you follow them. However, the 2022 version takes a more streamlined and holistic approach. In 2013 the topic was spread across several sub-controls under 18.1; the 2022 version merges 18.1.1 (identification of applicable legislation and contractual requirements) with 18.1.5 (regulation of cryptographic controls) into 5.31, while the remaining 18.1 sub-controls survive as separate 2022 controls (for example, 18.1.2 intellectual property rights became 5.32, 18.1.3 protection of records became 5.33 and 18.1.4 privacy and protection of PII became 5.34).
This means that when you look at Annex A 5.31, you are not just looking at a list of laws. You are looking at a requirement to identify, document and keep up to date every legal, statutory, regulatory and contractual obligation relevant to information security, and the approach you take to meet each one. It covers everything from GDPR and industry-specific regulations to the specific security clauses in your client contracts and Service Level Agreements (SLAs), as well as any legal restrictions on the cryptography you use or export.
The Role of the “Interested Party”
One of the subtle but powerful changes in the 2022 version is the alignment with Clause 4, “Context of the Organisation.” Annex A 5.31 now leans more heavily on the needs and expectations of interested parties. You are no longer identifying laws only because the government says so; you are identifying them because your stakeholders – customers, partners and regulators – expect a specific level of compliance before they trust your brand.
Hightable.io highlights that the 2022 version requires a more dynamic approach. Because the legal landscape changes so fast (think AI regulations or evolving privacy laws), your process for Annex A 5.31 must be “evergreen.” You need a defined owner who regularly monitors for changes in legislation and contracts, records the date of each review, and feeds the outcome back into your risk assessment and Statement of Applicability (SoA) so both remain accurate.
Practical Differences in Implementation
Under the 2013 version, many organisations got away with a simple spreadsheet that they updated once a year before the audit. For ISO 27001:2022, the expectation for Annex A 5.31 is more robust. You need to demonstrate how each requirement translates into actual technical or organisational controls, and the auditor will look for that traceability. For example, if a contract says you must encrypt customer data at rest, the register entry for that clause should link directly to your cryptography policy, to the Annex A control that implements it (8.24, Use of cryptography) and to evidence of the technical implementation.
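To make the “evergreen register with an owner and traceability to controls” concrete, here is an added example of a minimal obligations register and the checks an owner would run against it before each review cycle. It is not code from the original article or from Hightable.io; the register entries, the contract clause reference and the 90-day review horizon are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Obligation:
    """One row of the Annex A 5.31 register (fields are our own assumptions)."""
    ref: str                  # register entry id, e.g. OBL-001
    source: str               # the law, regulation or contract it comes from
    requirement: str          # the specific information security obligation
    owner: str                # accountable person or role; "" if unassigned
    next_review: date         # when the owner must re-check the source for changes
    linked_controls: list[str]  # Annex A controls / policies that implement it


# Constructed sample register; sources and clause numbers are illustrative only.
SAMPLE_REGISTER = [
    Obligation(
        ref="OBL-001",
        source="GDPR Article 32",
        requirement="Implement appropriate technical and organisational measures",
        owner="Data Protection Officer",
        next_review=date(2025, 9, 30),
        linked_controls=["A.8.24 Use of cryptography", "Cryptography policy"],
    ),
    Obligation(
        ref="OBL-002",
        source="Client MSA clause 12.3 (hypothetical)",
        requirement="Encrypt customer data at rest",
        owner="",  # nobody accountable yet
        next_review=date(2025, 5, 1),
        linked_controls=["A.8.24 Use of cryptography"],
    ),
    Obligation(
        ref="OBL-003",
        source="Export control rules on cryptographic products (hypothetical)",
        requirement="Check export restrictions before shipping crypto to new regions",
        owner="Legal",
        next_review=date(2024, 1, 1),  # already in the past
        linked_controls=[],  # no control or policy behind it
    ),
]

REVIEW_HORIZON = timedelta(days=90)


def audit_register(register: list[Obligation], today: date) -> list[tuple[str, str]]:
    """Return (ref, finding) pairs for entries that fail the evergreen checks.

    Checks, in order per entry: an accountable owner exists, the review date has
    not lapsed, the review is not due within the horizon, and the obligation is
    traceable to at least one control or policy.
    """
    findings: list[tuple[str, str]] = []
    for ob in register:
        if not ob.owner.strip():
            findings.append((ob.ref, "no owner assigned"))
        if ob.next_review < today:
            findings.append((ob.ref, "review overdue"))
        elif ob.next_review - today <= REVIEW_HORIZON:
            findings.append((ob.ref, f"review due within {REVIEW_HORIZON.days} days"))
        if not ob.linked_controls:
            findings.append((ob.ref, "no linked control"))
    return findings


def controls_missing_from_soa(register: list[Obligation], soa_controls: set[str]) -> set[str]:
    """Controls the register relies on that the Statement of Applicability does not list."""
    referenced = {c for ob in register for c in ob.linked_controls if c.startswith("A.")}
    return referenced - soa_controls


if __name__ == "__main__":
    for ref, finding in audit_register(SAMPLE_REGISTER, date(2025, 3, 1)):
        print(f"{ref}: {finding}")
```

Run as a script, this prints the entries an auditor would ask about: an obligation with nobody accountable, a review that has already lapsed, and a contractual requirement with no control behind it. `controls_missing_from_soa` is the cross-check in the other direction: if the register cites a control that your SoA marks as not applicable, one of the two documents is wrong.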
The 2022 revision also introduces “attributes.” These are metadata tags assigned to each control in ISO/IEC 27002:2022, the companion implementation guidance. For 5.31 they include the operational capability “Legal_and_compliance” and the security domain “Governance_and_Ecosystem,” which help organisations group and filter their controls in different views, making it easier to report to the board and to external auditors.

Why Does This Change Matter?
The transition to ISO 27001:2022 Annex A 5.31 reflects the reality of the modern business world. We are no longer just protecting a server in a room; we are managing complex webs of data that cross international borders and multiple legal jurisdictions. By consolidating these requirements into a single, high-level organisational control, the standard makes it easier for companies to see the “big picture” of their compliance posture.
If you are currently transitioning from the 2013 to the 2022 version, your first step for Annex A 5.31 should be a thorough gap analysis. Review your old 18.1 list and cross-reference it with your current contracts and the latest regional laws. As the team at Hightable.io notes, staying ahead of these requirements does not just pass an audit; it builds a foundation of trust that can be a genuine competitive advantage in the marketplace.
