ISO 27001 Annex A.18: Compliance
As an international standard, ISO 27001 requires organisations to identify the laws and regulations that apply within the scope of their ISMS.
A.18.1 External compliance
A.18.1.1 Identification of applicable legislation and contractual requirements
Your organisation must maintain adequate documentation of all legislation and regulatory measures that affect its business and ISMS scope. Part of that maintenance involves staying current with recent updates to these abiding laws and requirements.
You should speak with the legal department or legal consultant to confirm which laws apply to your firm. The criteria for identifying applicable legislation and terms for your business include:
- the location of your company: you are expected to adhere to the laws of the jurisdiction in which it operates
- the nature of your organisation: whether you are a non-profit institution, medical centre, financial firm, government-owned body, etc.
- the type of information processed in your organisation: for example, medical centres operate under doctor-patient confidentiality clauses, which would not apply to a bank
A.18.1.2 Intellectual property rights
An organisation must comply with all standards and legal rights associated with the intellectual property and software products used in its activities. All licensed software used within your firm must be continually audited and reviewed for IPR compliance.
Apart from respecting the rights of other entities, your firm should see to it that third parties adhere to the laws protecting your own intellectual property. This is where you can implement confidentiality agreements between your business and prospective clients, employees and stakeholders. Your auditor will ask you to submit records of all the licences permitting you to use the software and products you rely on for your work.
A.18.1.3 Protection of records
The nature of your records will determine which methods are best for protecting them against loss, damage, corruption, unauthorised user access and unsolicited disclosure. The method you choose must comply with the terms of appropriate legislation or contractual requirements.
Always keep an eye out for terms that specify how long you may retain certain records. Poor handling and storage can also damage or destroy records, so the particulars of each record type should be understood well enough that authorised personnel can implement the correct protective measures.
A.18.1.4 Privacy and protection of personally identifiable information
All personally identifiable information is treated as highly confidential under many levels of legislation (e.g. GDPR), and the ISO requirements respect these stipulations.
As such, ISO 27001 requires you to apply relevant controls to protect this sensitive data. Each staff member and stakeholder is individually responsible for protecting the information of persons engaged in business with the company, so keep evidence of this process for your audits.
A.18.1.5 Regulation of cryptographic controls
Cryptographic laws and regulations apply to all devices and networks that use encryption, and transport regulations may apply where cryptographic keys are used in locations outside the company's own jurisdiction. Your firm must make and document provisions for the applicable regulatory requirements as well as these transport requirements.
A.18.2 Internal Compliance
A.18.2.1 Independent review of information security
Best practice encourages companies to carry out regular (for example annual) independent reviews of all information security policies and controls in order to improve their systems; such independent assessments are mandatory.
Reviews must follow a formal schedule, consider the current risks and vulnerabilities relevant to the organisation, and seek out new ways of mitigating them. A report of every review and its findings must be included in your documentation during an audit.
A.18.2.2 Compliance with security policies and standards
Compliance reviews should also be performed on a departmental scale. The CISO and the respective heads of department should perform planned checks of their systems' performance. This ensures that staff still comply with the policies and standards expected of them under the ISMS. If a review reveals any non-compliance with the system, the head of department must log the results and suggest relevant corrective actions to improve these areas.
To address a non-compliance issue, the responsible parties need to determine the root cause and frequency of the problem before resolving it. In most cases, this can be corrected with appropriate documentation updates and training forums to educate or re-educate users on
A.18.2.3 Technical compliance review
Information systems and networks must all be assessed for compliance with the organisation's ISMS standards and policies. The most convenient method of performing these reviews is the use of automated systems. Only authorised personnel may be granted access to these compliance testing systems, which include vulnerability scanning and penetration testing.