
Legal, statutory, regulatory and contractual requirements

Annex A control 5.31 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 18.1.1 and Annex A 18.1.5

Every business has its obligations. From legal and contractual matters to industry regulations, these significant factors have a clear impact on an organisation’s information security responsibilities. Being ready to modify information security measures to ensure reliable data handling is a key part of managing business responsibilities.

Although it doesn’t list any specific obligations or method for drafting contracts, Annex 5.31 focuses on what organisations need to consider from an information security standpoint.

Understanding control 5.31

Legal, statutory, regulatory and contractual obligations must be considered when drafting or amending information security procedures and policies, as well as when designing, altering, or executing IS controls.

When assessing broader data security needs, organisations must categorise their information security. Obligations must also be considered when carrying out risk assessments related to data security activities, and when determining the nature of supplier relationships.

Guidance: legislation and regulations

Internal procedures and roles must be clearly outlined and recorded to allow organisations to identify, analyse, and comply with their legal and regulatory requirements.

Organisations must remain compliant with all legal and regulatory requirements in every nation they operate in, as well as with those that apply to any services and products sourced from outside the country.

Guidance: cryptography

Cryptography encodes information and communications in order to protect them from threat actors, and from anyone who simply lacks the necessary access privileges. To practise cryptography effectively, organisations need to be aware of the following directives:

  • Legislation that restricts the use of cryptographic functions
  • Laws governing cryptographic software and hardware dedicated to cryptographic functions
  • The accuracy and reliability of the fundamental digital components of encrypted data: seals, signatures, and certificates
  • The powers of any regional or national authorities to demand and enforce access to encrypted information

Guidance: contractual

Annex 5.31 stipulates that organisations need to carefully consider their information security responsibilities when authorising or creating legally binding contracts with vendors, providers, or customers, including insurance policies and contracts. Annex A control 5.20 in the 2022 version of the standard offers additional support and guidance regarding supplier contracts.

What has changed since 2013?

Replacing 2013’s controls 18.1.1 (identification of applicable legislation and contractual requirements) and 18.1.5 (regulation of cryptographic controls), this control in the 2022 version of the standard covers compliance with legislative, regulatory and cryptographic standards, while also offering general advice and going into greater detail on meeting legislation and regulations.

While it includes some of the same underlying points as the 2013 controls, Annex 5.31 goes further by requiring organisations to consider software and hardware that may perform cryptographic functions.