ISO 27001 Annex A.18: Compliance

As an international standard, ISO 27001 requires organisations to identify the laws and regulations that apply to their ISMS scope.

A.18.1 External compliance

A.18.1.1 Identification of applicable legislation and contractual requirements

Your organisation must maintain adequate documentation of all legislation and regulatory measures that affect its business and ISMS scope. Part of that maintenance involves staying current with updates to these applicable laws and requirements.

You should speak with the legal department or a legal consultant to confirm which laws apply to your firm. The criteria for identifying the legislation and contractual terms that apply to your business include:

  • the location of your company: you are expected to adhere to the laws governing your jurisdiction
  • the nature of your organisation: whether you are a non-profit institution, medical centre, financial firm, government-owned body, etc.
  • the type of information processed in your organisation: for example, medical centres operate under doctor-patient confidentiality clauses, which would not apply to a bank

A.18.1.2 Intellectual property rights

An organisation must comply with all standards and legal rights associated with the intellectual property and software products used in its activities. All licensed software used within your firm must be continually audited and reviewed for IPR compliance.

Apart from respecting the rights of other entities, your firm should see to it that third parties adhere to the laws protecting your own intellectual property. This is where you can implement confidentiality agreements between your business and prospective clients, employees and stakeholders. Your auditor will ask you to submit records of all the licences that permit you to use the various software and products in your work.

A.18.1.3 Protection of records

The nature of your records will determine which methods are best for protecting them against loss, damage, corruption, unauthorised user access and unsolicited disclosure. The method you choose must comply with the terms of appropriate legislation or contractual requirements.

Always keep an eye out for terms that specify how long you may retain certain records. Poor handling and storage of files can also result in their damage or destruction, so the particulars of every record type should be understood so that authorised personnel can implement the correct protective measures.

A.18.1.4 Privacy and protection of personally identifiable information

All personally identifiable information is considered highly confidential under many levels of legislation (e.g. GDPR), and the ISO requirements respect these stipulations.

As such, ISO 27001 requires you to apply relevant controls to protect this sensitive data. Each staff member and stakeholder is individually responsible for protecting the information of persons engaged in business with their company, so keep evidence of this process for your audits.

A.18.1.5 Regulation of cryptographic controls

Cryptographic laws and regulations apply to all devices and networks that use encryption. Transport regulations may also apply where keys are used in locations outside the company's own jurisdiction. Provisions for the applicable regulatory requirements, as well as the transport requirements, must be made and documented by your firm.

A.18.2 Internal compliance

A.18.2.1 Independent review of information security

Best practice encourages companies to carry out regular (e.g. annual) independent reviews of all information security policies and controls in order to improve their systems; independent assessments are mandatory.

Reviews must follow a formal schedule, consider the current risks and vulnerabilities relevant to the organisation, and seek out new ways of mitigating them. A report of every review and its findings must be included in your documentation during an audit.

A.18.2.2 Compliance with security policies and standards

Reviews should also be performed on a departmental scale. The CISO and the respective heads of department should perform planned checks of their systems' performance. This ensures that staff still comply with the policies and standards expected of them in the ISMS. If a review reveals any non-compliance issues, the department head must log the results and suggest relevant corrective actions to improve these areas.

To address a non-compliance issue, the responsible parties need to determine the root cause and frequency of the problem before resolving it. In most cases, this can be corrected with appropriate documentation updates and training forums to educate or re-educate users on

A.18.2.3 Technical compliance review

All information systems and networks must be assessed for compliance with the organisation's ISMS standards and policies. The most convenient method of performing these reviews is the use of automated systems. Only authorised personnel may be granted access to these compliance testing systems, which include vulnerability scanning and penetration testing tools.
