Standards & governance
27 March 2025

ISO 27001 – A.5.31 – Legal, regulatory and contractual requirements


When we think of information security, we often think of encryption, firewalls or access management.

Yet one of the most common pitfalls for small businesses is ignoring their legal, regulatory and contractual obligations.


Ignoring them can have costly consequences. For example:

  • Fines (e.g. GDPR in Europe, PIPEDA in Canada, Bill 25 in Quebec).
  • Loss of customer confidence if we do not know which laws apply to us, or how to comply with them.
  • Exclusion from tenders.
  • Civil or even criminal liability for negligence.

Security control A.5.31 requires that legal, regulatory and contractual requirements relating to information security be identified, documented and kept up to date.

In practical terms, an organization cannot ignore the law or the contractual commitments it has made to its customers.

Here are some of the situations observed:

  • Signing a customer contract without reading the security appendices, resulting in unrealistic obligations such as 24/7 monitoring, even though the servers are hosted locally and nobody is watching them.
  • Collecting personal data without informing users, followed by an information leak.
  • Using US SaaS solutions when public sector customers require local hosting.

In concrete terms, what I observe all too regularly is that the company signs a contract and the customer’s security requirements are never passed on to the operations team.

These teams don’t have the information they need to comply with the rules.


Becoming compliant

How to comply

Step 1: Modify the policy or directive

Add a statement such as the following to the security policy: “The organization respects the laws of the countries in which it operates and takes the necessary steps to identify, assess and manage the resulting requirements.”

More specifically, add the following to the guidelines (directive):

“At least once a year, a review will be carried out of legal, regulatory and contractual requirements to identify any changes that affect the information risk assessment. This will include any updates to the associated list of information security controls that manage the identified information risks. This document will be updated to reflect the fact that this review has taken place.”

Step 2: Identify and monitor laws

Tools like Google Alerts can be configured to track legal news in different countries. For example, use a search such as “[Country name] privacy law”.

Ideally, a register of the countries in which the company is active should be maintained, together with a list of the laws that apply there.

Useful resources:

DLA Piper – Data Protection Laws of the World

IAPP Global Privacy Directory

Step 3: Monitor contracts and customer requirements

It is essential that the Chief Information Security Officer (CISO) has access, in a centralized and structured way, to all customer-specific contractual requirements relating to information security or protection.

Step 4: Create a register to document requirements

To be compliant, a simple Excel table may suffice, as long as it includes at least:

  • Customer name or country
  • Applicable law
  • Description, security clauses or special requirements (e.g. local hosting, external audit, specific encryption, etc.).
  • Contractual reference documents
  • The person responsible for implementation
  • The date of the last review and the date scheduled for the next review

It is also advisable to include a review of contracts by the security team or CISO before they are signed, or at least before operations begin.

This is when the CISO ensures that all requirements are understood, evaluated, accepted and communicated to the relevant teams.

If a law is deemed inapplicable, it is important to justify this decision. For example:

“Law X on banking information does not apply, as the company does not process any payments directly.”

It is important to keep a record of the analyses carried out, so as to be able to demonstrate them in the event of an audit or dispute.

In concrete terms, each review is recorded in the revision section of the register, for example:

“The last analysis took place on March 27, 2025 and, following this analysis, we can confirm that there are no new risks that should be added to the information risk assessment. There is no change to the likelihood or impact of any of the existing risks, and no changes to the Statement of Applicability have been required.”


Compliance is an evolving process. It is recommended to review the register at least once a year, or when a change occurs:

  • Expansion into a new market (e.g. entry into the European market).
  • Signature of a new contract with specific requirements.
  • Amendments to legislation (e.g. Quebec’s Bill 25).

Example of a validation checklist before launching a project:

  • Is the collection of personal data involved?
  • Are confidential data or sensitive metadata processed?
  • Does storage comply with contractual requirements?
  • Are there any retention or destruction obligations?
  • What other security measures are required for the project?

According to Thomson Reuters’ “Global Compliance Risk Benchmarking” report, 63% of SMEs with a structured compliance function avoided major sanctions in 2022 (source: https://legal.thomsonreuters.com/en/insights/articles/compliance-program-benchmarking-survey).

Gartner also notes that integrating legal requirements into risk assessments reduces non-compliance incidents by an average of 30% (source: https://www.gartner.com/en/articles/how-to-prepare-for-new-global-privacy-laws).

Common pitfalls to avoid

  • Treating it as a matter for the legal department alone. In fact, security, IT, operations and HR are all involved.
  • Believing that training is enough. Understanding requirements is one step; applying them through processes is another.
  • Settling for a generic policy. A non-customized ISO 27001 policy risks missing key requirements.
  • Reacting only during the audit period. Compliance is an ongoing process, not a one-off exercise.

As the expression reminds us, ignorance of the law is no excuse, or for the purists, in Latin: “Nemo censetur ignorare legem”.

Let me rephrase: “Ignorance of the law is no excuse for negligence. In information security, this reality is inescapable.”


Success Criteria

Here are some questions an auditor might ask to validate compliance with security measure A.5.31 of ISO 27001:2022:

  1. What legal and regulatory requirements must the organization meet in terms of information security?
  2. How do you keep track of them?
  3. In your list of requirements, have you included those of your customers, suppliers and subcontractors?
  4. Does the list of requirements include the laws of the countries in which you do business?


Patrick Boucher
President and founder
25+ years of experience in security, ethical hacking, business continuity