ISO 27001 Annex A 5.31

Know which laws apply to your information security - and how you meet them.

ISO 27001 Annex A 5.31 - Legal, Statutory, Regulatory and Contractual Requirements

The starting point is identification. The organisation needs to know which laws, regulations and contractual obligations apply to its information security activities. In the UK that typically includes UK GDPR and the Data Protection Act 2018, the Computer Misuse Act 1990, the Investigatory Powers Act 2016 and sector-specific regulation where applicable. Contractual obligations come from customer agreements, supplier agreements and any specific data sharing arrangements.

Identification has to be paired with implementation. Knowing the law applies is not the same as complying with it. The control asks for the organisation's approach to meeting each requirement to be documented, so there is a clear link between obligation, the controls in place and the evidence of compliance.

Legal landscapes change. New legislation, new regulatory guidance, court rulings and contract changes can all alter the requirements that apply. The control requires the identified requirements to be kept up to date, so the legal register should be reviewed at planned intervals to keep the picture current. Some organisations subscribe to legal update services; others rely on professional advice or sector forums. The mechanism matters less than the consistency.

The legal register is one of those documents that is often created at certification time and then forgotten. A useful legal register is owned by a named person, reviewed on a defined cycle, and updated when new legislation or guidance lands. If every review date on the register is two years old, that is an audit finding waiting to happen.

Practical Compliance Guidance

The legal register is described in the IMS1 manual at section 8.2, alongside the wider information security arrangements, and at section 4.1 on understanding internal and external factors. The legal register itself is a controlled document maintained on a defined review cycle.

alphaZ document - How to use it
ISO 27001 Toolkit - The full alphaZ ISO 27001 toolkit covering the manual, policies, procedures, registers and audit checklists.
F-IMS27 Legal Register - The legal register listing applicable legislation, regulators, the organisation's approach to compliance and the responsible owner. Maintain it on a defined review cycle and update it when new requirements arise.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

What should the legal register contain?
For each applicable requirement: the source legislation or regulation, the relevant regulator, a summary of what the requirement covers, the organisation's approach to compliance, the evidence of compliance, the responsible owner and the date last reviewed. Contractual requirements should sit alongside, or in a parallel register.

How often should the legal register be reviewed?
At least annually as a structured review, plus updates whenever new legislation, regulatory guidance or contractual changes affect the picture. Some sectors face frequent regulatory change and may benefit from more frequent reviews or a legal update service that flags changes as they occur.

Does the register need to cover legislation outside the UK?
Where the organisation operates internationally, processes data of individuals in other jurisdictions, or deals with regulators outside the UK, yes. The legal register should reflect the jurisdictions that actually affect the organisation. UK-only operations serving UK customers usually only need UK law and any EU law that still applies to them tracked.

UK Legislation

For UK organisations, the legislation named above (UK GDPR and the Data Protection Act 2018, the Computer Misuse Act 1990, the Investigatory Powers Act 2016 and any sector-specific regulation) typically forms part of the information security legal register, alongside the contractual requirements drawn from customer, supplier and data sharing agreements.
