Evaluating Compliance with Legal and Other Requirements
Compliance Evaluation in Brief
Each legal obligation in the register needs evidence of how the organisation knows it is meeting it. Compliance evaluation, recorded at planned intervals, gives that evidence and surfaces problems before they become enforcement issues.
What Evaluation of Compliance Means
A legal register lists what the law requires. Evaluation of compliance is the activity of checking that the organisation is meeting those requirements in practice - and recording the result. It is the difference between "we have a fire risk assessment" and "we have a fire risk assessment, it was last reviewed in March, it covers the current premises layout, and the actions from it are complete."
ISO 14001 Clause 9.1.2 and ISO 45001 Clause 9.1.2 both require organisations to plan, establish, implement and maintain a process for evaluating compliance with their compliance obligations. ISO 9001 does not have an equivalently named clause, but the same activity falls under Clause 9.1 (monitoring, measurement, analysis and evaluation) for legal requirements affecting product and service compliance. ISO 27001 Annex A.5.36 covers compliance with policies, rules and standards for information security, with A.5.31 covering identification of legal requirements.
The output of evaluation is documented information - a record showing what was checked, when, by whom, and the conclusion. This is what auditors expect to see and what protects the organisation if a regulator asks.
How Compliance is Evaluated in Practice
Most organisations evaluate compliance through a combination of activities rather than a single annual review. A legal register can be used as a central reference, but the evaluation evidence comes from looking at the activities on site and checking that they are managed in accordance with legislation.
The mistake I see most often is treating evaluation of compliance as a separate activity that has to be invented from scratch. It does not. The evidence of compliance is already there in most cases - the fire risk assessment for fire safety obligations, the COSHH assessments for COSHH obligations, the safety inspections for PUWER, the data protection impact assessments for UK GDPR. Evaluation of compliance is the activity of pulling those pieces of evidence together and confirming they cover the obligations the legal register identifies.
What I look for in audits is the link. I want to be able to take an entry on the legal register, follow it to the evidence, and see a recent date. If I cannot trace from obligation to evidence, that is a finding. If the evidence is there but is three years out of date, that is also a finding.
One of the differences between ISO 9001 and the H&S and environmental standards is how explicitly they require compliance evaluation. ISO 14001 and ISO 45001 use the actual phrase. ISO 9001 reaches the same outcome through Clauses 9.1 and 8.2.2 but does not name the activity, which sometimes leads quality managers to think it does not apply to them. It does. Any organisation supplying products or services has statutory and regulatory requirements to meet, and those need to be evaluated.
For an integrated management system, the practical answer is to run one evaluation process across all the standards. The legal register covers them all, and the evaluation produces one set of evidence that satisfies whichever standards the organisation is certified to.
Evaluation of compliance sounds heavy. It is not. It is asking, for each thing on the legal register - are we still doing what we said we would? Sometimes the answer is yes and you tick the box. Sometimes the answer is that you used to but the person who did it left, and now you have something to fix. Either way it is the same exercise - just take the register, work down it, write the answer next to each entry.
What Auditors Look For
An external auditor evaluating compliance evaluation (which is, admittedly, a slightly recursive thing to do) checks four things:
- Coverage - does the organisation understand all of its legal obligations and have the resources to meet them
- Recency - the evaluation has been done recently enough to be meaningful, typically within the last twelve months
- Evidence - the conclusion of compliant or non-compliant is supported by something concrete - a checklist, an inspection record, a permit, a third-party report
- Action - where non-compliance was found, an action was raised and tracked through to resolution
The four together form a compliance loop: identify obligations (legal register), evaluate compliance, raise actions for gaps, close those actions, repeat. The loop should be visible from the documented information without the auditor having to reconstruct it from scattered pieces.
Frequency and Triggers
Annual evaluation is the common standard, often timed to feed into a management review. Some obligations need more frequent checks - statutory inspections such as LOLER thorough examinations have their own legal cycles built in (six-monthly for lifting equipment used to lift people, twelve-monthly for other lifting equipment). The compliance evaluation does not duplicate these checks; it confirms they have happened.
Out-of-cycle evaluation should be triggered by significant changes:
- New or amended legislation - the Data (Use and Access) Act 2025, which commenced in February 202, is a recent example that changed UK GDPR obligations
- Significant changes to the organisation - new premises, new processes, new product lines, new data flows
- Incidents that suggest a control may not be working - a near-miss, a complaint, a regulator query
- External audit findings against compliance obligations
Recording the Evaluation
The simplest and most traceable approach is a set of columns on the legal register itself - Last evaluated, Status, Evidence reference - updated as part of the periodic review. Some organisations prefer a separate evaluation record per obligation; either works as long as the link from obligation to evidence is clear.
The evaluation record should include:
- The date of the evaluation and the name of the evaluator
- The conclusion - compliant, partially compliant, non-compliant, or not applicable
- The evidence relied on - a document reference, a record, an inspection report
- Any actions raised where compliance is not full
Where actions are raised, they should flow into the same actions register the rest of the management system uses, so they get tracked alongside other improvement actions rather than sitting in a separate compliance silo.
Compliance Evaluation and Management Review
Compliance status is a required input to the management review under ISO 14001 Clause 9.3.2 and ISO 45001 Clause 9.3.2. The evaluation done during the year feeds into the review - top management should see, at minimum, whether the organisation is broadly compliant, where the gaps are, and what is being done about them.
This is not a tick-box exercise. Top management has strict liability for compliance with much of UK law, and the management review is where leadership formally confirms it has visibility of the compliance position. A management review that does not address compliance status is missing a required element of the standards.
Practical Advice
The most efficient way to evaluate compliance is to build the evaluation column into the legal register itself. The same review cycle covers both register currency and compliance status, and the evidence of evaluation lives next to the obligation it relates to.
Where compliance gaps are found, they get raised on the issues and actions register and tracked through to closure alongside other corrective actions, so the loop closes. Compliance status then feeds into management review through the standard input route.
| alphaZ document | How to use it |
|---|---|
| ISO 9001/14001/45001 IMS Toolkit | Full integrated management system toolkit including the legal register, issues and actions register, and the management review template that consumes compliance status as an input. |
| ER9 Legal Register | The legal register that compliance evaluation works from. Add evaluation columns for last evaluated date, status, evidence reference and reviewer name. |
| ER1 Issues and Actions Register | Where compliance gaps and required actions are recorded and tracked through to closure. Sits alongside the legal register and references it. |
| F-IMS23 Opportunities and Risks Register | Where significant compliance risks identified through evaluation are recorded with the controls in place to manage them. |
| A-C_P03 Legal Requirement | Audit checklist for legal requirements, used to structure the evaluation of individual obligations. |
Note: subscribers to alphaZ documents can download all of the documents above as part of the subscription.
Frequently Asked Questions
How often should compliance be evaluated?
Annually as a minimum is the standard interpretation of ISO 14001 Clause 9.1.2 and ISO 45001 Clause 9.1.2, often timed to feed into the management review. Some statutory inspections - LOLER thorough examinations, electrical installation testing, fire alarm tests, asbestos surveys - have their own cycles dictated by the underlying legislation. An annual compliance evaluation confirms these have been done at the right intervals rather than replacing them.
Who should carry out the evaluation?
It depends on the obligation. Some require a competent specialist - a thorough examination under LOLER, an asbestos survey under the Control of Asbestos Regulations 2012, a fire risk assessment under the Regulatory Reform (Fire Safety) Order 2005. Others can be evaluated internally by someone competent in the area - the H&S adviser for safety obligations, the data protection lead for UK GDPR obligations, HR for employment obligations. The compliance evaluation as a whole is normally co-ordinated by the IMS or compliance lead with input from these specialists.
What happens when non-compliance is found?
Raise an action, fix the gap, record the closure. The action goes onto the same issues and actions register that the rest of the management system uses, with an owner, a description, a date and a status. Significant non-conformances - particularly anything that could constitute a regulatory breach or a serious safety risk - should be escalated to top management immediately rather than waiting for the next management review. The compliance evaluation record and the corrective action together demonstrate that the issue was identified and addressed.
Is compliance evaluation the same as internal audit?
No, though they overlap. Internal audit checks that the management system itself is working - that procedures are being followed, that records exist, that the system is effective. Compliance evaluation specifically checks whether legal obligations are being met. An internal audit programme often samples compliance obligations as part of its scope, but a sampled audit is not a complete compliance evaluation. Most organisations run the two as related but distinct activities.
Does ISO 9001 require compliance evaluation?
Not under that name. ISO 9001 Clause 9.1 requires monitoring, measurement, analysis and evaluation, which includes legal and regulatory requirements that affect product and service conformity. Clause 8.2.2 requires the organisation to determine statutory and regulatory requirements applicable to its products and services. Together, these create a duty to know what the law requires and to confirm the organisation is meeting it. Most organisations running an integrated management system across ISO 9001, ISO 14001 and ISO 45001 simply use the same compliance evaluation process across all three.
UK Legislation
The legislation referenced in this article is wide-ranging - any item on the legal register is potentially evaluated through this process. Examples particularly relevant to evaluation activities themselves include:
- Lifting Operations and Lifting Equipment Regulations (LOLER) 1998
- Control of Asbestos Regulations 2012
- Regulatory Reform (Fire Safety) Order 2005
- Control of Substances Hazardous to Health Regulations (COSHH) 2002
- Data Protection Act 2018 and UK GDPR
- Data (Use and Access) Act 2025
- Health and Safety at Work etc. Act 1974
