Auditing ISO 27001 Annex A 5.31 means systematically verifying that an organisation adheres to the legal, statutory, regulatory and contractual mandates that apply to it. The primary implementation requirement is a maintained legal register; the business benefit is total regulatory alignment, avoided litigation, and the protection of essential intellectual property assets.
This checklist is a technical verification tool for lead auditors to establish the legitimacy of the organisation’s compliance framework. Use it to validate compliance with ISO 27001 Annex A 5.31 (Legal, statutory, regulatory and contractual requirements).
1. Comprehensive Legal and Regulatory Register Verified
Verification Criteria: A maintained register identifies all applicable legislation, statutory requirements, and regulatory obligations relevant to the ISMS scope and jurisdiction.
Required Evidence: Legal and Regulatory Register (or Compliance Matrix) showing specific acts (e.g., UK Data Protection Act 2018, NIS2 Directive) and their impact on security controls.
Pass/Fail Test: If the organisation cannot produce a list of specific laws and regulations applicable to its industry and geography, mark as Non-Compliant.
2. Contractual Security Obligation Inventory Confirmed
Verification Criteria: An inventory or repository exists that extracts and tracks specific information security clauses from client and vendor contracts.
Required Evidence: Contractual Obligations Tracker or a centralised CRM/Legal folder containing security annexes from active Master Service Agreements (MSAs).
Pass/Fail Test: If security requirements from a major client contract are not reflected in the organisation’s internal control objectives, mark as Non-Compliant.
3. Intellectual Property (IP) Protection Controls Validated
Verification Criteria: Technical and organisational controls are implemented to protect intellectual property in accordance with legal and contractual requirements.
Required Evidence: Software asset register showing license validity, and Data Loss Prevention (DLP) logs protecting proprietary source code or designs.
Pass/Fail Test: If the organisation is using unlicensed commercial software or lacks controls to prevent unauthorised IP exfiltration, mark as Non-Compliant.
4. Protection of Records (Retention and Disposal) Verified
Verification Criteria: Records are protected from loss, destruction, and falsification in accordance with statutory, regulatory, and business requirements.
Required Evidence: Document Retention Schedule and evidence of secure disposal (e.g., certificates of destruction) for records that have exceeded their legal hold.
Pass/Fail Test: If sensitive records are retained indefinitely without a legal or business justification, mark as Non-Compliant.
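The retention test above is easiest to apply consistently when the sampled records inventory is checked mechanically against the retention schedule. The script below is an added example, not part of the original checklist or of any GRC product: the retention schedule, the record classes and the inventory rows are constructed for illustration, and the finding codes are the example's own. It flags the conditions the Pass/Fail test names (indefinite retention with no justification, records held past their schedule without a legal hold) and the evidence gap the auditor looks for (disposal with no certificate of destruction), and also catches premature destruction, which item 4 treats as a loss.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed retention schedule, constructed for this example: record class -> retention period in days.
# None means the class is retained indefinitely, which the checklist accepts only with a justification.
RETENTION_DAYS = {
    "access_log": 365,
    "hr_file": 6 * 365,
    "invoice": 7 * 365,
    "product_design": None,
}


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    disposed: Optional[date] = None            # date the record was destroyed, if at all
    disposal_certificate: Optional[str] = None  # reference to a certificate of destruction
    legal_hold: bool = False                    # an active hold suspends scheduled disposal
    justification: Optional[str] = None        # documented reason for indefinite retention


def assess_record(rec: Record, today: date) -> Optional[str]:
    """Return a finding code for one record, or None if it passes the retention test."""
    if rec.record_class not in RETENTION_DAYS:
        return "NO_SCHEDULE_ENTRY"           # class is not covered by the retention schedule
    days = RETENTION_DAYS[rec.record_class]
    if days is None:
        # Indefinite retention is only acceptable with a legal or business justification.
        return None if rec.justification else "INDEFINITE_WITHOUT_JUSTIFICATION"
    expiry = rec.created + timedelta(days=days)
    if rec.disposed is not None:
        if rec.legal_hold:
            return "DISPOSED_UNDER_LEGAL_HOLD"  # destroyed while a hold required preservation
        if rec.disposed < expiry:
            return "DISPOSED_BEFORE_EXPIRY"     # destroyed before the schedule allowed it
        if rec.disposal_certificate is None:
            return "DISPOSAL_UNEVIDENCED"       # disposal claimed but not evidenced
        return None
    if today > expiry and not rec.legal_hold:
        return "RETAINED_PAST_EXPIRY"           # kept beyond the schedule with no hold
    return None


def audit_inventory(records: List[Record], today: date) -> Dict[str, str]:
    """Map record ids to finding codes; records that pass are omitted."""
    findings: Dict[str, str] = {}
    for rec in records:
        code = assess_record(rec, today)
        if code is not None:
            findings[rec.record_id] = code
    return findings


# Constructed sample inventory (not real data); the audit date is fixed so results are reproducible.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("R1", "access_log", date(2024, 1, 1)),
    Record("R2", "access_log", date(2022, 1, 1)),
    Record("R3", "invoice", date(2010, 3, 15), disposed=date(2017, 4, 1), disposal_certificate="COD-0042"),
    Record("R4", "invoice", date(2012, 5, 1), disposed=date(2019, 6, 1)),
    Record("R5", "hr_file", date(2015, 1, 1), legal_hold=True),
    Record("R6", "product_design", date(2019, 2, 1)),
    Record("R7", "product_design", date(2019, 2, 1), justification="trade secret, IP register entry 17"),
    Record("R8", "chat_export", date(2023, 9, 1)),
    Record("R9", "invoice", date(2020, 1, 1), disposed=date(2022, 1, 1), disposal_certificate="COD-0101"),
]

if __name__ == "__main__":
    for record_id, code in audit_inventory(SAMPLE_RECORDS, AUDIT_DATE).items():
        print(f"{record_id}: {code}")
```

Each finding maps back to a line of evidence the auditor would request: a schedule entry, a justification, a legal hold notice, or a certificate of destruction. A record with no finding is not automatically compliant; it only means the inventory claims nothing the schedule contradicts.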
5. Data Privacy and PII Protection Compliance Confirmed
Verification Criteria: Personal data is protected according to relevant privacy legislation (e.g., GDPR) and contractual privacy mandates.
Required Evidence: Records of Processing Activities (RoPA), Data Protection Impact Assessments (DPIAs), and Privacy Notices.
Pass/Fail Test: If the organisation processes high-risk PII but has not conducted a DPIA or lacks a designated Data Protection Lead, mark as Non-Compliant.
6. Cryptographic Control Regulatory Alignment Verified
Verification Criteria: The use of cryptography complies with all relevant agreements, laws, and regulations (including import/export restrictions).
Required Evidence: Cryptographic Policy and technical configuration logs showing the use of approved algorithms (e.g., AES-256) and key management practices.
Pass/Fail Test: If cryptographic implementations use prohibited algorithms or violate the import/export laws of the jurisdictions in which the organisation operates, mark as Non-Compliant.
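Checking "technical configuration logs" against the Cryptographic Policy by eye does not scale across a sample of hosts, so an auditor usually scripts the comparison. The following is an added example, not code from the original checklist or from any product it mentions: the approved and prohibited algorithm lists, the minimum TLS version and the key=value log lines are all constructed for illustration, and a real run would take its policy from the organisation's own Cryptographic Policy and the import/export rules of its jurisdictions. The script parses each log line, splits cipher-suite names into algorithm tokens, and reports per host any prohibited algorithm, any cipher field with no approved algorithm, and any TLS version below the policy minimum.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed cryptographic policy, constructed for this example (exact tokens after splitting a suite name).
PROHIBITED = {"DES", "RC4", "RC2", "MD5", "SHA", "SHA1", "NULL", "EXPORT", "ANON"}
APPROVED_CIPHER_PREFIXES = ("AES", "CHACHA20")   # at least one token must start with one of these
MIN_TLS = (1, 2)                                  # TLSv1.2 or later
CIPHER_FIELDS = ("cipher", "encryption")
HASH_FIELDS = ("hash", "mac")

# Constructed sample lines in the shape of a key=value configuration log (not real system output).
SAMPLE_LOG = """\
2024-05-02T10:00:00Z host=web01 service=nginx tls_version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
2024-05-02T10:00:05Z host=vpn01 service=ipsec encryption=AES-256-GCM hash=SHA256 dh_group=14
2024-05-02T10:01:00Z host=legacy01 service=smb encryption=DES hash=MD5
2024-05-02T10:02:00Z host=web02 service=nginx tls_version=TLSv1.0 cipher=RC4-SHA
2024-05-02T10:03:00Z host=db01 service=postgres tls_version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
"""


def parse_line(line: str) -> Dict[str, str]:
    """Extract key=value pairs; the leading timestamp has no key and is ignored."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def algorithm_tokens(value: str) -> List[str]:
    """Split a suite name such as ECDHE-RSA-AES256-GCM-SHA384 into upper-case algorithm tokens.
    Bare numbers (the 256 in AES-256-GCM) are dropped; letters with a trailing number are kept."""
    return re.findall(r"[A-Z]+\d*", value.upper())


def tls_version(value: str) -> Optional[Tuple[int, int]]:
    """Parse TLSv1.2 style strings into (major, minor); anything else (e.g. SSLv3) is None."""
    m = re.match(r"TLSV(\d)\.(\d)", value.upper())
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_fields(fields: Dict[str, str]) -> List[str]:
    """Apply the assumed policy to one parsed log line and return its findings."""
    findings: List[str] = []
    for name in CIPHER_FIELDS:
        if name in fields:
            tokens = algorithm_tokens(fields[name])
            bad = [t for t in tokens if t in PROHIBITED]
            for t in bad:
                findings.append(f"{name}: prohibited algorithm {t}")
            # Only report "no approved cipher" when nothing prohibited already explains the failure.
            if not bad and not any(t.startswith(APPROVED_CIPHER_PREFIXES) for t in tokens):
                findings.append(f"{name}: no approved cipher in {fields[name]}")
    for name in HASH_FIELDS:
        if name in fields:
            for t in algorithm_tokens(fields[name]):
                if t in PROHIBITED:
                    findings.append(f"{name}: prohibited algorithm {t}")
    if "tls_version" in fields:
        ver = tls_version(fields["tls_version"])
        if ver is None or ver < MIN_TLS:
            findings.append(
                f"tls_version: {fields['tls_version']} below minimum TLSv{MIN_TLS[0]}.{MIN_TLS[1]}"
            )
    return findings


def audit_config_log(text: str) -> Dict[str, List[str]]:
    """Map each host in the log to its findings; an empty list means the line met the policy."""
    results: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = parse_line(line)
        if "host" in fields:
            results.setdefault(fields["host"], []).extend(check_fields(fields))
    return results


if __name__ == "__main__":
    for host, findings in audit_config_log(SAMPLE_LOG).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{host}: {status}" + "".join(f"\n  - {f}" for f in findings))
```

The token split matters: a substring match on "SHA" would wrongly flag SHA384, and one on "DES" would miss nothing but a check for "AES" by substring would accept "AES" appearing inside an otherwise unapproved name. The output is a list of hosts to raise with the control owner, not a verdict on the jurisdictional question in the Pass/Fail test, which still needs the legal register.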
7. Independent Compliance Review Records Identified
Verification Criteria: Regular, independent reviews of the organisation’s compliance with legal and contractual requirements are performed.
Required Evidence: External audit reports, legal counsel opinions, or internal audit reports specifically focused on legal/contractual compliance.
Pass/Fail Test: If the organisation has not conducted a formal compliance review of its legal and contractual obligations within the last 12 months, mark as Non-Compliant.
8. Management Accountability for Legal Compliance Confirmed
Verification Criteria: Senior management demonstrates accountability for ensuring that the organisation meets its legal and regulatory security obligations.
Required Evidence: Management Review Meeting (MRM) minutes showing “Legal and Regulatory Compliance” as a discussed and reviewed agenda item.
Pass/Fail Test: If top management has not reviewed the compliance status of the ISMS against the legal register in the current audit cycle, mark as Non-Compliant.
9. Technical Access to Legal Information Validated
Verification Criteria: Personnel responsible for compliance have access to up-to-date information regarding changes in legislation and regulations.
Required Evidence: Subscriptions to legal update services, membership in professional bodies (e.g., IAPP, ISACA), or records of legal briefings from external counsel.
Pass/Fail Test: If the organisation is unaware of a major regulatory change (e.g., NIS2 or a GDPR update) that has already come into effect, mark as Non-Compliant.
10. Transborder Data Transfer Controls Verified
Verification Criteria: Information transfers across national borders comply with relevant privacy and data protection legislation.
Required Evidence: Standard Contractual Clauses (SCCs), International Data Transfer Agreements (IDTAs), or adequacy decision records for sampled transfers.
Pass/Fail Test: If data is being transferred to a third country without a valid legal transfer mechanism or risk assessment, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Legal Register | GRC tool provides a pre-filled “Global Laws” list. | The auditor must verify that the list is tailored to the specific services provided and locations of operation. |
| Contractual Tracking | Platform identifies that a contract is “Signed.” | An auditor must see the mapping of specific security clauses in the contract to internal technical controls. |
| Data Privacy | SaaS tool shows a generic “Privacy Policy” exists. | Verify the RoPA. If the tool doesn’t show exactly where PII flows, it isn’t compliant with UK GDPR. |
| Record Retention | Tool records that backups are kept for 7 years. | Verify disposal. Keeping backups is easy; proving that you securely deleted data when the legal term expired is the real test. |
| IP Protection | Platform assumes software is legal because it’s “On the Cloud.” | Verify SaaS license management. Over-usage of seats or unapproved “Shadow IT” apps are common IP violations. |
| Regulatory Updates | GRC provider claims they “Update the system for you.” | The organisation must prove they reviewed the update and adjusted internal procedures accordingly. |
| Cross-Border Transfers | Tool checks a box for “Data Residency.” | Verify the Transfer Risk Assessment (TRA). Knowing where data sits is not the same as having the legal right to send it there. |