ISO 27001 Annex A 5.31 is a security control that requires organizations to identify and document all legal, statutory, regulatory, and contractual obligations. The primary implementation requirement is the maintenance of a centralized legal register, providing the business benefit of mitigating regulatory penalties and enhancing enterprise client trust.
For leaders in the Artificial Intelligence sector, navigating the complex world of information security is paramount. While the ISO 27001 standard provides a comprehensive framework, one particular control, ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements, is where compliance meets commercial reality. Every unchecked legal, regulatory, or contractual obligation is an invitation for disruption, not just a penalty.
This guide provides a practical blueprint for turning this complex requirement from a hidden risk into a powerful business advantage, building the foundation upon which customer trust and regulatory resilience are built.
Table of contents
- The “No-BS” Translation: Decoding the Requirement
- The Business Case: Why This Actually Matters for AI Companies
- DORA, NIS2 and AI Regulation: The Legal Register
- ISO 27001 Toolkit vs SaaS Platforms: The Register Trap
- The AI Magnifying Glass: Unique Risks and Obligations
- Your Blueprint for Compliance: Practical Steps to Success
- The Evidence Locker: What the Auditor Needs to See
- Common Pitfalls & Auditor Traps
- Handling Exceptions: The “Break Glass” Protocol
- The Process Layer: “The Standard Operating Procedure (SOP)”
The “No-BS” Translation: Decoding the Requirement
Let’s strip away the consultant-speak. Annex A 5.31 asks one question: “Do you know the laws you are breaking?” If you operate globally, you have 50+ laws to track.
| The Auditor’s View (ISO 27001) | The AI Company View (Reality) |
|---|---|
| “Legal, statutory, regulatory and contractual requirements… shall be identified, documented and kept up to date.” | Make a list. 1. Laws: GDPR, CCPA, EU AI Act. 2. Contracts: The SLA you signed promising 99.9% uptime. 3. Regulations: PCI-DSS if you take payments. If it’s not on the list, you aren’t compliant. |
The Business Case: Why This Actually Matters for AI Companies
Why should a founder care about a “Legal Register”? Because ignorance is not a defence, and it is expensive.
The Sales Angle
Enterprise clients will ask: “How do you ensure compliance with the EU AI Act?” If your answer is “We are looking into it,” you lose the deal. If your answer is “We track all relevant AI regulations in our ISO 27001 Legal Register and conduct quarterly compliance reviews,” you win trust. A 5.31 proves you are a grown-up company.
The Risk Angle
The “Copyright” Lawsuit: You train your model on “public” data. Later, a court rules that scraping is copyright infringement. If you didn’t have “Intellectual Property Rights” listed as a requirement in A 5.31, you have no defence. You didn’t even check.
DORA, NIS2 and AI Regulation: The Legal Register
Regulators demand that you know your obligations.
- DORA (Article 5): Financial entities must have an internal governance framework. This includes mapping all legal obligations related to ICT risk.
- NIS2 Directive: Requires “compliance with legal requirements.” You must know which sectors you serve (e.g., energy, health) and what specific laws apply to them.
- EU AI Act: This is the big one. It imposes strict obligations on “High-Risk AI Systems.” You must document these obligations (e.g., conformity assessments, transparency) in your Legal Register to prove you are tracking them.
ISO 27001 Toolkit vs SaaS Platforms: The Register Trap
SaaS platforms give you a generic list of laws, but they don’t apply them to your business. Here is why the ISO 27001 Toolkit is superior.
| Feature | ISO 27001 Toolkit (Hightable.io) | Online SaaS Platform |
|---|---|---|
| The Content | Pre-populated List. We give you a spreadsheet with common laws (GDPR, HIPAA, etc.) ready to go. | Generic Database. Platforms connect to a legal database but dump 1,000 irrelevant laws on you. “Do you comply with the Bulgarian Mining Act?” |
| Ownership | Your Register. You keep the Excel file. You can share it with your lawyer. | Platform Lock-in. Your legal compliance status is locked in their dashboard. If you leave, you lose your history of compliance checks. |
| Simplicity | Relevance Column. Simple “Yes/No” check. | Overkill. Forces you to link every single control to a specific clause of a specific law, wasting hundreds of hours. |
| Cost | One-off fee. Pay once. Be compliant. | Subscription. You pay monthly for a list of laws that you could find on Google. |
The AI Magnifying Glass: Unique Risks and Obligations
For AI companies, the web of obligations under Annex A 5.31 is significantly more intricate.
Securing Your Training Data
If your training data contains PII, it falls under GDPR. Annex A 5.31 requires you to identify these laws. Furthermore, your agreements with data suppliers often contain contractual clauses that dictate how that data can be stored. Failing to track these obligations creates hidden tripwires.
Protecting Algorithmic Integrity
Service Level Agreements (SLAs) that promise specific levels of accuracy or uptime are a core part of your contractual landscape. These agreements must be identified. A disruption to your algorithmic processes that drops you below the promised level is a breach of contract.
Managing the AI Supply Chain
Every relationship with a third-party model provider or cloud host is governed by a contract. Annex A 5.31 mandates that you identify and manage the information security requirements embedded in these contracts.
Your Blueprint for Compliance: Practical Steps to Success
To manage these obligations effectively, create a living system rather than a one-off list.
Create a Centralised Legal Register
This is the core artefact. Create a master list of all legal, statutory, regulatory, and contractual requirements.
- Requirement: The specific law or contract clause.
- Source: “GDPR Art 32” or “Client Contract X Clause 9.”
- Control: What you do to comply (e.g., “Encryption at rest”).
Assign Clear Ownership
Every requirement must have an owner. “Head of Legal” owns GDPR. “CTO” owns SLAs. If nobody owns it, you are non-compliant.
Integrate Requirements into Your ISMS
Link the requirement to the control. If the law requires encryption, link it to your Encryption Policy (A 8.24). This creates a provable chain.
The Evidence Locker: What the Auditor Needs to See
When the audit comes, prepare these artifacts:
- Legal Register (Excel): The master list, updated within the last 12 months.
- Contract Review Log: Evidence that you check client contracts for security clauses before signing.
- Data Protection Registration: Your ICO registration certificate (or local equivalent).
- IP Rights Policy: A document stating how you respect intellectual property (e.g., open source licenses).
Common Pitfalls & Auditor Traps
Here are the top 3 ways AI companies fail this control:
- The “Outdated” Law: Your register lists the “Data Protection Act 1998” instead of the “Data Protection Act 2018.” This proves you haven’t looked at it in years. Instant fail.
- The “Missing” Contract: You signed a huge deal with a bank that requires “Data Residency in UK,” but you didn’t add it to the register. You are hosting data in the US. Breach of contract.
- The “Open Source” Violation: You use GPLv3 code in your proprietary product. You violated the license terms because you didn’t track “Contractual/License” obligations in your register.
Handling Exceptions: The “Break Glass” Protocol
What if you cannot comply with a law (e.g., conflicting US and EU laws)?
The Legal Risk Acceptance Workflow:
- Identification: Conflict identified between Law A and Law B.
- Advice: Obtain external legal opinion.
- Decision: Board formally accepts the risk of non-compliance with one jurisdiction to satisfy the other.
- Documentation: Record this decision in the Risk Register (not just the Legal Register).
The Process Layer: “The Standard Operating Procedure (SOP)”
How to operationalise A 5.31 using your existing stack (Linear, Excel).
- Step 1: Setup (Manual). Download the Hightable.io Legal Register Template. Fill it with your known laws.
- Step 2: Monitoring (Automated). Subscribe to a legal update feed (or just set a Google Alert for “AI Regulation”).
- Step 3: Update (Manual). When a new law (e.g., EU AI Act) passes, add it to the register. Create a Linear ticket: “Assess impact of EU AI Act.”
- Step 4: Review (Manual). Quarterly meeting between CISO and Legal to review the register. Update “Last Review Date.”
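One way to run the register checks described above (an owner for every requirement, a linked control, the "outdated law" trap, and the 12-month and quarterly review windows) over the register itself. This is an added example, not code from the page or the High Table toolkit; the CSV columns mirror the fields described above, while the sample rows, the review windows and the superseded-law table are constructed assumptions.

```python
import csv
import io
from datetime import date
# Field names follow the page's register; review windows and superseded-law table are assumptions.
REQUIRED_COLUMNS = ("Requirement", "Source", "Control", "Owner", "Last Review Date")
AUDIT_WINDOW_DAYS = 365      # evidence locker: register updated within the last 12 months
QUARTERLY_WINDOW_DAYS = 92   # SOP step 4: quarterly CISO/Legal review
SUPERSEDED = {"Data Protection Act 1998": "Data Protection Act 2018"}
AS_OF = date(2025, 3, 1)     # fixed "today" so the sample findings are reproducible

# Constructed sample register (not the Hightable.io template); each row shows one gap.
SAMPLE_REGISTER = """Requirement,Source,Control,Owner,Last Review Date
Encrypt personal data at rest,GDPR Art 32,Encryption Policy (A 8.24),Head of Legal,2025-01-20
Data residency in UK,Client Contract X Clause 9,,CTO,2024-12-15
99.9% uptime SLA,Client Contract Y Clause 4,Availability Policy,,2025-01-10
Lawful processing of personal data,Data Protection Act 1998,Privacy Policy,Head of Legal,2025-02-01
Respect open source licences,GPLv3 / MIT licences,IP Rights Policy,Head of Legal,2023-06-01
"""

def lint_register(csv_text, today):
    """Return (requirement, finding) pairs for every gap an auditor would flag."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"register is missing columns: {missing}")
    findings = []
    for row in reader:
        name = row["Requirement"].strip()
        if not row["Owner"].strip():            # "If nobody owns it, you are non-compliant"
            findings.append((name, "no owner assigned"))
        if not row["Control"].strip():          # requirement must link to an ISMS control
            findings.append((name, "no control linked"))
        for old, new in SUPERSEDED.items():     # the "outdated law" auditor trap
            if old in row["Source"]:
                findings.append((name, f"source cites {old}; current instrument is {new}"))
        try:
            reviewed = date.fromisoformat(row["Last Review Date"].strip())
        except ValueError:
            findings.append((name, "unparseable Last Review Date"))
            continue
        age = (today - reviewed).days
        if age > AUDIT_WINDOW_DAYS:
            findings.append((name, f"reviewed {age} days ago: outside 12-month audit window"))
        elif age > QUARTERLY_WINDOW_DAYS:
            findings.append((name, f"reviewed {age} days ago: quarterly review overdue"))
    return findings

if __name__ == "__main__":
    for requirement, finding in lint_register(SAMPLE_REGISTER, AS_OF):
        print(f"{requirement}: {finding}")
```

Run against the real register exported from Excel as CSV, the output is the gap list to bring to the quarterly CISO/Legal review.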
For an AI company, mastering compliance with ISO 27001 Annex A 5.31 is about building a fundamental layer of trust. The High Table ISO 27001 Toolkit provides the expert guidance and practical tools you need to turn a complex compliance obligation into a clear business advantage.
ISO 27001 Annex A 5.31 for AI Companies FAQ
What is ISO 27001 Annex A 5.31 for AI companies?
ISO 27001 Annex A 5.31 requires AI companies to identify and document all legal, regulatory, and contractual requirements relevant to information security. This ensures 100% compliance with complex frameworks like the EU AI Act and GDPR, mitigating legal risks that can carry penalties of up to €35 million or 7% of global annual turnover.
How does the EU AI Act impact Annex A 5.31 compliance?
The EU AI Act is a primary regulatory requirement under Annex A 5.31. AI firms must categorise their systems by risk level and maintain rigorous technical documentation. Implementing this control reduces regulatory friction by approximately 45% by centralising compliance evidence within the existing Information Security Management System (ISMS) framework.
How are Intellectual Property rights managed under Annex A 5.31?
Managing Intellectual Property (IP) is a critical component of Annex A 5.31 for AI firms. Companies must ensure they have documented legal rights to 100% of their training datasets. Key compliance steps include:
- Reviewing “fair use” versus licensed data for model training.
- Ensuring third-party data scrapers comply with robots.txt and site-specific Terms of Service.
- Explicitly documenting model ownership and IP rights in multi-stakeholder development partnerships.
What are the contractual requirements for AI vendor management?
AI companies must identify security requirements within all vendor contracts, including LLM API agreements. Annex A 5.31 mandates that 100% of contracts with compute providers and data brokers include specific clauses on data sovereignty, ensuring that proprietary prompts are not used for external model training without explicit written consent.
What evidence do auditors require for Annex A 5.31?
To satisfy an ISO 27001 auditor, AI firms must maintain a “Legal and Regulatory Register.” This document must list all applicable international laws, the specific security controls implemented to meet them, and evidence of a formal compliance review conducted within the last 12 months to account for rapid legislative changes.