ISO 27001 Annex A 5.31 Legal, Statutory, Regulatory and Contractual Requirements is a security control that mandates the systematic identification and documentation of all legal obligations. Implementing this requires a maintained Legal Register to ensure the ISMS remains compliant, providing the Business Benefit of mitigating litigation risks and preventing regulatory fines.
In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.31 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.31 Legal, Statutory, Regulatory and Contractual Requirements
ISO 27001 Annex A 5.31 requires organizations to identify, document, and keep up-to-date all external rules that impact their information security. Its purpose is to ensure you don’t just “feel” secure, but that you are actually compliant with the specific laws (like GDPR) and client contracts (like NDAs) that govern your business.
Core Requirements for Compliance:
- The Legal Register: You must create a centralized document (a “Legal Register”) that lists every law, regulation, and contract clause applicable to your security. This is the primary artifact for this control.
- Specific Ownership: It is not enough to list a law; you must assign a specific person (e.g., “Head of HR”) to be responsible for monitoring that law.
- Cryptographic Controls: You must specifically identify laws regarding encryption, especially if you operate internationally, as some countries restrict the import/export of cryptographic software.
- Regular Review: Laws change. You must review your register at planned intervals (e.g., every 6 or 12 months) to ensure you haven’t missed a new regulation.
Audit Focus: Auditors will look for your Legal Register immediately. They are checking for “Living Evidence”:
- Completeness: Did you forget the Data Protection Act? Did you forget your client’s SLA requirements?
- Currency: Is the register dated from 2019? (Major non-conformity).
- Traceability: If you list “GDPR” as a requirement, can you show the auditor the specific Privacy Policy or Data Retention Procedure you built to satisfy it?
Obligation Examples:
| Requirement Type | Legal Definition | Industry-Specific Examples | ISO 27001:2022 Mapping |
|---|---|---|---|
| Legislative / Statutory | Mandatory laws passed by regional or national governments. | UK GDPR, Data Protection Act 2018, HIPAA, CCPA. | 5.31 (Legal requirements) |
| Regulatory | Enforceable rules issued by industry-specific oversight bodies. | PCI-DSS (Payments), FCA Handbooks (Finance), SOC2. | 5.31 (Regulatory requirements) |
| Contractual | Binding security obligations defined in private legal agreements. | Service Level Agreements (SLAs), Non-Disclosure Agreements (NDAs). | 5.31 (Contractual requirements) |
Table of contents
- What is ISO 27001 Annex 5.31?
- Watch the ISO 27001 Annex A 5.31 Tutorial
- ISO 27001 Annex A 5.31 Podcast
- ISO 27001 Annex 5.31 Implementation Guidance
- How to implement ISO 27001 Annex 5.31
- Obligation Examples Table
- How to Audit ISO 27001 Annex A 5.31
- ISO 27001 Annex A 5.31 Templates
- What are the benefits of Legal, statutory, regulatory and contractual requirements?
- Why are legal, statutory, regulatory and contractual requirements important?
- Applicability of ISO 27001 Annex A 5.31 across different business models.
- Fast Track ISO 27001 Annex A 5.31 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.31 Applicable Laws and Related Standards
- ISO 27001 Annex A 5.31 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute values
What is ISO 27001 Annex 5.31?
ISO 27001 Annex 5.31 Legal, statutory, regulatory and contractual requirements is an ISO 27001 control that wants you to understand the external requirements on your information security and implement them. Specifically, it is concerned with legal, regulatory, statutory and contractual requirements that may include specifics directly related to how you manage and implement information security.
What is the purpose of ISO 27001 Annex 5.31?
The purpose of ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements is to ensure you comply with legal, statutory, regulatory and contractual requirements related to information security.
An organisation's information security responsibilities are informed by laws, regulations and contractual requirements.
Organisations should have a clear understanding of their obligations and be prepared to include those in their information security practices.
What is the definition of ISO 27001 Annex 5.31?
The ISO 27001 standard defines ISO 27001 Annex A 5.31 as:
Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation's approach to meet these requirements should be identified, documented and kept up to date.
ISO 27001:2022 Annex A 5.31 Legal, statutory, regulatory and contractual requirements
Watch the ISO 27001 Annex A 5.31 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.31 and how to pass the audit.
ISO 27001 Annex A 5.31 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex 5.31 Implementation Guidance
Annex A 5.31 requires you to understand and record any legal, statutory, regulatory or contractual requirements that bear on your information security.
There are 5 general guidance points to consider.
Organisations should take their external legal, statutory, regulatory and contractual requirements into consideration when:
- Developing your information security policies and processes
- Developing or changing your information security controls
- Classifying your data and assets
- Doing risk assessments and risk management
- Performing supplier management and supplier contracts
Legal and Regulatory Guidance on Control A 5.31
You should record your legal and regulatory requirements in an ISO 27001 Legal Register.
You are going to identify all of the laws and regulations that apply to you and write them down in order to be aware of the requirements and how they apply to you.
It is best practice to get legal advice to help you compile this list.
It can be difficult, as you have to consider the compliance requirements of all the countries in which you operate. This includes the transfer of information across borders, where those countries' laws could apply to you.
Cryptographic Guidance on Control A 5.31
It is recommended to get legal advice on all aspects of this control, including on the cryptography. It can be quite specialised in its requirements.
The legal advice will look at any restrictions on the import and export of cryptographic technologies and usage.
A significant one to note is any in-country requirement for authorities to be given access to encrypted information.
All in all, get some legal advice.
Contract Guidance on Control A 5.31
Which contracts could have requirements that impact your information security implementation? Well, there are many, but they would include:
- contracts with your suppliers
- contracts with your clients
- contracts with your insurers
- contracts with your investors / funding
Guidance relating to supplier contracts is covered in ISO 27001 Annex A 5.20.
How to implement ISO 27001 Annex 5.31
Implementing ISO 27001 Annex A 5.31 is more than a legal hurdle: it is about building a defensible security posture that satisfies regulators, clients, and partners. As an ISO 27001 Lead Auditor, I expect to see a robust system for identifying and maintaining compliance. Follow these ten technical steps to formalise your legal, statutory, regulatory, and contractual obligations and ensure you pass your certification audit.
1. Identify Applicable Jurisdictions and Legal Frameworks
Identify all geographical and industry specific jurisdictions where the organisation operates. Result: Establishes a comprehensive list of legal boundaries to ensure no regional mandate is overlooked in the ISMS scope.
- Review business locations to identify local data protection and employment laws.
- Consult legal counsel to determine industry specific regulations such as HIPAA, PCI-DSS, or DORA.
- Document the process for determining legal applicability for future audit evidence.
2. Formalise the Legal and Regulatory Requirements Register
Formalise a central Legal Register that lists every identified statutory and regulatory requirement. Result: Provides the Incident Response Team and Auditors with a single source of truth for compliance mapping.
- Include the source of the law, a brief description, and the specific ISO control it relates to.
- Assign a “Compliance Owner” for every entry to ensure accountability.
- Link the register to your Risk Management Framework to track legal risks.
3. Map and Document Intellectual Property Rights (IPR)
Map all intellectual property, including software licences and proprietary source code. Result: Protects the organisation from litigation regarding copyright infringement and unauthorised use of proprietary assets.
- Perform an audit of software install counts versus purchased licence entitlements.
- Update the Asset Register to include unique data sets and trade secrets.
- Include IPR protection clauses in employee and contractor Rules of Engagement (ROE) documents.
4. Verify Privacy and Data Protection Alignment
Verify that your technical and organisational controls align with GDPR and local privacy statutes. Result: Ensures personal data is processed lawfully and reduces the risk of significant regulatory fines.
- Conduct Data Protection Impact Assessments (DPIAs) for high risk processing activities.
- Confirm that Privacy Notices are transparent, up to date, and easily accessible.
- Verify that specific IAM roles are restricted based on data residency requirements.
5. Audit Contractual Security Obligations
Audit all client and vendor agreements to extract specific information security commitments. Result: Guarantees the organisation is technically capable of meeting its promised security levels to external parties.
- Create a “Contractual Matrix” that maps client security requirements to technical controls.
- Ensure vendor contracts include the “Right to Audit” and mandatory breach notification timelines.
- Communicate specific contractual uptime or encryption requirements to the technical team.
6. Provision Cryptographic Controls and Export Compliance
Provision cryptographic systems that align with national and international export laws. Result: Prevents legal breaches regarding the transfer of restricted encryption technologies across borders.
- Identify any jurisdictions where the import of high strength encryption is restricted.
- Verify that your Cryptographic Policy accounts for statutory requirements for lawful intercept.
- Maintain technical documentation for all cryptographic modules used in the infrastructure.
7. Synchronise the Asset Register with Compliance Metadata
Synchronise the Asset Register by tagging specific assets with their governing legal requirements. Result: Enables granular reporting and ensures that technical controls are applied specifically where mandated by law.
- Label assets that process PII, financial data, or sensitive government information.
- Map technical owners to the specific compliance requirements of the assets they manage.
- Ensure the register is updated whenever a new legislative requirement is identified.
8. Establish IAM Roles and MFA for Regulated Data
Establish strict Identity and Access Management (IAM) roles and Multi-Factor Authentication (MFA) for systems containing regulated data. Result: Provides the forensic evidence of restricted access required to satisfy regulatory scrutiny.
- Implement mandatory MFA for all accounts with access to legally sensitive data sets.
- Perform quarterly access reviews for users with “Privileged Access” to regulated systems.
- Automate the revocation of access for “Leavers” to prevent residual compliance risks.
9. Establish a Recurring Legislative Review Cycle
Establish a formal process for monitoring and reviewing changes in the legal and regulatory landscape. Result: Prevents “compliance drift” by ensuring the ISMS evolves in tandem with emerging global laws.
- Schedule bi-annual reviews of the Legal Register with key stakeholders.
- Subscribe to regulatory update services or industry bodies for early warning of changes.
- Document any changes to technical controls that were triggered by legislative updates.
10. Validate Compliance through Internal Audit Evidence
Validate the effectiveness of implementation through a rigorous internal audit programme. Result: Confirms that the organisation is fully prepared for the external Stage 2 certification audit.
- Test a sample of legal requirements to verify that documented controls are active.
- Ensure any compliance gaps are logged in the Corrective Action Log and remediated.
- Review the Statement of Applicability (SoA) to confirm it correctly references Annex A 5.31.
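The Key Takeaways above say an auditor checks the Legal Register for completeness, currency and traceability, and steps 2 and 9 describe the fields each entry needs (source, description, mapped control, a named owner) and the planned review interval. The following script is an added example, not part of this article or the High Table toolkit: it encodes those three audit checks as code over a small constructed register. The field names, the sample obligations, the per-jurisdiction baseline and the review date are all assumptions made for the example, not a schema or a list of laws prescribed by ISO 27001; a real baseline comes from legal counsel, as the guidance above advises.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Obligation:
    """One row of the Legal Register (field names are this example's assumption)."""
    name: str
    kind: str                  # "legal", "regulatory" or "contractual"
    source: str                # statute, regulator or contract the obligation comes from
    jurisdiction: str          # where it applies
    iso_control: str           # Annex A control(s) that address it
    owner: str                 # named person or role responsible for monitoring it
    evidence: list[str]        # internal policies/procedures built to satisfy it
    last_reviewed: date
    review_interval_months: int = 12


# Constructed sample register: it deliberately contains one gap of each kind the article names.
REGISTER = [
    Obligation("UK GDPR", "legal", "Regulation (EU) 2016/679 as retained in UK law", "UK",
               "5.31, 5.34", "Data Protection Officer",
               ["Privacy Policy", "Data Retention Procedure"], date(2025, 3, 1)),
    Obligation("PCI-DSS v4.0", "regulatory", "PCI Security Standards Council", "Global",
               "5.31, 8.24", "",                                   # no owner assigned
               ["Cryptographic Policy"], date(2025, 6, 15)),
    Obligation("Client MSA security annex (99.9% uptime SLA)", "contractual",
               "Master Services Agreement, Annex C", "UK", "5.31, 5.30",
               "Head of Operations", [], date(2025, 9, 1)),       # nothing traces to it
    Obligation("Cryptography import/export controls", "legal", "National export control law",
               "Global", "5.31, 8.24", "Legal Lead", ["Cryptographic Policy"],
               date(2019, 1, 10)),                               # stale: last reviewed in 2019
]

# Constructed baseline of laws an organisation in each jurisdiction is expected to have listed
# (an assumption for this example; in practice this list comes from legal advice).
EXPECTED_BY_JURISDICTION = {
    "UK": ["UK GDPR", "Data Protection Act 2018"],
}

# Date the review is run as of (fixed so the example is reproducible).
AS_OF = date(2025, 12, 1)


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def check_register(register, expected_by_jurisdiction, today):
    """Return (entry, check, detail) findings for completeness, currency and traceability."""
    findings = []
    listed = {o.name for o in register}

    # Completeness (register level): expected laws for each in-scope jurisdiction are present.
    in_scope = {o.jurisdiction for o in register}
    for jurisdiction, names in expected_by_jurisdiction.items():
        if jurisdiction not in in_scope:
            continue
        for name in names:
            if name not in listed:
                findings.append((name, "completeness",
                                 f"expected for {jurisdiction} but not in the register"))

    for o in register:
        # Completeness (entry level): every row names an owner and a mapped control.
        if not o.owner.strip():
            findings.append((o.name, "completeness", "no compliance owner assigned"))
        if not o.iso_control.strip():
            findings.append((o.name, "completeness", "no ISO 27001 control mapped"))
        # Traceability: the row points at a policy or procedure that satisfies it.
        if not o.evidence:
            findings.append((o.name, "traceability", "no policy or procedure linked as evidence"))
        # Currency: the row was reviewed within its planned interval.
        age = months_between(o.last_reviewed, today)
        if age > o.review_interval_months:
            findings.append((o.name, "currency",
                             f"last reviewed {age} months ago; interval is "
                             f"{o.review_interval_months} months"))
    return findings


if __name__ == "__main__":
    for entry, check, detail in check_register(REGISTER, EXPECTED_BY_JURISDICTION, AS_OF):
        print(f"[{check}] {entry}: {detail}")
```

Run against the sample register, the script reports the missing Data Protection Act 2018 entry and the unowned PCI-DSS row as completeness findings, the SLA row with no linked procedure as a traceability finding, and the cryptography row last reviewed in 2019 as a currency finding. Any of these is the kind of gap an auditor would raise, so running such a check before the Legal Register review meeting in step 9 turns the audit focus points into a repeatable pre-audit test.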
Obligation Examples Table
| Type | Definition | Example |
|---|---|---|
| Legal (Statutory) | Laws passed by government. | Data Protection Act (UK) / GDPR. |
| Regulatory | Rules from industry bodies. | PCI-DSS (Payments) / FCA (Finance). |
| Contractual | Agreements with clients/suppliers. | SLA (99.9% Uptime) / NDA. |
How to Audit ISO 27001 Annex A 5.31
Auditing ISO 27001 Annex A 5.31 is a critical exercise in verifying that your organisation is not only secure but also legally compliant. As a Lead Auditor, I look for a systematic approach to identifying legislation and a clear mapping to your technical environment. This 10-step audit process ensures you have the documented evidence required to satisfy the legal, statutory, regulatory, and contractual obligations of the standard.
1. Identify Applicable Legal and Regulatory Jurisdictions
Identify all geographical and industry-specific jurisdictions in which the organisation operates. Result: Establishes a comprehensive scope for the ISMS compliance boundary and prevents the omission of international mandates.
- Cross-reference business locations with local data protection and privacy laws.
- Review industry-specific regulations such as PCI-DSS, HIPAA, or financial services directives.
- Document the process used to determine which laws apply to the current business model.
2. Formalise the Legal and Regulatory Requirements Register
Formalise a central register that lists all identified legal, statutory, and regulatory requirements. Result: Creates a central source of truth that allows for efficient tracking and review of compliance status.
- Ensure the register includes a description of the requirement and its source.
- Check that every entry has an assigned owner responsible for its compliance.
- Verify that the register is integrated into the broader Risk Management Framework.
3. Audit Intellectual Property Rights (IPR) Compliance
Audit the organisation’s procedures for protecting intellectual property and managing software licences. Result: Mitigates legal risks associated with software piracy, copyright infringement, and unauthorised use of proprietary data.
- Inspect software licence management tools to ensure install counts match licence entitlements.
- Verify that the Asset Register accounts for proprietary software and unique data sets.
- Review evidence of “Proof of Purchase” documentation for all critical business applications.
4. Verify Data Protection and Privacy Law Alignment
Verify that technical and organisational controls align with the Data Protection Act 2018 and GDPR. Result: Ensures that personal data is processed lawfully and reduces the risk of heavy regulatory fines.
- Inspect the Data Protection Impact Assessment (DPIA) process for high-risk processing activities.
- Confirm that Privacy Notices are up to date and accessible to data subjects.
- Verify that IAM roles are configured to support the “Principle of Least Privilege” for personal data access.
5. Inspect Contractual Security Obligations
Inspect all client and vendor contracts for specific information security clauses. Result: Guarantees that the organisation is technically capable of meeting its promised security commitments to third parties.
- Review a sample of client contracts to identify specific encryption or uptime requirements.
- Check that these requirements are communicated to the relevant technical teams.
- Verify that vendor contracts include the “Right to Audit” and clear security reporting lines.
6. Review Cryptographic and Export Control Restrictions
Review the organisation’s use of cryptography against national and international export laws. Result: Prevents legal breaches regarding the transfer of restricted encryption technologies across borders.
- Identify any use of high-strength encryption in jurisdictions with import restrictions.
- Verify that the Cryptographic Policy aligns with statutory requirements for lawful intercept or access.
- Ensure that technical staff are aware of export control classifications for proprietary code.
7. Provision an Asset Register with Compliance Metadata
Provision metadata within the Asset Register to link specific assets to their governing legal requirements. Result: Enables granular reporting and ensures that technical controls are applied specifically where mandated by law.
- Label assets that process PII, financial data, or sensitive government information.
- Map technical owners to the specific compliance requirements of the assets they manage.
- Ensure the register is updated whenever a new legislative requirement is identified.
8. Audit IAM Roles and Access Reviews for Legal Compliance
Audit Identity and Access Management (IAM) roles to ensure access to legally sensitive data is reviewed at defined intervals. Result: Provides evidence that access controls are maintained in accordance with statutory requirements.
- Inspect logs of quarterly or bi-annual access reviews for systems containing regulated data.
- Verify that Multi-Factor Authentication (MFA) is mandated for access to all compliance-sensitive systems.
- Check the joiner, mover, and leaver process for timely revocation of access to legal records.
9. Formalise the Legislative Monitoring and Review Cycle
Formalise a recurring process for monitoring changes in the legal and regulatory landscape. Result: Ensures the organisation remains compliant as laws evolve and prevents “Compliance Drift.”
- Assign responsibility for tracking legal updates to a specific role, such as a Compliance Officer or Legal Lead.
- Review evidence of recent legal updates being assessed for their impact on the ISMS.
- Verify that the Management Review meeting minutes include a section on legal changes.
10. Validate implementation through Internal Audit Evidence
Validate that all legal and contractual requirements have been tested through the internal audit programme. Result: Provides the final assurance and objective evidence required for the Lead Auditor during the Stage 2 certification audit.
- Review internal audit reports for specific mentions of Annex A 5.31.
- Check that any non-conformities related to legal requirements have been added to the Corrective Action Log.
- Confirm that the Statement of Applicability (SoA) correctly references the implementation of these controls.
ISO 27001 Annex A 5.31 Templates
ISO 27001 Legal Register Template
Having an ISO 27001 template for control 5.31 can help fast track your implementation. You can read a beginner's guide to the ISO 27001 Legal Register, and you can download a copy of the ISO 27001 Legal Register that comes pre-populated with common laws. As always, you should seek legal advice.
Applicability of ISO 27001 Annex A 5.31 across different business models.
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Focuses on fundamental legal awareness to prevent fines and maintain commercial viability. The goal is to identify core laws (like GDPR and local tax rules) and basic client NDAs that dictate how data must be secured. | |
| Tech Startups | Critical for managing multi-jurisdictional compliance and enterprise-level customer contracts. Compliance involves tracking a high volume of security “annexes” in client SLAs and staying updated on emerging digital laws. | |
| AI Companies | Vital for navigating the complex legal landscape surrounding data training and algorithmic integrity. Focus is on specialized AI legislation and strict data-sourcing contracts. | |
Fast Track ISO 27001 Annex A 5.31 Compliance with the ISO 27001 Toolkit
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Register Ownership | Rents access to your legal history; if you cancel the subscription, your documented regulatory mapping and history vanish. | Permanent Assets: Fully editable Word/Excel Legal and Regulatory Registers that you own forever. | A localized “Legal and Regulatory Register” stored on your secure drive defining specific GDPR, HIPAA, or local act mappings. |
| Legal Interpretation | Attempts to “automate” laws via generic feeds that cannot interpret how a specific statute applies to your unique business model. | Governance-First: Provides the framework for your team or legal counsel to document and risk-assess real-world obligations. | A completed “Contractual Requirements List” proving you have identified security obligations within specific client SLAs. |
| Cost Efficiency | Charges a “Compliance Feed Tax” that increases costs based on the number of jurisdictions or regulatory feeds monitored. | One-Off Fee: A single payment covers your legal governance for 5 requirements or 50. | Allocating budget to actual professional legal counsel rather than paying monthly “platform” fees for generic data. |
| Strategic Freedom | Mandates rigid reporting structures that may not align with specialized industry contracts or unique jurisdictional mixes. | 100% Agnostic: Procedures adapt to any environment—from small domestic firms to complex international processors. | The ability to evolve your legal strategy and audit responses without reconfiguring a rigid SaaS compliance module. |
ISO 27001 Annex A 5.31 Applicable Laws and Related Standards
| Standard / Law | Relevant Control / Article | Mapping and Requirements |
|---|---|---|
| NIST CSF v2.0 | GV.OC-03, GV.RM-02 | Requires that legal, regulatory, and contractual requirements regarding cybersecurity are understood, managed, and used to inform risk management. |
| NIST SP 800-53 Rev 5 | PM-1, PL-2, SA-4 | Mandates the identification of legal and regulatory requirements as part of the Information Security Program Plan and system acquisition process. |
| EU GDPR / UK GDPR | Article 5(2), Article 24, Article 32 | Mandates accountability and the implementation of appropriate technical and organisational measures to ensure and demonstrate compliance with data protection laws. |
| UK Data (Use and Access) Act 2025 | Part 1 (Smart Data), Part 2 (Digital Verification) | Requires organisations to identify new statutory obligations regarding customer data portability and the use of certified digital identity services while maintaining high security thresholds. |
| NIS2 Directive (EU) | Article 21, Article 23 | Entities must include legal compliance in their cybersecurity risk-management measures and identify mandatory reporting timelines for “significant incidents.” |
| UK Cyber Security and Resilience Bill | Managed Service Provider (MSP) Clauses | Mandates that MSPs identify themselves as “regulated entities” and follow expanded mandatory reporting and security resilience requirements. |
| DORA (EU) | Article 4, Article 5, Article 24 | Requires financial entities to identify and document ICT-related legal requirements and align their governance frameworks with specific EU financial resilience mandates. |
| SOC2 (Trust Services Criteria) | CC1.1, CC1.2, CC2.1 | The organisation must demonstrate a commitment to integrity and ethical values, which includes identifying and complying with applicable laws and regulations. |
| EU AI Act | Article 17, Article 18, Article 60 | High-risk AI providers must identify legal requirements for quality management systems, post-market monitoring, and conformity assessments. |
| ISO/IEC 42001:2023 (AI) | Annex A.5, Annex A.10 | Requires the identification of AI-specific legal, statutory, and regulatory requirements (e.g., algorithmic transparency) and their inclusion in the AI Management System. |
| CIRCIA (USA) | Section 2242 | Mandates that “covered entities” in critical infrastructure sectors identify their status and implement the capability for 72-hour incident reporting. |
| EU Product Liability Directive (PLD) | Article 4 (Defectiveness), Article 7 | Software providers must identify their strict liability obligations for cybersecurity flaws and ensure technical documentation proves “state of the art” security. |
| ECCF (European Cybersecurity Cert) | Harmonised Security Labels | Requires organisations to identify which security assurance levels (Basic, Substantial, High) are required by law for their specific products or services. |
| HIPAA (USA) | 164.308(a)(1), 164.316 | Mandates the identification of statutory requirements for protecting ePHI and the documentation of policies to meet those legal standards. |
| CCPA / CPRA (California) | 1798.100, 1798.150 | Requires identification of consumer privacy rights and the implementation of “reasonable security” procedures mandated by California state law. |
| PCI-DSS v4.0 | Requirement 12.5, 12.10 | Requires the identification of regulatory and legal requirements related to cardholder data and ensures an annual review of these obligations. |
ISO 27001 Annex A 5.31 FAQ
ISO 27001 Annex A 5.31 Legal, Statutory, Regulatory and Contractual Requirements is a security control that mandates the systematic identification of all legal obligations. Implementing this ensures the ISMS remains compliant with 100% of applicable laws, providing the Business Benefit of avoiding regulatory fines and litigation.
Managing legal, statutory, regulatory, and contractual requirements is a foundational pillar of the ISO 27001:2022 framework. This FAQ provides technical guidance and industry statistics to help organisations maintain 100% compliance within their Information Security Management System (ISMS).
What is ISO 27001 Annex A 5.31?
ISO 27001 Annex A 5.31 (formerly A.18.1.1) is an organisational control that mandates the identification and documentation of all legal, statutory, regulatory, and contractual requirements related to information security. It defines the compliance landscape for the ISMS, ensuring the organisation avoids legal breaches and potential litigation while providing the foundation for the Statement of Applicability (SoA).
- It defines the compliance landscape for the Information Security Management System (ISMS).
- It ensures the organisation avoids legal breaches and potential litigation.
- It requires a formalised process for tracking legislative and regulatory changes.
- It provides the legal foundation for the Statement of Applicability (SoA).
Is a Legal and Regulatory Register mandatory for ISO 27001?
Yes, while the standard does not explicitly name it a “Legal Register,” maintaining a documented list of all relevant legal and contractual requirements is mandatory to satisfy the requirements of Control 5.31. This register serves as primary evidence for Stage 1 and Stage 2 certification audits, categorising obligations by jurisdiction and business relevance to demonstrate a proactive compliance posture.
- It serves as primary evidence for Stage 1 and Stage 2 certification audits.
- It categorises obligations by jurisdiction and business relevance.
- It links specific external laws to internal security controls.
- It demonstrates a proactive approach to compliance monitoring.
How often should the legal register be reviewed?
The legal register should be reviewed at least annually or whenever significant changes occur in the business environment, technology stack, or geographic operations. Reviews are specifically triggered when entering new markets, following major legislative changes like the introduction of NIS2 or the EU AI Act, or when contractual changes with major clients occur.
- Reviews are triggered when entering new markets (e.g., expanding into the US or EU).
- Updates are required following major legislative changes like the introduction of NIS2 or AI Acts.
- It should be a standing item in the annual ISMS Management Review Meeting.
- Contractual changes with major clients or suppliers may necessitate an immediate update.
What is the difference between Annex A 5.31 and Clause 4.2?
Clause 4.2 is a high-level governance requirement for understanding the needs of interested parties, whereas Annex A 5.31 is the operational control used to document and manage the specific legal requirements derived from those parties. While Clause 4.2 identifies “who” cares about your security, Annex A 5.31 documents “what” specific laws and contracts those parties require you to follow.
- Clause 4.2 identifies “who” the interested parties are.
- Annex A 5.31 documents “what” specific laws and contracts those parties require you to follow.
- Clause 4.2 is part of the “Context of the Organisation,” while 5.31 is an Annex A security control.
What are examples of requirements covered under 5.31?
Requirements under 5.31 encompass all applicable data protection laws, industry-specific regulations, and private service level agreements (SLAs) with clients. This includes global privacy statutes like the UK GDPR or EU GDPR, industry mandates like PCI DSS, cybersecurity legislation such as NIS2, and technical security annexes found in client contracts.
- Data Privacy laws such as UK GDPR, EU GDPR, or CCPA.
- Industry regulations like PCI DSS for payments or SOC2 requirements.
- Cybersecurity legislation such as the NIS2 Directive.
- Specific security annexes and NDAs found in client contracts.
How do you prove compliance with 5.31 to an auditor?
To prove compliance, you must provide a current Legal and Regulatory Register and evidence that these requirements are actively monitored and communicated to relevant stakeholders. Auditors expect to see a documented list of laws mapped to internal policies, evidence of legal update subscriptions, and implementation of technical controls like encryption to meet specific mandates.
- Show a documented list of laws and contracts mapped to your internal policies.
- Provide evidence of legal updates (e.g., emails from a legal subscription service or professional body).
- Demonstrate that specific technical controls (like encryption) are implemented to meet identified legal mandates.
- Present signed contracts that contain specific security and privacy obligations.
How does the EU AI Act affect Annex A 5.31 compliance?
The EU AI Act represents a new statutory requirement that organisations using high-risk AI must identify under Annex A 5.31. In 2026, organisations must document their adherence to Article 17 regarding Quality Management and Article 62 concerning Serious Incident Reporting to prove their ISMS is legally robust and avoid potential fines of up to 7% of global turnover.
What is the financial risk of failing an Annex A 5.31 audit?
Failing an Annex A 5.31 audit leads to certification failure and significant financial exposure, as regulatory fines for non-compliance exceeded €2.4 million on average in 2025. Beyond the loss of the ISO 27001 certificate, failing to document and manage contractual obligations can trigger 100% liability for data breach costs during client-led litigation.
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Identify | Legal and compliance | Governance and Ecosystem, Protection |