In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.31 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.31 Legal, Statutory, Regulatory and Contractual Requirements
ISO 27001 Annex A 5.31 requires organizations to identify, document, and keep up-to-date all external rules that impact their information security. Its purpose is to ensure you don’t just “feel” secure, but that you are actually compliant with the specific laws (like GDPR) and client contracts (like NDAs) that govern your business.
Core Requirements for Compliance:
- The Legal Register: You must create a centralized document (a “Legal Register”) that lists every law, regulation, and contract clause applicable to your security. This is the primary artifact for this control.
- Specific Ownership: It is not enough to list a law; you must assign a specific person (e.g., “Head of HR”) to be responsible for monitoring that law.
- Cryptographic Controls: You must specifically identify laws regarding encryption, especially if you operate internationally, as some countries restrict the import/export of cryptographic software.
- Regular Review: Laws change. You must review your register at planned intervals (e.g., every 6 or 12 months) to ensure you haven’t missed a new regulation.
Audit Focus: Auditors will ask for your Legal Register immediately. They are checking for “Living Evidence”:
- Completeness: Did you forget the Data Protection Act? Did you forget your client’s SLA requirements?
- Currency: Is the register dated from 2019? (Major non-conformity).
- Traceability: If you list “GDPR” as a requirement, can you show the auditor the specific Privacy Policy or Data Retention Procedure you built to satisfy it?
Obligation Examples:
| Requirement Type | Legal Definition | Industry-Specific Examples | ISO 27001:2022 Mapping |
|---|---|---|---|
| Legislative / Statutory | Mandatory laws passed by regional or national governments. | UK GDPR, Data Protection Act 2018, HIPAA, CCPA. | 5.31 (Legal requirements) |
| Regulatory | Enforceable rules issued by industry-specific oversight bodies or card schemes. | PCI DSS (Payments), FCA Handbook (Finance). Note that SOC 2 is an AICPA attestation framework, not a regulation; where clients demand it, record it as a contractual requirement. | 5.31 (Regulatory requirements) |
| Contractual | Binding security obligations defined in private legal agreements. | Service Level Agreements (SLAs), Non-Disclosure Agreements (NDAs). | 5.31 (Contractual requirements) |
Table of contents
- What is ISO 27001 Annex 5.31?
- Watch the ISO 27001 Annex A 5.31 Tutorial
- ISO 27001 Annex A 5.31 Podcast
- ISO 27001 Annex 5.31 Implementation Guidance
- How to implement ISO 27001 Annex 5.31
- Obligation Examples Table
- ISO 27001 Annex A 5.31 Templates
- What are the benefits of Legal, statutory, regulatory and contractual requirements?
- Why are legal, statutory, regulatory and contractual requirements important?
- Applicability of ISO 27001 Annex A 5.31 across different business models.
- Fast Track ISO 27001 Annex A 5.31 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.31 FAQ
- Related ISO 27001 Controls
- Further Reading
- ISO 27001 Controls and Attribute values
What is ISO 27001 Annex 5.31?
ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements is an ISO 27001 control that requires you to understand the external requirements placed on your information security and to implement them. Specifically, it is concerned with legal, regulatory, statutory and contractual requirements, which may include specifics directly related to how you manage and implement information security.
What is the purpose of ISO 27001 Annex 5.31?
The purpose of ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements is to ensure you comply with legal, statutory, regulatory and contractual requirements related to information security.
An organisation's information security responsibilities are informed by laws, regulations and contractual requirements.
Organisations should have a clear understanding of their obligations and be prepared to include those in their information security practices.
What is the definition of ISO 27001 Annex 5.31?
The ISO 27001 standard defines ISO 27001 Annex A 5.31 as:
Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation's approach to meet these requirements should be identified, documented and kept up to date.
ISO 27001:2022 Annex A 5.31 Legal, statutory, regulatory and contractual requirements
Watch the ISO 27001 Annex A 5.31 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.31 and how to pass the audit.
ISO 27001 Annex A 5.31 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex 5.31 Implementation Guidance
Annex A 5.31 requirements are to understand and record the requirements on your information security from any legal, statutory, regulatory or contractual requirements.
There are 5 general guidance points to consider.
Organisations should take external legal, statutory, regulatory and contractual requirements into consideration when:
- Developing your information security policies and processes
- Developing or changing your information security controls
- Classifying your data and assets
- Doing risk assessments and risk management
- Performing supplier management and supplier contracts
Legal and Regulatory Guidance on Control A 5.31
You should record your legal and regulatory requirements in an ISO 27001 Legal Register.
You are going to identify all of the laws and regulations that apply to you and write them down in order to be aware of the requirements and how they apply to you.
It is best practice to get legal advice to help you compile this list.
It can be difficult, as you have to consider the compliance requirements of every country in which you operate. This includes the transfer of information across borders, where the laws of the receiving country may also apply to you.
Cryptographic Guidance on Control A 5.31
It is recommended to get legal advice on all aspects of this control, and on cryptography in particular, as the requirements can be highly specialised and vary by jurisdiction.
The legal advice should cover restrictions on the import and export of cryptographic hardware and software, restrictions on the use of cryptography in a given country, and any requirement that cryptographic functions are performed by an approved provider.
A significant one to note is any in-country requirement that gives authorities access to encrypted information, for example mandatory key or plaintext disclosure. Record these in the legal register and make sure your cryptography control (Annex A 8.24) reflects them.
All in all, get some legal advice.
Contract Guidance on Control A 5.31
Which contracts could have requirements that impact your information security implementation? There are many, but they would include:
- contracts with your suppliers
- contracts with your clients
- contracts with your insurers
- contracts with your investors / funding
Guidance relating to supplier contracts is covered in ISO 27001 Annex A 5.20
How to implement ISO 27001 Annex 5.31
Implementing ISO 27001 Annex A 5.31 (Control 5.31 in the 2022 update) is a foundational requirement for aligning your Information Security Management System (ISMS) with the global legal landscape. By transitioning from a general understanding of laws to a documented, actionable compliance framework, organisations can mitigate the risk of regulatory fines and contractual breaches while providing clear evidence of due diligence to certification auditors.
1. Formalise the Legal and Regulatory Register
Identify and document all applicable legislation and regulations relevant to information security based on your geographic operations and industry sector.
- Audit all jurisdictions where the organisation operates to identify primary data protection laws such as UK GDPR, EU GDPR, or CCPA.
- Identify sector-specific mandates, including the NIS2 Directive for critical infrastructure or PCI DSS for payment processing.
- Document statutory requirements for record retention and data encryption specific to your business vertical.
2. Centralise Contractual Security Obligations
Review and extract specific security requirements from client and supplier contracts to ensure they are codified within the ISMS.
- Perform a comprehensive review of Service Level Agreements (SLAs) and Non-Disclosure Agreements (NDAs).
- Extract mandatory technical requirements, such as specific MFA configurations or encryption standards (e.g., AES-256), required by key stakeholders.
- Formalise these obligations into a “Contractual Requirements Matrix” to ensure they are visible to operational teams.
3. Map Legal Mandates to Internal Security Controls
Establish a direct link between external legal requirements and the internal policies or technical controls designed to satisfy them.
- Utilise a Cross-Walk or Traceability Matrix to map GDPR articles to specific ISO 27001:2022 controls (e.g., mapping PII protection to Control 5.34).
- Ensure that technical configuration baselines reflect the most stringent legal or contractual requirement identified.
- Document this mapping as primary evidence for auditors to prove that “Compliance by Design” is integrated into the ISMS.
4. Provision a Compliance Monitoring and Update Workflow
Establish a recurring process to monitor changes in the legal and regulatory environment to maintain continuous compliance.
- Subscribe to regulatory update services, professional bodies, or legal news alerts relevant to cybersecurity and privacy.
- Formalise a review of the Legal Register at a planned interval (at least annually, and quarterly where your regulatory landscape moves quickly) to assess the impact of new legislation, such as the EU AI Act or updated state privacy laws.
- Trigger the ISMS Change Management process immediately when a legal change necessitates an update to technical controls or IAM roles.
5. Institutionalise Reporting and Management Review
Report the compliance status and any identified legal risks to senior management to ensure strategic oversight and resource allocation.
- Include a summary of the Legal and Regulatory Register status as a standing item in the Management Review Meeting (Clause 9.3).
- Maintain a compliance log that tracks the completion of mandatory regulatory filings, notifications and certifications, with the due date and the responsible owner for each.
- Verify that all identified legal and contractual breaches are logged in the Incident Register and subjected to a formal root cause analysis.
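The three checks an auditor applies to the register (ownership, currency and traceability) are mechanical enough to script, and running them before the audit is a cheap way to catch a stale or unmapped entry. The following is an added example, not code from the High Table toolkit or the standard; the register entries, owners, review intervals and evidence names are constructed sample data, and the 12-month ceiling on review intervals is an assumption you should align with your own ISMS procedure.

```python
"""Check a legal register for the three things an auditor asks of Annex A 5.31 evidence:
a named owner, a review that is not overdue, and traceability to a control and evidence.
Everything in SAMPLE_REGISTER is constructed sample data, not a real organisation's register."""
import calendar
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Obligation:
    ref: str                    # the law, regulation or contract clause, e.g. "UK GDPR"
    kind: str                   # "legal" | "regulatory" | "contractual"
    owner: str                  # role accountable for monitoring it; "" if nobody is assigned
    last_reviewed: date         # when the entry was last confirmed current
    review_months: int          # planned review interval for this entry
    controls: list[str] = field(default_factory=list)   # ISMS controls/policies that satisfy it
    evidence: list[str] = field(default_factory=list)   # artefacts the auditor can be shown


def add_months(d: date, months: int) -> date:
    """Shift d forward by `months`, clamping the day to the target month's length
    (31 Jan + 1 month gives 28 or 29 Feb rather than raising)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def check_register(register: list[Obligation], today: date,
                   max_interval_months: int = 12) -> list[tuple[str, str, str]]:
    """Return (ref, check, detail) findings. An empty list means the register passes.
    The 12-month default is an assumed ceiling; set it to your ISMS review interval."""
    findings = []
    for o in register:
        if o.kind not in ("legal", "regulatory", "contractual"):
            findings.append((o.ref, "classification", f"unknown requirement type {o.kind!r}"))
        # Ownership: every entry needs a named role, not just a listed law.
        if not o.owner.strip():
            findings.append((o.ref, "ownership", "no named owner"))
        # Currency: the interval must be within policy and the next review must not be in the past.
        if o.review_months > max_interval_months:
            findings.append((o.ref, "currency",
                             f"review interval of {o.review_months} months exceeds {max_interval_months}"))
        due = add_months(o.last_reviewed, o.review_months)
        if due < today:
            findings.append((o.ref, "currency", f"review overdue since {due.isoformat()}"))
        # Traceability: the entry must point at what you built to satisfy it and what proves it.
        if not o.controls:
            findings.append((o.ref, "traceability", "no control or policy mapped"))
        if not o.evidence:
            findings.append((o.ref, "traceability", "no audit evidence recorded"))
    return findings


def findings_by_check(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count findings per check so the management review gets a one-line summary."""
    counts: dict[str, int] = {}
    for _, check, _ in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts


# Constructed sample register: one clean entry, one neglected entry, one contract clause.
SAMPLE_REGISTER = [
    Obligation("UK GDPR", "legal", "Data Protection Officer", date(2025, 1, 15), 6,
               controls=["A.5.34 Privacy and protection of PII", "Data Retention Procedure"],
               evidence=["Privacy Policy v3.2"]),
    Obligation("PCI DSS", "regulatory", "", date(2023, 11, 1), 12,
               controls=["A.8.24 Use of cryptography"], evidence=[]),
    Obligation("Example client MSA, security annex", "contractual", "Account Manager",
               date(2025, 3, 1), 24, controls=[], evidence=["Signed MSA 2025-03-01"]),
]

if __name__ == "__main__":
    for ref, check, detail in check_register(SAMPLE_REGISTER, date(2025, 6, 1)):
        print(f"{check:13} {ref}: {detail}")
    print(findings_by_check(check_register(SAMPLE_REGISTER, date(2025, 6, 1))))
```

Run it with a "today" of 1 June 2025 and the UK GDPR entry passes cleanly, the PCI DSS entry fails on ownership, overdue review and missing evidence, and the contract entry fails on an over-long review interval and a missing control mapping. Feeding the script your real register (exported from the spreadsheet) turns the auditor's three questions into a pre-audit gate you can run every review cycle.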
Obligation Examples Table
| Type | Definition | Example |
|---|---|---|
| Legal (Statutory) | Laws passed by government. | Data Protection Act 2018 (UK) / GDPR. |
| Regulatory | Rules from industry bodies. | PCI DSS (Payments) / FCA (Finance). |
| Contractual | Agreements with clients/suppliers. | SLA (99.9% uptime) / NDA. |
ISO 27001 Annex A 5.31 Templates
ISO 27001 Legal Register Template
Having an ISO 27001 template for control 5.31 can help fast track your implementation. You can read a beginner's guide to the ISO 27001 Legal Register and you can download a copy of the ISO 27001 Legal Register that comes pre-populated with common laws. As always, you should seek legal advice.
What are the benefits of Legal, statutory, regulatory and contractual requirements?
Other than your ISO 27001 certification requiring it, the following are the top 5 benefits of ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements:
- You cannot get ISO 27001 certification without it.
- Improved security: You will have an effective information security implementation that meets your external requirements for law, regulation, statute and contracts
- Reduced risk: You will reduce the information security risks of not meeting external requirements and obligations
- Improved compliance: Standards and regulations require you to meet your external requirements
- Reputation Protection: In the event of a breach having an effective legal, regulatory, statutory and contract process in place will reduce the potential for fines and reduce the PR impact of an event
Why are legal, statutory, regulatory and contractual requirements important?
In a highly regulated world, no matter what sector you work in or where in the world you operate, there are bodies with very specific information security requirements that relate directly to you. These can be written into contracts, into the laws of the land, into the rules of the regulators under which you fall, and more. A thorough understanding of what those external requirements are and how you meet them means you do not violate them and suffer the consequences. The consequences can be severe, ranging from fines and criminal prosecution to reputational damage and loss of customers. Work out what your requirements are, get legal advice and implement those requirements.
Applicability of ISO 27001 Annex A 5.31 across different business models.
| Business Type | Applicability | Examples of Control Implementation |
|---|---|---|
| Small Businesses | Focuses on fundamental legal awareness to prevent fines and maintain commercial viability. | Identify core laws (like GDPR and local tax rules) and basic client NDAs that dictate how data must be secured. |
| Tech Startups | Critical for managing multi-jurisdictional compliance and enterprise-level customer contracts. | Track the high volume of security "annexes" in client SLAs and stay updated on emerging digital laws. |
| AI Companies | Vital for navigating the complex legal landscape surrounding training data and algorithmic integrity. | Focus on specialised AI legislation and strict data-sourcing contracts. |
Fast Track ISO 27001 Annex A 5.31 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.31 (Legal, statutory, regulatory and contractual requirements), the requirement is to identify and document all relevant legal, statutory, regulatory, and contractual requirements related to information security. This ensures your organization remains compliant with the law and its obligations to third parties.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Register Ownership | Rents access to your legal history; if you cancel the subscription, your documented regulatory mapping and history vanish. | Permanent Assets: Fully editable Word/Excel Legal and Regulatory Registers that you own forever. | A localized “Legal and Regulatory Register” stored on your secure drive defining specific GDPR, HIPAA, or local act mappings. |
| Legal Interpretation | Attempts to “automate” laws via generic feeds that cannot interpret how a specific statute applies to your unique business model. | Governance-First: Provides the framework for your team or legal counsel to document and risk-assess real-world obligations. | A completed “Contractual Requirements List” proving you have identified security obligations within specific client SLAs. |
| Cost Efficiency | Charges a “Compliance Feed Tax” that increases costs based on the number of jurisdictions or regulatory feeds monitored. | One-Off Fee: A single payment covers your legal governance for 5 requirements or 50. | Allocating budget to actual professional legal counsel rather than paying monthly “platform” fees for generic data. |
| Strategic Freedom | Mandates rigid reporting structures that may not align with specialized industry contracts or unique jurisdictional mixes. | 100% Agnostic: Procedures adapt to any environment—from small domestic firms to complex international processors. | The ability to evolve your legal strategy and audit responses without reconfiguring a rigid SaaS compliance module. |
Own Your ISMS, Don’t Rent It
Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit
Summary: For Annex A 5.31, the auditor wants to see that you have identified all relevant legal and contractual requirements and have a formal process for ensuring compliance. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.31 FAQ
What is ISO 27001 Annex A 5.31?
ISO 27001 Annex A 5.31 (formerly A.18.1.1) is an organisational control that mandates the identification and documentation of all legal, statutory, regulatory, and contractual requirements related to information security.
- It defines the compliance landscape for the Information Security Management System (ISMS).
- It ensures the organisation avoids legal breaches and potential litigation.
- It requires a formalised process for tracking legislative and regulatory changes.
- It provides the legal foundation for the Statement of Applicability (SoA).
Is a Legal and Regulatory Register mandatory for ISO 27001?
Yes, while the standard does not explicitly name it a “Legal Register,” maintaining a documented list of all relevant legal and contractual requirements is mandatory to satisfy the requirements of Control 5.31.
- It serves as primary evidence for Stage 1 and Stage 2 certification audits.
- It categorises obligations by jurisdiction and business relevance.
- It links specific external laws to internal security controls.
- It demonstrates a proactive approach to compliance monitoring.
How often should the legal register be reviewed?
The legal register should be reviewed at least annually or whenever significant changes occur in the business environment, technology stack, or geographic operations.
- Reviews are triggered when entering new markets (e.g., expanding into the US or EU).
- Updates are required following major legislative changes like the introduction of NIS2 or AI Acts.
- It should be a standing item in the annual ISMS Management Review Meeting.
- Contractual changes with major clients or suppliers may necessitate an immediate update.
What is the difference between Annex A 5.31 and Clause 4.2?
Clause 4.2 is a high-level governance requirement for understanding the needs of interested parties, whereas Annex A 5.31 is the operational control used to document and manage the specific legal requirements derived from those parties.
- Clause 4.2 identifies “who” the interested parties are.
- Annex A 5.31 documents “what” specific laws and contracts those parties require you to follow.
- Clause 4.2 is part of the “Context of the Organisation,” while 5.31 is an Annex A security control.
What are examples of requirements covered under 5.31?
Requirements under 5.31 encompass all applicable data protection laws, industry-specific regulations, and private service level agreements (SLAs) with clients.
- Data Privacy laws such as UK GDPR, EU GDPR, or CCPA.
- Industry requirements like PCI DSS for payments, or SOC 2 where a client makes it a condition of contract.
- Cybersecurity legislation such as the NIS2 Directive.
- Specific security annexes and NDAs found in client contracts.
How do you prove compliance with 5.31 to an auditor?
To prove compliance, you must provide a current Legal and Regulatory Register and evidence that these requirements are actively monitored and communicated to relevant stakeholders.
- Show a documented list of laws and contracts mapped to your internal policies.
- Provide evidence of legal updates (e.g., emails from a legal subscription service or professional body).
- Demonstrate that specific technical controls (like encryption) are implemented to meet identified legal mandates.
- Present signed contracts that contain specific security and privacy obligations.
Related ISO 27001 Controls
ISO 27001 Annex A 5.33 Protection Of Records
Further Reading
The complete guide to ISO/IEC 27002:2022
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Confidentiality, Integrity, Availability | Identify | Legal and compliance | Governance and Ecosystem, Protection |
