ISO 27001 Legal Register
The ISO 27001 legal and contractual register is used to identify which laws apply to your organisation, what contractual requirements customers have placed on you, what regulatory requirements there may be and what standards you are working towards. It is used to evidence that these have been reviewed, agreed and signed off and to show when they will next be reviewed. All of them will inform and influence your information security management system.
ISO 27001 Legal Register Template
I created the ISO 27001 Legal Register Template as a fast track to recording applicable laws, regulations and contractual requirements. It does not constitute legal advice although it does come pre-populated with common UK laws that I have come across over decades in consulting. It can be used globally and is a great foundation and starting point.
ISO 27001 Legal Register Example
This is a great ISO 27001 Legal Register Example taken as an extract from the ISO 27001 Legal Register Template.
How to implement an ISO 27001 Legal Register
The steps to implement an ISO 27001 Legal Register are:
1. Identify which laws apply to you
The first step is to identify the laws that are applicable to you that relate directly to information security. It would be my advice to seek the help of a legal professional in identifying those laws.
Additional things that you can do are to use Google and in-country legal and statutory websites.
An example of a legal and statutory website is the UK law website Legislation.gov.uk, which is a searchable register of all UK laws. Using the search functionality it is possible to identify laws that relate to data and information security.
You should note here that the laws that apply to you may well be those of the jurisdictions in which you operate, not just your home or host country. For example, this can include data protection laws such as the GDPR.
2. Identify what contractual requirements apply to you
It can be the case that customers of yours place very specific information security requirements upon you. To identify those requirements you should conduct a contract review of all client and customer requirements to ensure that you fully understand if there are additional requirements for you to implement.
3. Identify what regulatory requirements apply to you
If you are governed by a regulator then the requirements will be clear. It is often the case that regulators just require that you have an information security management system (ISMS) in place and they will cite ISO 27001 as an example of an information security management system. It is rare that they will require you to be ISO 27001 certified.
You will work out what regulators you are regulated by and make contact with them to understand if there are any specific requirements they have of you, your information security management system and your information security controls.
4. Create the legal register
Create a structured format for the legal register using Microsoft Excel. Alternatively, you can download the ISO 27001 Legal Register Template.
5. Document which laws, regulations and contract requirements apply to you
For the laws, regulations and contractual requirements that apply to you document the specific requirements that your organisation must meet. This includes the information security requirements, controls, measures and reporting obligations as well as the data breach and incident reporting requirements.
Once documented, ensure that it is reviewed and approved by a legal professional.
For guidance on information security controls refer to ISO27001:2022 Annex A.
6. Assign Ownership
Assign ownership for each of the legal, regulatory and contractual requirements to ensure accountability, timely updates and that the organisation is meeting those requirements. It is often the case that the head of legal is accountable and the information security officer or compliance officer is responsible for the day-to-day management.
7. Approve the legal register
Once you have a record of the laws that apply to you, you are then going to use your approval mechanism to approve that document in your information security management system (ISMS).
We would use the management review meeting to approve the document and minute the approval in the meeting minutes. Then we would update the document version control to reflect the approval.
8. Integrate into the ISMS
Ensure your Information Security Management System (ISMS) meets applicable laws, regulations and contract requirements.
Once approved you must ensure that any legal requirements that are placed upon you are fully met and enacted in the information security management system (ISMS) and information security controls that you implement.
An example here would be the use of encryption and encryption technology in relation to the requirements of the United States.
9. Update and Review
Maintain the legal register by conducting regular reviews, which occur at least annually and whenever there is a significant change. Document the update and review schedule in a plan.
10. Demonstrate Compliance
The legal register will be used to demonstrate compliance to auditors, regulators, interested parties and clients and is required for your ISO 27001 certification. Ensure that you have supporting documents, policies, procedures and references to evidence how your organisation is meeting each of the requirements.
Ensure that the legal register and process is audited at least annually as part of your internal audit process.
Notes
It is unlikely that an ISO 27001 auditor will have an encyclopaedic knowledge of national and international law, but they will have some general knowledge of the common laws that apply. Therefore you should not overthink this, but as a minimum you should cover the laws that you would reasonably expect to be applicable. An example here would be data protection laws, which on the whole apply globally, to a greater or lesser extent, irrespective of the country in which you operate.
Watch the Videos
For the context of why you need a legal register, let us first take a look at the ISO 27001:2022 requirement – How to implement ISO 27001 Legal Statutory Regulatory and Contractual Requirements: Annex A 5.31
Next, let’s look specifically at the video on How to Write an ISO 27001 Legal Register, where I show you how to create and use a legal and contractual register yourself.
ISO 27001 Legal Register FAQ
It is a document that lists the applicable laws, regulations and customer contractual requirements on your organisation for information security.
All applicable laws, regulations and customer requirements for information security are recorded and implemented in the information security management system (ISMS) and information security controls.
The purpose of the ISO 27001 Legal Register is to record all applicable laws, regulations and customer requirements for information security and to communicate them to relevant people so they can be implemented.
It is used to show what laws and contractual requirements apply to your organisation and evidences that you are aware of them and have reviewed them. These will inform and influence your information security management system.
It includes a list of laws, regulations and customer requirements on information security that apply to your organisation with the date they were last reviewed and the date they will next be reviewed.
The ISO 27001 legal register template can be downloaded at High Table: The ISO 27001 Company.
ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements requires a legal register. It states ‘Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation’s approach to meet these requirements should be identified, documented and kept up to date.’
The information security officer or compliance officer will be responsible for the legal register and will work closely with legal professionals and legal counsel.
The ISO 27001 legal register is updated at least annually and also when significant changes occur. Examples of significant changes would be changes in the law, updates to regulations and changes or new client contractual requirements.
Related ISO 27001 Controls
The requirement to have a legal register for ISO 27001 is covered in ISO 27001:2022 Annex A 5.31 Legal, statutory, regulatory and contractual requirements. It states: ‘Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation’s approach to meet these requirements should be identified, documented and kept up to date.’
ISO27001:2022 Annex A 5.31 Legal, statutory, regulatory and contractual requirements