In this article we lay bare the ISO 27001 Legal Register, exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker the ISO 27001 Ninja and this is the ISO 27001 Legal Register.
What is an ISO 27001 Legal Register?
The ISO 27001 legal and contractual register is used to identify which laws apply to your organisation, what contractual requirements customers have placed on you, what regulatory requirements there may be and what standards you are working towards. It is used to evidence that these requirements have been reviewed, agreed and signed off and to show when they will next be reviewed. All of these will inform and influence your information security management system.
ISO 27001 requirements for the legal register
ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements requires a legal register. It states
‘Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.’
ISO 27001 Annex A 5.31
ISO 27001 Legal and Contractual Register Walkthrough
In this ISO 27001 Legal and Contractual Register tutorial I show you how to create and use a legal and contractual register yourself.
ISO 27001 Legal Register Template
I created the ISO 27001 Legal Register as a fast track to recording applicable laws, regulations and contractual requirements. It does not constitute legal advice although it does come pre-populated with common UK laws that I have come across over decades in consulting. It can be used globally and is a great foundation and starting point.

Legal and Contractual Register FAQ
It is a document that lists the applicable laws and customer contractual requirements on your organisation.
It is used to show what laws and contractual requirements apply to your organisation and evidences that you are aware of them and have reviewed them. These will inform and influence your information security management system.
It includes a list of laws and customer requirements on information security that apply to your organisation with the date they were last reviewed and the date they will next be reviewed.
The ISO 27001 legal and contractual register template can be downloaded at High Table: The ISO 27001 Company.
ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements requires a legal register. It states: ‘Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.’