
ISO 27001 Legal Register Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

The ISO 27001 legal and contractual register is used to identify which laws apply to your organisation, what contractual requirements customers have placed on you, what regulatory requirements there may be and what standards you are working towards. It is used to evidence that these have been reviewed, agreed and signed off, and to show when they will next be reviewed. All of them will inform and influence your information security management system.

Think of it as your personal checklist for all the laws and regulations that affect how you handle information and data.

What Is It?

Simply put, an ISO 27001 Legal Register is a document you create to list all the laws and regulations related to information security that your organisation must follow. It’s a key part of getting and keeping your ISO 27001 certification.

Applicability to Small Businesses, Tech Startups, and AI Companies

This legal register is useful for businesses of all sizes, including small businesses, tech startups, and AI companies.

  • Small Businesses: You might think this is just for big corporations, but even small businesses have to handle customer data and follow privacy laws. It helps you avoid big fines and keep your customers happy and trusting.
  • Tech Startups: As a startup, you’re probably dealing with lots of user data. A Legal Register helps you build trust with your first customers and gives you a solid foundation for future growth. Plus, it makes you look more professional to investors.
  • AI Companies: If you’re an AI company, you’re likely working with vast amounts of data. This makes it crucial to know the rules about data usage, privacy, and even ethical guidelines.

The ISO 27001:2022 Legal Register Template is designed to fast-track your implementation and give you an exclusive, industry best practice template that is pre-written and ready to go. It is included in the ISO 27001 toolkit. It records applicable laws, regulations and contractual requirements. It does not constitute legal advice, although it does come pre-populated with common UK laws that I have come across over decades in consulting. It can be used globally and is a great foundation and starting point.

ISO 27001 Legal Register Template

Why You Need It

A legal register helps you show auditors (and yourself) that you’re taking your legal responsibilities seriously. It proves you’ve identified all the relevant laws and you have a plan to meet them. Without it, you can’t get certified!

When You Need It

You need a legal register when you’re building your Information Security Management System (ISMS) to meet the ISO 27001 standard. It’s one of the first things you’ll do!

Who Needs It?

Basically, anyone aiming for ISO 27001 certification needs one. This includes:

  • Small Businesses: You might think you’re too small, but even a local shop with a website handles customer data, so you need to be compliant.
  • Tech Startups: Your whole business is built on data, so it’s super important to know and follow the rules.
  • AI Companies: You’re dealing with massive amounts of data, often personal or sensitive, so a legal register is absolutely critical.

Where You Need It

You’ll keep this document as part of your ISMS, so it should be easily accessible to your team. Think of it as a living document, not just a one-time thing. You’ll need to review and update it regularly.

How to Write It

To create a legal register, start by identifying your industry and the countries where you operate. Then, research all the information security and data privacy laws that apply to you. List them out, noting key details like the law’s name, what it requires you to do, and who is responsible for it in your company.

How to Implement It

Once you’ve written it, you need to put it into action. This means making sure the right people are aware of their responsibilities and your company policies reflect the legal requirements you’ve identified.

Examples of using it for small businesses

Imagine you run a small online store. Your legal register might include the General Data Protection Regulation (GDPR) because you collect customer names and addresses. It would also list local consumer protection laws.

Examples of using it for tech startups

If your startup develops a new app, your legal register would include data privacy laws like the California Consumer Privacy Act (CCPA) if you have users in California. It would also list rules about handling sensitive financial data if your app processes payments.

Examples of using it for AI companies

As an AI company, your legal register would be more complex. You’d need to include laws on the use of personal data for training AI models, like the EU AI Act, and potentially intellectual property laws if you’re using copyrighted data.

How the ISO 27001 toolkit can help

The ISO 27001 toolkit is a collection of pre-made documents, templates, and guides. It can make creating your legal register much easier, giving you a ready-made template and guidance on what to include.

ISO 27001 Toolkit

Information Security Standards That Need It

This legal register is a key part of ISO 27001, which is an international standard for managing information security. Other standards and regulations that need it include:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (Network and Information Security (NIS) Directive) 
  • SOC 2 (Service Organisation Control 2)
  • NIST (National Institute of Standards and Technology) 
  • HIPAA (Health Insurance Portability and Accountability Act)

List of Relevant ISO 27001:2022 Controls

The ISO 27001:2022 standard has a specific control that relates to legal, statutory, regulatory and contractual requirements:

ISO 27001:2022 Annex A 5.31 Legal, statutory, regulatory and contractual requirements.

This is a great ISO 27001 Legal Register Example taken as an extract from the ISO 27001 Legal Register Template.

ISO 27001 Legal Register Example

What is an ISO 27001 legal register?

It is a document that lists the applicable laws, regulations and customer contractual requirements on your organisation for information security.

What is the ISO 27001 legal register principle?

All applicable laws, regulations and customer requirements for information security are recorded and implemented in the information security management system (ISMS) and information security controls.

What is the purpose of the ISO 27001 Legal Register?

The purpose of the ISO 27001 Legal Register is to record all applicable laws, regulations and customer requirements for information security and to communicate them to relevant people so they can be implemented.

Why use an ISO 27001 legal and contractual register?

It is used to show what laws and contractual requirements apply to your organisation and evidences that you are aware of them and have reviewed them. These will inform and influence your information security management system.

What does an ISO 27001 legal and contractual register include?

It includes a list of laws, regulations and customer requirements on information security that apply to your organisation with the date they were last reviewed and the date they will next be reviewed.

Where can I download an ISO 27001 legal register?

The ISO 27001 legal register template can be downloaded at High Table: The ISO 27001 Company.

What ISO 27001 clause requires an ISO 27001 legal register?

ISO 27001 Annex A 5.31 Legal, statutory, regulatory and contractual requirements requires a legal register. It states ‘Legal, statutory, regulatory and contractual requirements relevant to information security and the organisation’s approach to meet these requirements should be identified, documented and kept up to date.’

Who is responsible for the ISO 27001 legal register?

The information security officer or compliance officer will be responsible for the legal register, and they will work closely with legal professionals and legal counsel.

How often is the ISO 27001 legal register updated?

The ISO 27001 legal register is updated at least annually and also when significant changes occur. Examples of significant changes would be changes in the law, updates to regulations, and changed or new client contractual requirements.

What if I miss a law?

You should regularly review and update your register to catch any new or overlooked laws.

Is this the same as a risk register? 

No, a legal register is about compliance, while a risk register is about managing threats.

Is it a requirement for certification?

Yes, it’s a non-negotiable part of the ISO 27001 process.

Does it have to be a specific format?

No, but it should be a clear, organised document, usually a spreadsheet or a table.

What’s the difference between a law and a regulation? 

Laws are passed by a legislature; regulations are rules created by agencies to implement those laws.

Who is responsible for the register? 

A designated person or team, often the Information Security Manager.

What if my business operates in multiple countries? 

You need to include the laws for all countries where you operate.

Do I need a lawyer to write it?

While a lawyer can help, you can often research and draft it yourself, especially with a good template.

What happens if I don’t have one? 

An auditor will find this a major non-conformity, and you won’t get certified.

Can I use a spreadsheet? 

Yes, a spreadsheet is a common and effective way to organise your legal register.

Is this only for big companies?

No, it’s for any business, big or small, seeking ISO 27001 certification.

What’s the easiest way to start? 

Begin by identifying the countries you operate in and then search for their data protection laws.

What’s the most important thing to remember? 

That your legal register is a tool to help you stay compliant, not just a document to check a box!

About the author

Stuart Barker is an information security practitioner with over 30 years of experience. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business, which he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe, and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first-of-its-kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he keeps active and is a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage businesses.