ISO/IEC 27001:2022 offers a structured approach to managing the wide range of information security risks faced by organisations, and the Annex A controls provide a catalogue of 93 controls grouped into four categories: organisational, people, physical, and technological.

Seven of the organisational controls describe the legal, regulatory and contractual information security requirements that organisations must comply with. These controls consist of:
- A.5.31 – Legal, statutory, regulatory and contractual requirements
- A.5.32 – Intellectual property rights
- A.5.33 – Protection of records
- A.5.34 – Privacy and protection of PII
- A.5.35 – Independent review of information security
- A.5.36 – Compliance with policies, rules and standards for information security
- A.5.37 – Documented operating procedures
In this blog, we will consider these controls in more detail, and how your organisation can integrate the requirements of these controls into your information security programme.

Why are the legal and regulatory controls important?
In a previous blog, titled ISO 27001:2022 - A.5 Organisational Controls (Information Security Management), we discussed the importance of having clear and documented security policies in place within your organisation. These policies allow you to promote awareness and set expectations with your users, ensuring that all individuals understand their responsibilities when it comes to security. In addition to your policies, there will also be other security requirements that you need to comply with. These include acts of legislation implemented by governments, rules imposed by regulatory bodies, as well as the contractual agreements you have in place with your employees and suppliers.
These checks and balances enable organisations to effectively protect their data in line with best practice. They also help organisations to avoid legal repercussions (such as prosecutions, fines, or loss of business licence), reputational damage, and ensure appropriate reporting channels are available that enable security incidents to be dealt with appropriately. Finally, these requirements uphold the principle of defence-in-depth by ensuring that organisations take a layered approach to information security, ensure that organisations acknowledge security incidents and hold themselves accountable to their stakeholders, and reduce the overall impact and likelihood of a security incident taking place.
What are the different types of legal and regulatory controls?
According to ISO 27002:2022, the controls we will discuss in this blog are categorised as preventive and corrective controls.
- Preventive controls are intended to stop an information security incident from occurring, as well as to prevent recurrence and the occurrence of similar incidents in other areas.
- Corrective controls are intended to close off or resolve a security incident or issue that has already occurred.
Hints and tips on demonstrating conformance to A.5 legal and regulatory controls
A.5.31 – Legal, statutory, regulatory and contractual requirements
For this control, your organisation needs to identify and document the laws and regulations of the jurisdictions in which you operate. This includes laws and regulations that are mandatory at the national, regional and local levels. If you operate in multiple countries, you will need to acknowledge the relevant laws and regulations of all these countries, as well as any rules that may be applicable in multiple countries, such as the EU General Data Protection Regulation (GDPR). Your organisation should also regularly review these items to identify any updates or repeals, and to identify any new laws or regulations that may have taken effect since the last review. Prior to an audit that covers this control, you should formally determine who is responsible for keeping your organisation’s legal and regulatory awareness up to date. If your organisation is fully remote, you may not be required to comply with regional or local government requirements to the same degree (if at all), unless the remote workers’ roles involve the completion of work for the authorities of those regions. However, it is advisable to seek legal expertise if in doubt.
To demonstrate conformance to the above, it is common practice to have a documented legal register. This should contain the laws and regulations you need to comply with, a summary of their requirements, and the date that each item was last reviewed. Each item on the legal register should be reviewed at regular intervals (e.g., annually) and upon significant change to an item on the register. It is also advantageous for the register to contain a column that states where evidence of compliance with these laws and regulations can be found (such as policies, systems, or records). Alternatively, conformance can be demonstrated by documenting relevant laws and regulations in your information security policy.
In addition to laws and regulations, you should also ensure that your organisation has acknowledged the relevant information security requirements of its contractual agreements with certain interested parties. These parties include your customers, your suppliers, and insurance providers, as appropriate.* Typically, these requirements will be documented in the contractual agreements themselves. Parties with whom you have a contractual agreement (such as customers or suppliers) can also be added to your interested parties list, unless they have been acknowledged elsewhere.
* For further information on supplier agreements and ISO 27001 conformance, see our blog on ISO 27001 A.5 - Organisational Controls (Supplier Management).
A.5.32 – Intellectual property rights
Here, you will need to appropriately acknowledge and uphold the intellectual property rights of your organisation and external parties. This includes any intellectual property rights concerning patents, trademarks, document or software copyright, design rights and source code licences. Conformance to this control can be demonstrated by implementing a documented intellectual property policy. Other measures include not downloading images or music from the internet unless authorised to do so, ensuring no unauthorised software or copies of software are present on your network, and ensuring only software from a reputable provider is used by your personnel. Doing so will help your organisation avoid copyright infringement. It is also common practice to include an intellectual property section within your employment contracts, customer agreements and other statements of work. This section should address the rights and responsibilities of all parties with respect to intellectual property concerns.
Further best practices include documenting your organisation’s rules for the acceptable and compliant use of intellectual property in your acceptable use policy, and recording intellectual property owned by your organisation on your asset register.
A.5.33 – Protection of records
The purpose of this control is to maintain the confidentiality, integrity and availability (CIA) of information contained in documented records. This includes practices such as assigning a classification to a record, categorising records according to their purpose (e.g., finance, legal, sales, HR), assigning ownership to individual records and groups of records, as well as documenting the systems or locations in which records are stored. Digital records should be backed up, and chains of custody should be in place to ensure the records are admissible in a court of law or a disciplinary hearing.
If your organisation has hardcopy records, you need to implement physical security measures to secure those records, such as limiting access to the rooms that contain them (e.g., via smart cards, or keys), or locking drawers and cupboards when leaving them unoccupied.
To meet the legal and regulatory requirements of record protection, your organisation should have a documented data retention schedule, and a documented procedure for securely disposing of records when they are no longer required. The individuals responsible for disposing of these records must be made aware of this procedure. Your disposal procedure may assign the responsibility for disposing of records, specify the methods/tools to be used for disposal, and specify that certificates of destruction must be obtained if necessary.
A.5.34 – Privacy and protection of PII
Whilst A.5.31 requires legal, regulatory and contractual requirements for information security to be acknowledged and adhered to, A.5.34 adds an additional component to this. It requires you to acknowledge and adhere to the legal, regulatory and contractual requirements you are subject to that relate to privacy and personally identifiable information (PII). To conform to these requirements, you need to include any privacy laws or regulations you are subject to within your organisation’s legal register. These laws may also need to be acknowledged in other relevant documents, such as your privacy policy/privacy notice, employment contracts, customer agreements, or non-disclosure agreements (NDAs).
Common practice is to appoint a data protection officer (DPO), or a designated privacy officer, who will ensure that personnel are aware of their obligations when handling PII. Individuals completing work for your organisation (whether an employee or a contractor) should understand who they are required to notify if a data breach involving PII occurs, and should be aware of the consequences of not following your organisation’s rules on PII privacy and protection. You will also need to implement practical measures to protect PII; these measures may include classifying documents containing PII, limiting access to PII according to the principle of least privilege, encrypting files and systems containing PII, and regularly reviewing PII requirements for changes or additions.
A.5.35 – Independent review of information security
For this control, your organisation needs to regularly review information security measures for ongoing suitability and effectiveness. These checks could be conducted in alignment with your organisation’s internal audit programme (a mandatory requirement of ISO 27001) or in alignment with departmental or function-based audit schedules. These checks also need to be completed at pre-defined intervals, such as monthly, quarterly, or annually, and whenever there is an important change within the business. Relevant changes that may prompt a review include changes to legal or regulatory requirements, relocation to a new physical premises, major expansions or reductions of the business, entry into a new business market, or critical changes to your information security measures.
Reviews should be conducted by individuals who are impartial and objective, i.e., not personally responsible for managing the measure in question. For example, your antivirus program should not be audited by a program administrator, but by an individual who has non-administrative privileges. Once the reviews have been completed, relevant management should be informed of the review findings to maintain managerial oversight.
Some checks of technological measures can be completed using automated tools (e.g., vulnerability scanning tools), as long as you can verify that the tools themselves have not undergone any modifications that may affect the accuracy of the results.
A.5.36 – Compliance with policies, rules and standards for information security
This control requires you to ensure that any security measures you have in place are aligned with the requirements or principles of your information security policy. Other relevant policies that define the information security rules your staff must abide by should also be consulted to verify that current practice aligns with current requirements, as well as the requirements of other frameworks and standards (including ISO 27001). Managers should also be accountable for ensuring the teams and departments for which they are responsible maintain conformance to your security policies and rules. This can be achieved by requiring all staff to read relevant policies and attend any mandatory security training or briefings. If any staff are unable to attend, managers should ensure their staff are updated or briefed on their security obligations afterwards. Compliance reviews should take place on a regular basis, such as annually, quarterly or monthly. A simple way to check compliance with your policies is to implement an internal audit programme, as required by Clause 9.2 of the Standard. If appropriate, automated tools can be used to notify relevant personnel of these reviews’ upcoming due dates to prevent them being missed; or, if such tools aren’t available, review dates can be added to your work calendar.
Your organisation may have rules or frameworks requiring specific technological measures to be in place. If so, it may be necessary for other reviews to be conducted outside of your audit programme, such as a control measures assessment or a managerial review. Examples of rules that could be checked in such a review include:
- Does every user have our antivirus program installed and running on their devices?
- Are clocks on computers automatically synchronised to our time server every Monday?
- Are staff solely storing company passwords in the approved password manager tool?
- Are staff locking their devices when they temporarily leave their workstation?
- Have staff who have left the business returned all their equipment, including their access badge and their laptop?
Whilst this control does not specify which individuals should conduct these reviews or whether they should be impartial, good practice is to ensure impartiality whenever possible. This will not only facilitate effective conformance to this control, but also alignment with other relevant controls and requirements (such as Clause 9.2, and Controls A.5.1 and A.5.35).
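As an added example (not code from the original post or from URM), the legal register columns described under A.5.31 and the review-due reminders mentioned under A.5.36 can be combined in a small script that flags overdue reviews, reviews due soon, entries affected by a significant change, and entries with no evidence location recorded. The register entries, dates and the 365-day review interval are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class RegisterEntry:
    """One row of the A.5.31 legal register."""
    name: str
    summary: str
    last_reviewed: date
    evidence: str  # where compliance evidence is held; empty if none recorded


# Constructed sample register (hypothetical names and dates, for illustration only).
SAMPLE_REGISTER = [
    RegisterEntry("EU GDPR", "Processing of EU data subjects' personal data",
                  date(2023, 3, 1), "Privacy policy; DPIA records"),
    RegisterEntry("Data Protection Act 2018 (UK)", "UK data protection regime",
                  date(2024, 1, 15), "Privacy notice; legal register"),
    RegisterEntry("Customer contract clause 12", "Breach notification within 72 hours",
                  date(2022, 12, 1), ""),
]


def review_status(register, today, interval_days=365, warn_days=30, changed=()):
    """Classify entries as 'overdue', 'due_soon' or 'current' against the review
    interval; also list entries hit by a significant change ('changed') and
    entries with no evidence location recorded ('no_evidence')."""
    status = {"overdue": [], "due_soon": [], "current": [],
              "changed": [], "no_evidence": []}
    for entry in register:
        days_left = (entry.last_reviewed + timedelta(days=interval_days) - today).days
        if days_left < 0:
            status["overdue"].append(entry.name)
        elif days_left <= warn_days:
            status["due_soon"].append(entry.name)
        else:
            status["current"].append(entry.name)
        if entry.name in changed:
            status["changed"].append(entry.name)
        if not entry.evidence.strip():
            status["no_evidence"].append(entry.name)
    return status


def reminder_lines(status):
    """Reminder text for the register owner, one line per action needed."""
    labels = {"overdue": "OVERDUE: review", "due_soon": "DUE SOON: schedule review of",
              "changed": "CHANGED: re-review", "no_evidence": "GAP: record evidence for"}
    return [f"{label} '{name}'" for key, label in labels.items() for name in status[key]]


if __name__ == "__main__":
    for line in reminder_lines(review_status(SAMPLE_REGISTER, date.today())):
        print(line)
```

Running it on a fixed date (for example 15 February 2024) shows the GDPR entry falling due within the warning window, the contract clause both overdue and missing an evidence reference, and the UK Act current.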
A.5.37 – Documented operating procedures
This control requires you to have documented step-by-step instructions for tasks involving the systems, services and equipment you use to store and manage company data, as well as the physical location housing these resources. Such documentation should identify key responsibilities, tools or equipment needed to follow the procedure successfully, and may include procedures relating to:
- How you grant, adjust or revoke user access to your computer systems
- How you dispose of ICT equipment, such as computers, servers or digital applications
- How you retrieve backups when a system fails
- How you determine which areas of your premises can be accessible to an employee
Documenting these procedures enables them to be carried out in a consistent manner in order to avoid putting your information assets at risk. Additionally, as this control does not specify what operating procedures you need to document (since every organisation is different), your organisation needs to take a decision as to which procedures should be documented. Documenting operating procedures is particularly important if a potential human error in a procedure could have a significant impact. It is also essential to document operating procedures if the procedures need to be conducted in the same way by several people or so rarely that they risk being forgotten, if the procedure in question is new, or if responsibility for it is transferred to new ownership.
Once documented, your operating procedures also need to be shared with personnel who are (or may be) involved in the procedures. For example, a backup procedure will need to be shared with IT personnel who will be responsible for retrieving the backup if a system fails. Finally, since Clause 7.5.2 of the Standard requires you to ensure your information security management system (ISMS) is suitable for use, it is recommended that these documented procedures be reviewed regularly, as well as when a significant change occurs that may impact the steps of the procedure.
Closing thoughts
Customers, suppliers, regulators, and even governments have a vested interest in the success of your ISMS. To satisfy the needs and expectations of these interested parties, it is imperative for your organisation to address the legal, regulatory and contractual requirements when developing and implementing your internal security programme. Doing so will help your organisation to avoid breaches, avoid reputational damage, and conduct information security in accordance with these requirements alongside your own policies and procedures.
How URM can help
Consultancy
With 2 decades of experience assisting organisations’ ISO 27001 implementation and over 400 successful certification projects behind us, URM is the ideal partner to support your organisation with any aspect of its conformance/certification to the Standard. Our large team of experienced consultants can offer your organisation a wide range of consultancy services to help you meet ISO 27001 requirements in full; for example, we can begin by conducting an ISO 27001 gap analysis, where we establish where you are already conformant, and those areas which may require further improvement. Using our proven risk assessment tool, Abriska™ 27001, we can also help you conduct your ISO 27001 risk assessment, and, following this, work with you to develop policies, processes and ISMS infrastructure which both meet the requirements of the Standard in full and are also appropriate for your organisation’s unique culture and needs.
Following implementation of the ISMS, URM can also provide you with a range of ISO 27001 internal audit services. These include conducting an internal audit ahead of your certification assessment to ensure the ISMS is functioning as intended, planning and implementing a full 3-year ISO 27001 audit programme, or auditing more specific aspects of the ISMS or particular controls.
Training
In addition to our consultancy services, URM also regularly delivers a range of ISO 27001-related training courses, providing you with the skills and expertise necessary to effectively manage information security and conformance to the Standard in your workplace. Our Introduction to ISO 27001 Course explores all aspects of information security and the importance of ISO 27001 in protecting information, whilst our 2-day ISO/IEC 27001:2022 Transition Course covers both the changes seen in the latest version of the Standard and how to implement them. Or, if you would like to gain an industry-recognised information security qualification, URM regularly delivers the Certificate in Information Security Management Principles (CISMP) Training Course, which will fully prepare you to sit and pass the BCS invigilated examination.