ISO 27001 Control 5.31: Legal, Statutory, Regulatory and Contractual Requirements
Control 5.31 requires organizations to systematically identify and document all legal, statutory, regulatory, and contractual requirements that impact information security. This foundational control ensures your compliance obligations are visible, tracked, and continuously maintained—preventing costly gaps and audit failures.
What this means
This control mandates that you establish a comprehensive inventory of all external requirements affecting your information security posture. This includes industry-specific regulations (GDPR, HIPAA, PCI-DSS), statutory obligations, contractual commitments to customers and partners, and relevant legal frameworks in jurisdictions where you operate. Your organization must not only identify these requirements but document them clearly and keep them current as regulations and business relationships evolve.
How to comply
- 1.Conduct a requirements inventory workshop with legal, compliance, and operations teams to identify all applicable laws, regulations, industry standards, and contractual obligations
- 2.Document each requirement with its source, scope, applicable systems, and key compliance deadlines
- 3.Map requirements to relevant information security controls and business processes
- 4.Establish a review schedule (quarterly minimum) to capture regulatory changes, new customer contracts, and evolving legal landscape
- 5.Create a central register or database of all requirements with ownership and status tracking
- 6.Communicate identified requirements to relevant stakeholders and ensure understanding across departments
- 7.Link compliance requirements to your risk assessment and control implementation roadmap
Evidence auditors look for
- Legal requirements register detailing GDPR, local data protection laws, and industry regulations
- Contractual obligations log showing customer NDA requirements, SLA commitments, and vendor security clauses
- Regulatory mapping document linking specific requirements to implemented controls
- Minutes from quarterly compliance review meetings showing requirement updates and changes
- Audit trail showing when requirements were added, updated, and communicated to teams
- Matrix correlating business contracts to their security and compliance obligations
- Statutory requirement checklists for each jurisdiction where the organization operates
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically centralizes and tracks all your legal, statutory, and contractual requirements in one searchable register, alerts you to regulatory changes relevant to your industry, and maps requirements directly to your controls—eliminating spreadsheet chaos and ensuring nothing falls through the cracks.
See how GRCWatch handles this control automatically
Start free trial