Compliance with Information Security Legal Requirements
Identify and stay updated on information security legal obligations to avoid breaches.
Plain language
This control ensures your organisation knows and keeps updated with all the legal rules about information security. If you miss these rules, your business might face fines or other legal issues, which could harm your reputation and finances.
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Organisational controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
19 Mar 2026
Maturity levels
N/A
Official control statement
Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements shall be identified, documented and kept up to date.
Why it matters
Failure to track legal requirements could lead to significant fines, litigation risks, and damage to the organisation's reputation.
Operational notes
Maintain a legal/regulatory obligations register; review quarterly with legal counsel and security, record changes, owners and evidence of compliance actions.
Implementation tips
- The IT manager should identify all laws and regulations relevant to information security that could affect the business. This can be done by consulting with legal advisors and checking resources from OAIC for Australian regulations such as the Privacy Act 1988.
- The compliance officer should document legal and regulatory requirements. This involves recording all identified legal obligations in an organised and accessible format, like a compliance register, and ensuring it is stored securely and protected.
- The HR team should assign specific roles within the organisation to take responsibility for meeting these requirements. This might involve designating compliance leadership roles to oversee how well the organisation adapts to changes in legal obligations.
- The Procurement department should ensure that contracts with suppliers and clients include clauses that address compliance with information security requirements. They should work with legal advisors to draft these clauses according to Australian standards.
- The organisation's board should conduct regular reviews of these legal requirements and update policies and procedures accordingly. This can be scheduled as part of quarterly risk review meetings or during the annual policy review process to consider any legislative changes.
Audit / evidence tips
-
AskAsk for the compliance register or document listing legal and regulatory requirements for information security.
GoodA well-maintained compliance register with entries showing recent reviews and updates, clearly identifying who is responsible for compliance.
-
AskAsk to see contracts with suppliers and clients that mention information security requirements.
GoodContracts with clear, relevant information security clauses that align with identified legal and regulatory requirements.
-
AskAsk for records of assigned roles and responsibilities related to legal compliance.
GoodA clear organisational chart or document showing assigned roles with descriptions detailing compliance duties.
-
AskAsk for evidence of regular reviews and updates to compliance documents.
GoodRecent meeting minutes or logs showing discussions and actions on reviewing and updating legal requirement documentation.
-
AskAsk for any communication or workshops held with staff about compliance requirements.
GoodDocumented evidence of regular staff engagement activities on compliance topics, indicating active dissemination of information.
Cross-framework mappings
How Annex A 5.31 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| handshake Supports (13) expand_less | ||
| ISM-0009 | ISM-0009 requires identifying supplementary controls needed for a system based on its unique context and risk tolerance | |
| ISM-0041 | ISM-0041 requires documenting a system’s applicable controls and any additional controls in a system security plan annex | |
| ISM-0047 | Annex A 5.31 requires the organisation to document and maintain its information security legal, regulatory, and contractual requirements ... | |
| ISM-0137 | ISM-0137 requires organisations to seek legal advice before permitting continued intrusion activity to gather evidence, explicitly addres... | |
| ISM-0181 | ISM-0181 requires cabling infrastructure to be installed in accordance with relevant Australian Standards, directed by ACMA | |
| ISM-0499 | ISM-0499 requires compliance with ASD communications security doctrine and policy produced for HACE management and operation | |
| ISM-1478 | Annex A 5.31 requires the organisation to identify, document, and keep current all information security legal, statutory, regulatory, and... | |
| ISM-1571 | Annex A 5.31 requires the organisation to identify and document contractual requirements relevant to information security and keep them u... | |
| ISM-1626 | ISM-1626 requires an organisation to seek legal advice when developing and implementing an insider threat mitigation program | |
| ISM-1880 | ISM-1880 requires timely reporting to customers and the public for cyber incidents involving customer data | |
| ISM-2002 | Annex A 5.31 requires identifying and maintaining up-to-date information security legal and regulatory requirements and documenting how t... | |
| ISM-2008 | ISM-2008 mandates compliance conditions for a regulated class of equipment (medical devices) when used in SECRET/TOP SECRET areas, includ... | |
| ISM-2033 | ISM-2033 requires software security requirements to be documented, stored securely, and maintained throughout the SDLC | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.