Annex A · Organisational Control

A.5.31 — Legal, Statutory, Regulatory and Contractual Requirements

Reviewed by: Cenedril Editorial
A.5.31 · ISO 27001 · ISO 27002 · BSI ORP.5

A software company expands into the healthcare sector without updating its compliance register. Six months later, an audit reveals that the organisation has been processing patient data without meeting sector-specific regulatory requirements. The resulting penalties exceed the revenue from the new business line. A.5.31 requires organisations to systematically identify, document and track all legal, regulatory and contractual requirements related to information security — before compliance gaps become costly.

Legal and regulatory requirements form the non-negotiable baseline for any ISMS. The organisation cannot decide whether to comply with applicable law. It can only ensure that it knows which laws apply and that its controls are aligned.

What does the standard require?

  • Identify applicable requirements. The organisation must identify and document all legal, statutory, regulatory and contractual requirements relevant to information security.
  • Maintain a register. Requirements are recorded in a central register that is kept current, with clear ownership and review dates.
  • Consider requirements in control design. Security controls, policies and procedures must be designed to satisfy the identified requirements. Where multiple requirements overlap, the most stringent applies.
  • Address cryptography specifically. The organisation must identify laws and regulations governing the use of cryptographic controls, including import/export restrictions, in all jurisdictions where it operates.
  • Review regularly. The register is reviewed at planned intervals and upon significant changes (new legislation, new markets, new contracts).

In practice

Assign monitoring responsibilities. No single person can track changes across all regulatory domains. Assign specific areas to specialists: data protection law to the DPO, sector regulation to the compliance team, contractual requirements to procurement, cryptography restrictions to IT security.

Link requirements to controls. For each requirement in the register, document which control(s) address it. This mapping serves two purposes: it demonstrates compliance during audits and it highlights gaps when new requirements are added.

Monitor legislative changes actively. Subscribe to regulatory newsletters, join industry associations and maintain relationships with legal advisors. Reactive compliance — discovering a new requirement only when audited — is consistently more expensive than proactive monitoring.

Pay special attention to cross-border requirements. Organisations operating in multiple jurisdictions face potentially conflicting requirements (e.g. data localisation laws vs. group-wide data processing). Document these conflicts and the resolution approach explicitly.

Typical audit evidence

Auditors typically expect the following evidence for A.5.31:

  • Legal and regulatory register — central list of all applicable requirements with source, applicable controls, responsible person and review status
  • Requirement-to-control mapping — documentation showing which controls satisfy which requirements
  • Cryptography register — identification of cryptographic controls in use and applicable legal restrictions
  • Review records — evidence of periodic reviews, including assessment of new or changed requirements
  • Legal monitoring process — documented approach for staying informed about regulatory changes

KPI

% of applicable legal and regulatory requirements identified and tracked

This KPI measures register completeness and currency. All identified requirements should be documented in the register with assigned ownership and a current review date. Target: 100%.

Supplementary KPIs:

  • Percentage of requirements with a documented control mapping
  • Number of new or changed requirements identified in the last 12 months
  • Number of compliance gaps identified and time to resolution

BSI IT-Grundschutz

A.5.31 maps to the BSI requirements for compliance management:

  • ORP.5 (Compliance management / requirements management) — requires identification, documentation and tracking of all legal, regulatory and contractual requirements relevant to the organisation’s information security.

A.5.31 provides the legal foundation for several downstream controls:

Frequently asked questions

What belongs in a legal register for information security?

All laws, regulations, standards and contractual clauses that impose requirements on how the organisation handles information. Typical entries: GDPR, national data protection laws, NIS2, sector-specific regulations (banking, healthcare), customer contracts with security clauses, insurance requirements and cryptography export controls.

How often should the legal register be reviewed?

At least annually, plus event-driven reviews when new legislation is enacted, contracts change or the organisation enters new markets. Assign a responsible person for monitoring regulatory changes in each relevant domain.

Does A.5.31 cover contractual requirements as well?

Yes. The control explicitly includes contractual requirements alongside legal, statutory and regulatory ones. Customer contracts, supplier agreements, NDAs and insurance policies often contain information security clauses that must be identified, tracked and fulfilled.