ISO 27001:2013 A.18 Compliance

Organizations are subject to numerous laws, regulations, and contractual obligations that specify requirements related to the appropriate management and protection of diverse information sets. Understanding and maintaining compliance with these different requirements is sometimes a difficult road. The path to establishing compliance takes a complete look at the areas in which your Organization has responsibilities, whether legal, regulatory, contractual, or self-imposed. Important elements to consider when developing a plan for compliance  include the following:

  • Awareness of relevant regulations/laws. (Do you know what you need to follow?)
  • Awareness of relevant policies. (Do you know what  policies apply to information use?)
  • Awareness of relevant contractual agreements. (Do you know what agreements your organization has made that impose conditions on the use of data?)
  • Awareness of relevant standards or best practices. (Do you know what standards or best practices your organization chooses to follow with respect to information use?)
  • Management of organizational records. (Do you know what you need to keep and for how long?)
  • Awareness of how records are managed by your organization.
  • Approach to complying with each item. (Do you know what your organization is doing to follow the law?)
  • Awareness of internal and/or external audit activities. (Do you know what internal/external audits exist and what is required to meet or pass these reviews?)

The initial process in developing compliance initiatives is to identify which laws, regulations, and policies are applicable to the organization. To that end, confer with your legal and/or audit departments, and review the most common federal and state data protection laws.
1. Identify key stakeholders and/or partners across the organization who regularly deal with organizational compliance issues (e.g., legal, risk management, privacy, audit). Key stakeholders may vary from campus to campus.
2. Perform a high-level gap analysis of each compliance requirement that is applicable to determine where progress needs to be made.
3. Develop a prioritized action plan that will help you organize your efforts (one section of your Information Security plan).
4. Develop a policy, standard, roles, and responsibilities, and/or procedures in collaboration with other key stakeholders at your organization.
5. Familiarize yourself with common standards and regulations that address specific requirements
6. Determine whether Governance, Risk, and Compliance (GRC) solutions can assist you with managing compliance.

A.18.1 Compliance with legal and contractual requirements

To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

A.18.1.1 Identification of applicable legislation and contractual requirements


All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization.

Implementation guidance

The specific controls and individual responsibilities to meet these requirements should also be defined and documented. Managers should identify all legislation applicable to their organization in order to meet the requirements for their type of business. If the organization conducts business in other countries, managers should consider compliance in all relevant countries.

A.18.1.2 Intellectual property rights

Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.

Implementation guidance

The following guidelines should be considered to protect any material that may be considered intellectual property:
a) publishing an intellectual property rights compliance policy which defines the legal use of software and information products;
b) acquiring software only through known and reputable sources, to ensure that copyright is not violated;
c) maintaining awareness of policies to protect intellectual property rights and giving notice of the intent to take disciplinary action against personnel breaching them;
d) maintaining appropriate asset registers and identifying all assets with requirements to protect intellectual property rights;
e) maintaining proof and evidence of ownership of licenses, master disks, manuals, etc.;
f) implementing controls to ensure that any maximum number of users permitted within the license is not exceeded;
g) carrying out reviews that only authorized software and licensed products are installed;
h) providing a policy for maintaining appropriate license conditions;
i) providing a policy for disposing of or transferring software to others;
j) complying with terms and conditions for software and information obtained from public networks;
k) not duplicating, converting to another format or extracting from commercial recordings (film, audio) other than permitted by copyright law;
l) not copying in full or in part, books, articles, reports or other documents, other than permitted by copyright law.

Other information

Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licenses. Proprietary software products are usually supplied under a license agreement that specifies license terms and conditions, for example, limiting the use of the products to specified machines or limiting copying to the creation of backup copies only. The importance and awareness of intellectual property rights should be communicated to staff for software developed by the organization. Legislative, regulatory and contractual requirements may place restrictions on the copying of proprietary material. In particular, they may require that only material that is developed by the organization or that is licensed or provided by the developer to the organization, can be used. Copyright infringement can lead to legal action, which may involve fines and criminal proceedings.

A.18.1.3 Protection of records

Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislator, regulatory, contractual and business requirements.

Implementation guidance
When deciding upon the protection of specific organizational records, their corresponding classification based on the organization’s classification scheme should be considered. Records should be categorized into record types, e.g. accounting records, database records, transaction logs, audit logs and operational procedures, each with details of retention periods and type of allowable storage media, e.g. paper, microfiche, magnetic, optical. Any related cryptographic keys and programs associated with encrypted archives or digital signatures should also be stored to enable decryption of the records for the length of time the records are retained. Consideration should be given to the possibility of deterioration of media used for storage of records. Storage and handling procedures should be implemented in accordance with the manufacturer’s recommendations. Where electronic storage media are chosen, procedures to ensure the ability to access data (both media and format readability) throughout the retention period should be established to safeguard against loss due to future technological change. Data storage systems should be chosen such that required data can be retrieved in an acceptable timeframe and format, depending on the requirements to be fulfilled. The system of storage and handling should ensure identification of records and of their retention period as defined by national or regional legislation or regulations, if applicable. This system should permit the appropriate destruction of records after that period if they are not needed by the organization. To meet these record safeguarding objectives, the following steps should be taken within an organization:

  1. guidelines should be issued on the retention, storage, handling and disposal of records and information;
  2. a retention schedule should be drawn up identifying records and the period of time for which they should be retained;
  3. an inventory of sources of key information should be maintained.

Other information
Some records may need to be securely retained to meet statutory, regulatory or contractual requirements, as well as to support essential business activities. Examples include records that may be required as evidence that an organization operates within statutory or regulatory rules, to ensure defence against potential civil or criminal action or to confirm the financial status of an organization to shareholders, external parties and auditors. National law or regulation may set the time period and data content for information retention.

A.18.1.4 Privacy and protection of personally identifiable information

Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.

Implementation guidance
An organization’s data policy for privacy and protection of personally identifiable information should be developed and implemented. This policy should be communicated to all persons involved in the processing of personally identifiable information. Compliance with this policy and all relevant legislation and regulations concerning the protection of the privacy of people and the protection of personally identifiable information requires appropriate management structure and control. Often this is best achieved by the appointment of a person responsible, such as a privacy officer, who should provide guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling personally identifiable information and ensuring awareness of the privacy principles should be dealt with in accordance with relevant legislation and regulations. Appropriate technical and organizational measures to protect personally identifiable information should be implemented.

Other information
ISO/IEC 29100 provides a high-level framework for the protection of personally identifiable information within information and communication technology systems. A number of countries have introduced legislation placing controls on the collection, processing and transmission of personally identifiable information (general information on living individuals who can be identified from that information). Depending on the respective national legislation, such controls may impose duties on those collecting, processing and disseminating personally identifiable information, and may also restrict the ability to transfer personally identifiable information to other countries.

A.18.1.5 Regulation of cryptographic controls

Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations.

Implementation guidance

The following items should be considered for compliance with the relevant agreements, laws and regulations:

  1. restrictions on import or export of computer hardware and software for performing cryptographic functions;
  2. restrictions on import or export of computer hardware and software which is designed to have cryptographic functions added to it;
  3. restrictions on the usage of encryption;
  4. mandatory or discretionary methods of access by the countries’ authorities to information encrypted by hardware or software to provide confidentiality of content.

Legal advice should be sought to ensure compliance with relevant legislation and regulations. Before encrypted information or cryptographic controls are moved across jurisdictional borders, legal advice should also be taken.

Annex A.18.1 is about compliance with legal and contractual requirements. The objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. It’s an important part of the information security management system (ISMS) . The goal here is to help outline effective practices for identifying compliance obligations, as well as the roles and responsibilities, activities and controls needed to manage all of the organization’s legal, contractual, and records management requirements.

Identification of Applicable Legislation & Contractual Requirements

A good control describes how all relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. Put in simple terms, the organization needs to ensure that it is keeping up to date with and documenting legislation and regulation that affects the achievement of its business objectives and the outcomes of the ISMS. It is important that the organization understands the legislation, regulation and contractual requirements with which it must comply and these should be centrally recorded in the register to allow for ease of management and coordination. The identification of what is relevant will largely depend on; Where the organization is located or operates; What the nature of the organization’s business is; and The nature of information being handled within the organization. The Identification of the relevant legislation, regulation and contractual requirements are likely to include engagement with legal experts, regulatory bodies and contract managers. This is an area that often catches organizations out as there is generally far more legislation and regulation impacting the organization than is first considered.  The auditor will be looking to see how the organization has identified and recorded its legal, regulatory and contractual obligations; the responsibilities for meeting such requirements and any necessary policies, procedures and other controls required for meeting the controls. Additionally, they will look to see that this register is maintained on a regular basis against any relevant change – especially in legislation across common areas that they would expect any organization to be impacted by.  Legal requirements need to be explicitly identified and recognized and a plan in place for meeting applicable requirements. To meet this part of compliance, controls should be developed which:

  1. Identify the persons or person responsible for ascertaining the legal requirements. Those requirements should then be placed against the other controls that exist in some sort of matrix which shows controls in place to meet the requirements. Each state has breach laws, personal information protection laws, social security protections laws, or other laws related to technology furnished at the organization. Each state must be taken as its own legal island and an organization must know if any of the following impact or enhance security efforts.
  2. Identify the persons or person responsible for reviewing contracts to determine any information security requirements, whether they are requirements of the organization or requirements of the vendor. Those requirements should then be placed against the other controls that exist in some sort of matrix which shows controls in place to meet the requirements.

Every contract that involves organizational data must be documented and any controls specified in that contract must also be documented. It is crucial to know what your contractual responsibilities are so that you can look at the physical and technical controls you have in place and determine if they are adequate for the assumed contractual liability. In instances where contracting parties have access to organizational data, you want to be sure that you can audit the contractual controls and protections that the other party has agreed to follow.

Intellectual Property Rights

Intellectual Property (IP) rights are a dominant issue at any Organizations. Organizations may have many different types of research and proprietary information that can be protected via these rights. These rights are also attached to the different technologies that the organization might buy or license from others (and the rights are then protected via contract provisions). A good control describes how the appropriate procedures ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. Put into simple terms, the organization should implement appropriate procedures which ensure it complies with all its requirements, whether they are legislative, regulatory or contractual – related to its use of software products or intellectual property rights. Policies, processes and technical controls are likely to be needed for both of these aspects. Within asset registers and acceptable use policies it is likely that IPR considerations will need to be made – e.g. where an asset is or contains IPR protection of this asset must consider the IPR aspect. Controls to ensure that only authorized and licensed software are in use within the organization should include regular inspection and audit. The auditor will want to see that registers of licenses owned by the organization for use of others’ software and other assets are being kept and updated. Of particular interest to them will be ensuring that where licenses include a maximum number of users or installations, that this number is not exceeded and user and installation numbers are audited periodically to check compliance. The auditor will also be looking at how the organization protects its own IPR, which might include; Data loss and prevention controls; Policies and awareness program targeting user education; or Non-disclosure and confidentiality agreements that continue post-termination of employment. Appropriate controls to identify and protect intellectual property include:
• An intellectual property rights compliance policy (which meets copyright policy requirements of certain laws);
• Ensuring proper use of software and other technology licenses;
• Education and awareness on respecting IP rights;
• Keeping track of IP assets.

Protection of Records

A good control describes how records are protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with the legislator, regulatory, contractual and business requirements. Different types of record will likely require different levels and methods of protection. It is critical that records are adequately and proportionality protected against loss, destruction, falsification, unauthorized access or release. The protection of records must comply with any relevant legislation, regulation or contractual obligations. It is especially important to understand how long records must, should or could be kept for and what technical or physical issues might affect these over time – bearing in mind that some legislation might trump others for retention and protection. The auditor will be checking to see that considerations for the protection of records have been made based on business requirements, legal, regulatory and contractual obligations. The organizations deal with the issues inherent in managing organizational records and data, whether electronic or in the paper. As part of the compliance controls at every organization, important records as well as records we are legally obligated to retain the need to be protected from loss, destruction, and falsification. ISO has a separate standard, ISO 15489 “Information and Documentation — Records Management.” This standard goes into greater detail about how an organizations recognizes the context in which records are created, received, used, stored, and destroyed as an implicit part of the data governance process. This “records management” function may be placed anywhere in organizations, and sometimes it is part of an organization’s IT structure. Regardless, records management has components of compliance that are unavoidable. Organization’s policies and guidelines on retention, storage, handling, and disposal of records should be reviewed. Oftentimes this will require a security control to ensure that these policies and guidelines are carried out properly. (Refer to the Records Retention and Disposition Toolkit for additional information and templates.). Policies that protect records from loss, destruction, or falsification.

Privacy & Protection of Personally Identifiable Information

A good control describes how privacy and protection of personally identifiable information is assured for relevant legislation and regulation. Any information handled that contains personally identifiable information (PII) is likely to be subject to the obligations of legislation and regulation. PII is especially likely to have high requirements for confidentiality and integrity, and in some cases availability as well (e.g. health information, financial information). Under some legislation (e.g. the GDPR) some types of PII are defined as additionally “sensitive” and require further controls to ensure compliance.  It is important that awareness campaigns are used with staff and stakeholders to ensure a repeated understanding of individual responsibility for protecting PII and privacy. The auditor will be looking to see how PII is handled, if the appropriate controls have been implemented, are being monitored, reviewed and where necessary improved. They will also be looking to check that handling requirements are being met and audited suitably. Additional responsibilities exist too, for example, GDPR will expect a regular audit for areas where personal data is at risk. Smart organizations will tie these audits up alongside their ISO 27001 audits and avoid duplication or gaps.

Regulation of Cryptographic Controls
Cryptographic controls should be used in compliance with all relevant agreements, laws, and regulations. A good control describes how cryptographic controls are used in compliance with all relevant agreements, legislation, and regulations. The use of cryptographic technologies is subject to legislation and regulation in many territories and it is important that an organization understands those that are applicable and implements controls and awareness programs that ensure compliance with such requirements. This is especially true when cryptography is transported or used in territories other than the organization’s or user’s normal place of residence or operation. Trans-border import/export laws may include requirements relating to cryptographic technologies or usage. The auditor will be looking to see that considerations for the appropriate regulation of cryptographic controls have been made and relevant controls and awareness program implemented to ensure compliance.

A. 18.2 Information security reviews


To ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

A.18.2.1 Independent review of information security

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur.

Implementation guidance

Management should initiate an independent review. Such an independent review is necessary to ensure the continuing suitability, adequacy and effectiveness of the organization’s approach to managing information security. The review should include assessing opportunities for improvement and the need for changes to the approach to security, including the policy and control objectives. Such a review should be carried out by individuals independent of the area under review, e.g. the internal audit function, an independent manager or an external party organization specializing in such reviews. Individuals carrying out these reviews should have the appropriate skills and experience. The results of the independent review should be recorded and reported to the management who initiated the review. These records should be maintained. If the independent review identifies that the organization’s approach and implementation to managing information security are inadequate, e.g. documented objectives and requirements are not met or not compliant with the direction for information security stated in the information security policies, management should consider corrective actions.

A.18.2.2 Compliance with security policies and standards

Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.

Implementation guidance

Managers should identify how to review those information security requirements defined in policies, standards and other applicable regulations are met. Automatic measurement and reporting tools should be considered for efficient regular review. If any non-compliance is found as a result of the review, managers should:

  1. identify the causes of the non-compliance;
  2. evaluate the need for actions to achieve compliance;
  3. implement appropriate corrective action;
  4. review the corrective action taken to verify its effectiveness and identify any deficiencies or weaknesses.

Results of reviews and corrective actions carried out by managers should be recorded and these records should be maintained. Managers should report the results to the persons carrying out independent reviews when an independent review takes place in the area of their responsibility.

A.8.2.3 Technical compliance review


Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards.

Implementation guidance

Technical compliance should be reviewed preferably with the assistance of automated tools, which generate technical reports for subsequent interpretation by a technical specialist. Alternatively, manual reviews (supported by appropriate software tools, if necessary) by an experienced system engineer could be performed. If penetration tests or vulnerability assessments are used, caution should be exercised as such activities could lead to a compromise of the security of the system. Such tests should be planned, documented and repeatable. Any technical compliance review should only be carried out by competent, authorized persons or under the supervision of such persons.

Other information
Technical compliance reviews involve the examination of operational systems to ensure that hardware and software controls have been correctly implemented. This type of compliance review requires specialist technical expertise. Compliance reviews also cover, for example, penetration testing and vulnerability assessments, which might be carried out by independent experts specifically contracted for this purpose. This can be useful in detecting vulnerabilities in the system and for inspecting how effective the controls are in preventing unauthorized access due to these vulnerabilities. Penetration testing and vulnerability assessments provide a snapshot of a system in a specific state at a specific time. The snapshot is limited to those portions of the system actually tested during the penetration attempt(s). Penetration testing and vulnerability assessments are not a substitute for risk assessment.

A good control describes the organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) is reviewed independently at planned intervals or when significant changes occur. Ensure that information security compliance requirements are effectively addressed and maintained over time. In order to meet compliance requirements, it is necessary to continually review compliance methods, systems, and processes of departments that are affected by various policies, regulatory requirements, and laws to ensure that their approach to compliance is effective. For example, a particular credit card Point of Sale system (POS) can be implemented at a point in time on your campus, and your reviews may indicate that the application is in full compliance with PCI DSS. However, two years later, the payment application may no longer be considered fully compliant by the PCI SSC and if reviews aren’t conducted on a recurring basis, this could result in non-compliance with PCI DSS requirements. It is good to get an independent review of security risks and controls to ensure impartiality and objectivity as well as benefit from fresh eyes. That doesn’t mean it has to be external, just benefit from another colleague reviewing policies in addition to the main author/administrator.  These reviews should be carried out at planned, regular intervals and when any significant, security-relevant changes occur – ISO interprets regular to be at least annually. The auditor will be looking for both regular independent security review and review when significant changes occur, as well as take confidence there is a plan for regular reviews. They will also require evidence that reviews have been carried out and any issues or improvements identified in the reviews are appropriately managed.

Independent Review of Information Security
It is important to have unbiased reviews of information security organization programs and initiatives on a recurring basis in order to measure and ensure effectiveness. Often, these reviews are carried out by multiple parties: internal audit departments, external auditors, and assessments performed by contractors or consultants. It is also important that individuals performing reviews and assessments are qualified to do so. The primary objective of independent reviews is to measure effectiveness and ensure continuous improvements are made. In the event that your organization does not have an internal audit function, you may be able to develop a cooperative agreement with another organization or hire a consulting firm to conduct an audit and/or assessment of specific areas you need to have assessed. Note: For some organizations, an independent review may include representatives from legal counsel, an executive leadership team, and/or a system office.

Compliance with Security Policies and Standards
Managers have a compliance responsibility to make sure that applicable security procedures related to their area of control are implemented and performed correctly to achieve compliance with internal security policies and standards. Many organizations are considering the implementation of Governance, Risk, and Compliance (GRC) solutions to automate compliance reviews and reporting, as well as assisting with determining corrective actions that need to be managed. Take a look at Governance, Risk, and Compliance (GRC) Systems to help you determine if a GRC system is a good investment for your information security program. ISMS managers should regularly review the compliance of information processing and procedures within their area of responsibility. Policies are only effective if they are enforced and compliance is tested and reviewed on a regular periodic basis. It is usually the responsibility of the line management to ensure that their subordinate staff complies with organizational policies and controls but this should be complemented by occasional independent review and audit. Where non-compliance is identified, it should be logged and managed, identifying why it occurred, how often it is occurring and the need for any improvement actions either relating to the control or to the awareness, education, or training of the user that caused the non-compliance. The auditor will be looking to see that both; Proactive preventative policies, controls, and awareness programs are in place, implemented, and effective; and Reactive compliance monitoring, review, and audit are also in place. They will also be looking to see that there is evidence of how improvements are made over time to ensure an improvement in compliance levels or maintenance if compliance is already at 100%. This dovetails into the main requirements of ISO 27001 for 9 and 10 around internal audits, management reviews, improvements, and non-conformities too.  Staff awareness and engagement in line with A 7.2.2 is also important to tie into this part for compliance confidence.

Technical Compliance Reviews
Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards. Automated tools are normally used to check systems and networks for technical compliance and these should be identified and implemented as appropriate. Where tools such as these are used, it is necessary to restrict their use to a few authorized personnel as to possible and to carefully control and coordinate when they are used to prevent compromise of system availability and integrity. Adequate levels of compliance testing will be dependent on business requirements and risk levels, and the auditor will expect to see evidence of these considerations being made. They will also expect to be able to inspect testing schedules and records. Technical compliance reviews are also performed by many organizations. From vulnerability and DLP (data loss prevention) assessments to penetration testing, there are a number of technical solutions available to help information security teams conduct effective reviews of IT infrastructure and the information lifecycle (processing, transmitting, storing). Some of these tools can disrupt business and IT operations if used by untrained individuals, which leads some campuses to use third parties for these purposes. However, these examinations are just a ‘snapshot’ at a point in time and must be repeated at recurring intervals in order to become an effective method or process.


Back to Home Page

If you need assistance or have any doubt and need to ask any question contact me at You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s