ISO27001 and Annex Clause 18 – The Compliance Requirement

Every standard has a requirement that you understand and meet your legal, statutory, regulatory, or contractual obligations. Organisations should have a register to manage these things, where you can list out what each requirement is and how you meet it. It shouldn't take a standard to tell you that you need to meet your obligations, but for some organisations it does, so ISO27001 has a requirement specifically around these things, and you need to commit to meeting them.

The ISO27001 standard for information security management splits the compliance requirements into two sections: A.18.1 Compliance with legal and contractual requirements, and A.18.2 Information security reviews. You can think of A.18.1 as being largely driven by internal resources and A.18.2 as driven by external resources.

A.18.1 Compliance with legal and contractual requirements

The objective of this clause is simple and should be an underlying theme within your information security management system: "To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements."

To do this, the standard has laid out 5 controls that you need to think about.

A.18.1.1 Identification of applicable legislation and contractual requirements

The key point in this requirement is that all your legal, statutory, regulatory, or contractual obligations "shall be explicitly identified, documented and kept up to date". Notice the "shall", meaning it's not optional. This is about building your compliance register and then putting in a system that keeps you on top of the various requirements, so you know whether they have changed, for example because of a law change or a contract change. Having something that will remind you to recheck these things is a pretty useful tool, as your list could get fairly long.

A.18.1.2 Intellectual property rights

Here, the standard requires you to implement procedures aimed at ensuring that the way you manage your IP is in line with all the requirements you have identified as applicable legal and contractual requirements. This includes things like your ability to use proprietary software or anything custom written, for example.

A.18.1.3 Protection of records

Since ISO27001 for information security is all about protecting your information, it's reasonable to expect the standard to require you to protect your records from loss, destruction, falsification, unauthorised access or unauthorised release. In other words, you need to implement processes and systems to ensure that your records are safe.

A.18.1.4 Privacy and protection of personally identifiable information

Personally Identifiable Information (PII) should always be protected. Even if you aren't looking to achieve ISO27001 for information security management systems, most countries have a Privacy Act in some form which covers this requirement. Personally Identifiable Information is quite broad and is normally defined as any information related to an identifiable person, i.e. if you look at some data and by reading it you know who that person is, or you would be able to easily discover who the person is, then it's PII.

A.18.1.5 Regulation of cryptographic controls

Clause A.18.1.5 of ISO27001 covers the requirement to use cryptographic controls in compliance with all relevant agreements, legislation, and regulations. In other words, if any of those areas requires you to have a cryptographic control in place, it needs to be there. A cryptographic control may just be a digital signature, a secure electronic key, or a specific level of encryption that is in place.

A.18.2 Information security reviews

This final clause of ISO27001 for information security has the objective of ensuring that "information security is implemented and operated in accordance with the organisational policies and procedures." Or, to put it another way, you are doing what you say you are doing. It's not enough to say this yourself; you need to have independent verification that you are.

A.18.2.1 Independent review of information security

The key requirement here is another "shall" statement: control objectives, controls, policies, processes and procedures for information security shall be reviewed independently at planned intervals or when significant changes occur.

The definition of "significant" isn't given, and it's something you are going to have to define within your own system as part of the process. Independent means independent: it's not a member of staff doing this. You also need to have a plan as to when it would happen, e.g. every 6 months or perhaps every year.

A.18.2.2 Compliance with security policies and standards

This is another review requirement, this time around information processing and procedures. Importantly, however, the standard states that managers shall review their area of responsibility. It doesn't say managers can appoint someone or a delegate; it says managers. That is important: it's the manager's responsibility to ensure their areas are working within the requirements you have set out around security policies and any other requirements. This could be done as planned audits, for example, but audits done by anyone other than the manager of that area don't count.

A.18.2.3 Technical compliance review

The final requirement of the ISO27001:2013 Information Security Management Systems standard is that your "information systems shall be regularly reviewed for compliance with the organization's information security policies and standards". This means that you need to be reviewing these on a planned basis, via something like an internal audit, to ensure that the information systems you are using are meeting your own requirements.

Copyright

© Many Caps Consulting | All Rights Reserved

Sunday, 18 January 2026