ISO/IEC 27001•

ISO 27001 – Annex A.18: Compliance

See it in action
By Max Edwards | Updated 14 December 2023

Please be aware that as of October 2022, ISO 27001:2013 was revised and is now known as ISO 27001:2022. Please see the full revised ISO 27001 Annex A Controls to see the most up-to-date information.

See revised Annex A controls

Jump to topic


What is the objective of Annex A.18.1?

Annex A.18.1 is about compliance with legal and contractual requirements. The objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

It’s an important part of the information security management system (ISMS) especially if you’d like to achieve ISO 27001 certification.

A.18.1.1 Identification of Applicable Legislation & Contractual Requirements

A good control describes how all relevant legislative statutory, regulatory, contractual requirements, and the organisation’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organisation. Put in simple terms, the organisation needs to ensure that it is keeping up to date with and documenting legislation and regulation that affects achievement of its business objectives and the outcomes of the ISMS.

It is important that the organisation understands the legislation, regulation and contractual requirements with which it must comply and these should be centrally recorded in register to allow for ease of management and coordination. The identification of what is relevant will largely depend on; Where the organisation is located or operates; What the nature of the organisation’s business is; and The nature of information being handled within the organisation. The Identification of the relevant legislation, regulation and contractual requirements is likely to include engagement with legal experts, regulatory bodies and contract managers.

This is an area that often catches organisations out as there is generally far more legislation and regulation impacting the organisation than is first considered. The auditor will be looking to see how the organisation has identified and recorded its legal, regulatory and contractual obligations; the responsibilities for meeting such requirements and any necessary policies, procedures and other controls required for meeting the controls.

Additionally, they will look to see that this register is maintained on a regular basis against any relevant change – especially in legislation across common areas that they would expect any organisation to be impacted by.

A.18.1.2 Intellectual Property Rights

A good control describes how the appropriate procedures ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. Put into simple terms, the organisation should implement appropriate procedures which ensure it complies with all its requirements, whether they are legislative, regulatory or contractual – related to its use of software products or intellectual property rights.

There are two aspects of IPR management to consider; Protection of IPR owned by the organisation; and Prevention of misuse or breach of other’s IPR. The former will also be addressed with A.13.24 for non-disclosure and confidentiality agreements, where we also suggest firms manage their broader master contracts with third parties from, and also within A.15 for supply chain specifically. For staff, A7.1.2 Terms and conditions of employment will be covering IPR too.

Policies, processes and technical controls are likely to be needed for both of these aspects. Within asset registers and acceptable use policies it is likely that IPR considerations will need to be made – e.g. where an asset is or contains IPR protection of this asset must consider the IPR aspect. Controls to ensure that only authorised and licensed software are in use within the organisation should include regular inspection and audit.

The auditor will want to see that registers of licenses owned by the organisation for use of others’ software and other assets are being kept and updated. Of particular interest to them will be ensuring that where licenses include a maximum number of users or installations, that this number is not exceeded and user and installation numbers are audited periodically to check compliance. The auditor will also be looking at how the organisation protects its own IPR, which might include; Data loss and prevention controls; Policies and awareness programmes targeting user education; or Non-disclosure and confidentiality agreements that continue post termination of employment.

A.18.1.3 Protection of Records

A good control describes how records are protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with the legislatory, regulatory, contractual and business requirements.

Different types of record will likely require different levels and methods of protection. It is critical that records are adequately and proportionality protected against loss, destruction, falsification, unauthorised access or release. The protection of records must comply with any relevant legislation, regulation or contractual obligations. It is especially important to understand how long records must, should or could be kept for and what technical or physical issues might affect these over time – bearing in mind that some legislation might trump others for retention and protection. The auditor will be checking to see that considerations for the protection of records has been made based on business requirements, legal, regulatory and contractual obligations.

A.18.1.4 Privacy & Protection of Personally Identifiable Information

A good control describes how privacy and protection of personally identifiable information is assured for relevant legislation and regulation. Any information handled that contains personally identifiable information (PII) is likely to be subject to the obligations of legislation and regulation. PII is especially likely to have high requirements for confidentiality and integrity, and in some cases availability as well (e.g. health information, financial information). Under some legislation (e.g. the GDPR) some types of PII are defined as additionally “sensitive” and require further controls to ensure compliance.

It is important that awareness campaigns are used with staff and stakeholders to ensure a repeated understanding of individual responsibility for protecting PII and privacy. The auditor will be looking to see how PII is handled, if the appropriate controls have been implemented, are they being monitored, reviewed and where necessary improved. They will also be looking to check that handling requirements are being met, and audited suitably. Additional responsibilities exist too, for example GDPR will expect a regular audit for areas where personal data is at risk. Smart organisations will tie these audits up alongside their ISO 27001 audits and avoid duplication or gaps.

A.18.1.5 Regulation of Cryptographic Controls

A good control describes how cryptographic controls are used in compliance with all relevant agreements, legislation and regulations. The use of cryptographic technologies is subject to legislation and regulation in many territories and it is important that an organisation understands those that are applicable and implements controls and awareness programmes that ensure compliance with such requirements. This is especially true when cryptography is transported or used in territories other than the organisation’s or user’s normal place of residence or operation. Trans-border import/export laws may include requirements relating to cryptographic technologies or usage. The auditor will be looking to see that considerations for the appropriate regulation of cryptographic controls have been made and relevant controls and awareness programmes implemented to ensure compliance.


What is the objective of Annex A.18.2?

Annex A.18.2 is about information security reviews. The objective in this Annex is to ensure that information security is implemented and operated in accordance with the organisational policies and procedures.

A.18.2.1 Independent Review of Information Security

A good control describes the organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) is reviewed independently at planned intervals or when significant changes occur.

It is good to get an independent review of security risks and controls to ensure impartiality and objectivity as well as benefit from fresh eyes. That doesn’t mean it has to be external, just benefit from another colleague reviewing policies in addition to the main author/administrator. These reviews should be carried out at planned, regular intervals and when any significant, security relevant changes occur – ISO interprets regular to be at least annually.

The auditor will be looking for both regular independent security review and review when significant changes occur, as well as take confidence there is a plan for regular reviews. They will also require evidence that reviews have been carried out and any issues or improvements identified in the reviews are appropriately managed.

A.18.2.2 Compliance with Security Policies & Standards

ISMS managers should regularly review the compliance of information processing and procedures within their area of responsibility. Policies are only effective if they are enforced and compliance is tested and reviewed on a regular periodic basis. It is usually the responsibility of the line management to ensure that their subordinate staff comply with organisational policies and controls but this should be complemented by occasional independent review and audit. Where non-compliance is identified, it should be logged and managed, identifying why it occurred, how often it is occurring and the need for any improvement actions either relating to the control or to the awareness, education or training of the user that caused the non-compliance.

The auditor will be looking to see that both; Proactive preventative policies, controls, and awareness programmes are in place, implemented and effective; and Reactive compliance monitoring, review, and audit are also in place. They will also be looking to see that there is evidence of how improvements are made over time to ensure an improvement in compliance levels or maintenance if compliance is already at 100%. This dovetails into the main requirements of ISO 27001 for 9 and 10 around internal audits, management reviews, improvements, and non-conformities too. Staff awareness and engagement in line with A 7.2.2 is also important to tie into this part for compliance confidence.

A.18.2.3 Technical Compliance Review

Information systems should be regularly reviewed for compliance with the organisation’s information security policies and standards. Automated tools are normally used to check systems and networks for technical compliance and these should be identified and implemented as appropriate. Where tools such as these are used, it is necessary to restrict their use to a few authorised personnel as possible and to carefully control and coordinate when they are used to prevent compromise of system availability and integrity. Adequate levels of compliance testing will be dependent on business requirements and risk levels, and the auditor will expect to see evidence of these considerations being made. They will also expect to be able to inspect testing schedules and records.


How does ISMS.online help with Compliance?

ISMS.online makes much of the compliance side of information security considerably easier. The built-in approval processes and automated reminders for reviews make life much easier and offer up a ‘living plan’ to show auditors you are in control of the ISMS. The pre-populated applicable legislation risk tool includes many common areas of legislation and regulation that are frequently overlooked as well as making that whole area of management easier. Internal and external audits, corrective actions, improvements, and non-conformities are all easily managed with the pre-built tools and features. Human resource compliance, whether staff, suppliers or others is easily demonstrated with the Policy Pack tool as well. ISMS.online partners also offer specialist independent health checks and audit support working inside your platform if required.

Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

ISO 27001 requirements


ISO 27001 Annex A Controls


About ISO 27001


Streamline your workflow with our new Jira integration! Learn more here.