ISO 27001 Information Security Management Standard - Clause A.18

Posted by Craig Thornton

Part 37 - A18 Compliance

It almost goes without saying that when you commit to ISO 27001, you must also commit to all of your legal, statutory, regulatory and contractual obligations.

It seems a strange thing to say but you need to commit to the laws of the countries you are in and the requirements of your customers.

But some organisations do consciously breach these obligations. If you seek ISO 27001 then your organisation can’t consciously breach requirements.

Annex A.18 starts with compliance with legal and contractual requirements.

COMPLIANCE


A.18.1 Compliance with legal and contractual requirements

The objective of this is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

The clause then lists what you need to achieve:

  1. Identification of applicable legislation and contractual requirements. You need to explicitly identify, document and keep up to date all relevant legislative, statutory, regulatory and contractual requirements.
  2. Intellectual property rights. You need to implement appropriate procedures to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
  3. Protection of records. Your records need to be protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements.
  4. Privacy and protection of personally identifiable information. Privacy and personally identifiable information must be protected as required by relevant legislation and regulation where applicable.
  5. Regulation of cryptographic controls. Your cryptographic controls must be used in compliance with all relevant agreements, legislation and regulations.


A.18.2 Information Security Reviews

The objective of this is to ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

  1. Independent review of information security. Your organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur.
  2. Compliance with security policies and standards. Your managers need to regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
  3. Technical compliance review. Your information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.


Takeaways

  1. Commit to the laws of the countries you are in and the requirements of your customers.
  2. Identify the legislation and contractual requirements that apply to you.
  3. Manage intellectual property rights.
  4. Protect your records.
  5. Protect privacy and personally identifiable information.
  6. Ensure your cryptographic controls meet regulation.
  7. Independently review your information security.
  8. Your managers need to regularly review the compliance of information processing and procedures within their area of responsibility.
  9. Conduct technical compliance reviews.
