
ISO 27001:2013 A.18 Compliance
isoconsultantkuwait.com/2019/12/24/iso-270012013-a-18-compliance

December 24, 2019

Organizations are subject to numerous laws, regulations, and contractual obligations that
specify requirements related to the appropriate management and protection of diverse
information sets. Understanding and maintaining compliance with these different
requirements is sometimes a difficult road. The path to establishing compliance takes a
complete look at the areas in which your organization has responsibilities, whether legal,
regulatory, contractual, or self-imposed. Important elements to consider when developing
a plan for compliance include the following:

Awareness of relevant regulations/laws. (Do you know what you need to follow?)
Awareness of relevant policies. (Do you know what policies apply to information use?)
Awareness of relevant contractual agreements. (Do you know what agreements your organization has made that impose conditions on the use of data?)
Awareness of relevant standards or best practices. (Do you know what standards or best practices your organization chooses to follow with respect to information use?)
Management of organizational records. (Do you know what you need to keep and for how long?)
Awareness of how records are managed by your organization.
Approach to complying with each item. (Do you know what your organization is doing to follow the law?)
Awareness of internal and/or external audit activities. (Do you know what internal/external audits exist and what is required to meet or pass these reviews?)

The initial process in developing compliance initiatives is to identify which laws,
regulations, and policies are applicable to the organization. To that end, confer with your
legal and/or audit departments, and review the most common federal and state data
protection laws.
1. Identify key stakeholders and/or partners across the organization who regularly deal
with organizational compliance issues (e.g., legal, risk management, privacy, audit). Key
stakeholders may vary from campus to campus.
2. Perform a high-level gap analysis of each compliance requirement that is applicable to
determine where progress needs to be made.
3. Develop a prioritized action plan that will help you organize your efforts (one section of
your Information Security plan).
4. Develop a policy, standard, roles and responsibilities, and/or procedures in
collaboration with other key stakeholders at your organization.
5. Familiarize yourself with common standards and regulations that address specific
requirements.
6. Determine whether Governance, Risk, and Compliance (GRC) solutions can assist you
with managing compliance.

A.18.1 Compliance with legal and contractual requirements


Objective:
To avoid breaches of legal, statutory, regulatory or contractual obligations related to
information security and of any security requirements.

A.18.1.1 Identification of applicable legislation and contractual requirements

Control

All relevant legislative, statutory, regulatory and contractual requirements and the
organization’s approach to meet these requirements should be explicitly identified,
documented and kept up to date for each information system and the organization.

Implementation guidance

The specific controls and individual responsibilities to meet these requirements should
also be defined and documented. Managers should identify all legislation applicable to
their organization in order to meet the requirements for their type of business. If the
organization conducts business in other countries, managers should consider
compliance in all relevant countries.

A.18.1.2 Intellectual property rights

Control
Appropriate procedures should be implemented to ensure compliance with legislative,
regulatory and contractual requirements related to intellectual property rights and use
of proprietary software products.

Implementation guidance

The following guidelines should be considered to protect any material that may be
considered intellectual property:
a) publishing an intellectual property rights compliance policy which defines the legal use of software and information products;
b) acquiring software only through known and reputable sources, to ensure that copyright is not violated;
c) maintaining awareness of policies to protect intellectual property rights and giving notice of the intent to take disciplinary action against personnel breaching them;
d) maintaining appropriate asset registers and identifying all assets with requirements to protect intellectual property rights;
e) maintaining proof and evidence of ownership of licenses, master disks, manuals, etc.;
f) implementing controls to ensure that any maximum number of users permitted within the license is not exceeded;
g) carrying out reviews that only authorized software and licensed products are installed;
h) providing a policy for maintaining appropriate license conditions;
i) providing a policy for disposing of or transferring software to others;
j) complying with terms and conditions for software and information obtained from public networks;
k) not duplicating, converting to another format or extracting from commercial recordings (film, audio) other than permitted by copyright law;
l) not copying in full or in part, books, articles, reports or other documents, other than permitted by copyright law.
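Items b, d, f and g above amount to a recurring reconciliation of what is installed against what the organization can prove it is licensed and authorized to run. The following Python script is an added example, not code from the original post or from any ISO document: the license register, approved-software list and endpoint inventory it uses are constructed sample data, and the product names, hostnames and field names are assumptions.

```python
"""Software license and authorized-software review (A.18.1.2 items b, d, f, g).

Added example, not part of the original post. The register, allowlist and
inventory below are constructed sample data, not real products or hosts.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class License:
    product: str
    seats: int       # maximum installations/users the license permits (item f)
    evidence: str    # where proof of ownership is filed (item e), assumed path


# Constructed license register: what the organization can prove it owns.
LICENSE_REGISTER = {
    "OfficeSuite": License("OfficeSuite", seats=3, evidence="contracts/office-2019.pdf"),
    "DiagramTool": License("DiagramTool", seats=1, evidence="contracts/diagram-2018.pdf"),
    "LogViewer": License("LogViewer", seats=10, evidence="contracts/logviewer.pdf"),
}

# Constructed approved-software list (item g). Free or open-source tools may be
# approved without a seat count, so not every approved product has a license.
APPROVED = {"OfficeSuite", "DiagramTool", "LogViewer", "OpenEditor"}

# Constructed endpoint inventory, as exported from an asset register (item d):
# (hostname, product).
INVENTORY = [
    ("ws-01", "OfficeSuite"),
    ("ws-02", "OfficeSuite"),
    ("ws-03", "OfficeSuite"),
    ("ws-04", "OfficeSuite"),          # fourth install against a 3-seat license
    ("ws-01", "DiagramTool"),
    ("ws-02", "OpenEditor"),
    ("ws-05", "UnapprovedPhotoApp"),   # not on the approved list
]


def review_inventory(inventory, licenses, approved):
    """Compare installed software with the license register and allowlist.

    Returns a dict with three finding lists:
      unauthorized  - installs of products not on the approved list
      over_licensed - products whose install count exceeds licensed seats
      unused        - licensed products with no install (housekeeping)
    """
    installs = Counter(product for _, product in inventory)

    unauthorized = sorted(
        (host, product) for host, product in inventory if product not in approved
    )

    over_licensed = []
    for product, count in installs.items():
        lic = licenses.get(product)
        if lic is not None and count > lic.seats:
            over_licensed.append({"product": product, "installed": count,
                                  "licensed": lic.seats, "evidence": lic.evidence})

    unused = sorted(p for p in licenses if installs[p] == 0)

    return {"unauthorized": unauthorized,
            "over_licensed": over_licensed,
            "unused": unused}


def format_report(findings):
    """Render findings as one line each, for the review record."""
    lines = []
    for host, product in findings["unauthorized"]:
        lines.append(f"UNAUTHORIZED  {product} on {host}")
    for f in findings["over_licensed"]:
        lines.append(f"OVER-LICENSED {f['product']}: {f['installed']} installed, "
                     f"{f['licensed']} licensed (proof: {f['evidence']})")
    for product in findings["unused"]:
        lines.append(f"UNUSED        {product}: licensed but not installed")
    return "\n".join(lines) if lines else "No findings"


if __name__ == "__main__":
    print(format_report(review_inventory(INVENTORY, LICENSE_REGISTER, APPROVED)))
```

An approved product with no license record (OpenEditor here) is deliberately not a finding, since free or open-source tools can be authorized without a seat count; a product that does carry a seat limit is checked against the actual install count, and the evidence path in the register ties each finding back to the proof of ownership that item e requires.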

Other information

Intellectual property rights include software or document copyright, design rights,
trademarks, patents and source code licenses. Proprietary software products are usually
supplied under a license agreement that specifies license terms and conditions, for
example, limiting the use of the products to specified machines or limiting copying to the
creation of backup copies only. The importance and awareness of intellectual property
rights should be communicated to staff for software developed by the organization.
Legislative, regulatory and contractual requirements may place restrictions on the copying
of proprietary material. In particular, they may require that only material that is
developed by the organization, or that is licensed or provided by the developer to the
organization, can be used. Copyright infringement can lead to legal action, which may
involve fines and criminal proceedings.

A.18.1.3 Protection of records

Control
Records should be protected from loss, destruction, falsification, unauthorized access
and unauthorized release, in accordance with legislative, regulatory, contractual and
business requirements.

Implementation guidance
When deciding upon the protection of specific organizational records, their
corresponding classification based on the organization’s classification scheme should be
considered. Records should be categorized into record types, e.g. accounting records,
database records, transaction logs, audit logs and operational procedures, each with
details of retention periods and type of allowable storage media, e.g. paper, microfiche,
magnetic, optical. Any related cryptographic keys and programs associated with
encrypted archives or digital signatures should also be stored to enable decryption of the
records for the length of time the records are retained. Consideration should be given to
the possibility of deterioration of media used for storage of records. Storage and
handling procedures should be implemented in accordance with the manufacturer’s
recommendations. Where electronic storage media are chosen, procedures to ensure the
ability to access data (both media and format readability) throughout the retention
period should be established to safeguard against loss due to future technological
change. Data storage systems should be chosen such that required data can be retrieved
in an acceptable timeframe and format, depending on the requirements to be fulfilled.
The system of storage and handling should ensure identification of records and of their
retention period as defined by national or regional legislation or regulations, if
applicable. This system should permit the appropriate destruction of records after that
period if they are not needed by the organization. To meet these record safeguarding
objectives, the following steps should be taken within an organization:

1. guidelines should be issued on the retention, storage, handling and disposal of
records and information;
2. a retention schedule should be drawn up identifying records and the period of time
for which they should be retained;
3. an inventory of sources of key information should be maintained.
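The retention schedule in step 2 is only useful if it is actually applied to the records, and the guidance’s point that cryptographic keys must be kept for as long as the encrypted records themselves is easy to miss. The Python script below is an added example, not part of the original post: it applies a constructed retention schedule to a constructed set of records, separates records that may now be destroyed from those under legal hold, and flags encrypted records whose key is due to be discarded before their retention period ends. The schedule, key register, record fields, identifiers and dates are all assumptions.

```python
"""Retention-schedule and key-coverage check for records (A.18.1.3).

Added example, not part of the original post. The schedule, key register,
records and review date are constructed sample data; field names are assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed retention schedule (guidance step 2): record type -> years kept.
RETENTION_YEARS = {
    "accounting": 7,
    "audit_log": 3,
    "transaction_log": 5,
}

# Constructed register of archive-encryption keys and the date until which each
# key (and the software needed to use it) is guaranteed to be kept.
KEY_RETAINED_UNTIL = {
    "archive-key-2017": date(2024, 12, 31),
    "archive-key-2020": date(2030, 12, 31),
}

# Constructed date on which the review is run.
REVIEW_DATE = date(2023, 1, 1)


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    created: date
    key_id: Optional[str] = None   # None = stored in clear
    legal_hold: bool = False       # a hold overrides scheduled destruction


# Constructed records, as listed in an inventory of key information (step 3).
RECORDS = [
    Record("ACC-2015-001", "accounting", date(2015, 3, 1), "archive-key-2017"),
    Record("ACC-2019-014", "accounting", date(2019, 6, 30), "archive-key-2017"),
    Record("LOG-2021-777", "audit_log", date(2021, 1, 15), "archive-key-2020"),
    Record("TXN-2016-002", "transaction_log", date(2016, 5, 5), None, legal_hold=True),
]


def add_years(d, years):
    """Move d forward by whole years (29 Feb rolls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record, schedule):
    """Date on which the record's scheduled retention period ends."""
    return add_years(record.created, schedule[record.record_type])


def review_records(records, schedule, key_register, today):
    """Classify each record against the schedule and the key register.

    Returns a dict of lists of record ids:
      destroy      - retention elapsed and no legal hold (step 1: disposal)
      on_hold      - retention elapsed, but a legal hold prevents destruction
      key_gap      - still retained, but its decryption key is due to be
                     discarded before the record's retention ends
      unknown_type - record type missing from the schedule (cannot decide)
    """
    out = {"destroy": [], "on_hold": [], "key_gap": [], "unknown_type": []}
    for r in records:
        if r.record_type not in schedule:
            out["unknown_type"].append(r.record_id)
            continue
        end = retention_end(r, schedule)
        if end <= today:
            out["on_hold" if r.legal_hold else "destroy"].append(r.record_id)
            continue
        if r.key_id is not None:
            key_until = key_register.get(r.key_id)
            if key_until is None or key_until < end:
                out["key_gap"].append(r.record_id)
    return out


if __name__ == "__main__":
    result = review_records(RECORDS, RETENTION_YEARS, KEY_RETAINED_UNTIL, REVIEW_DATE)
    for category, ids in result.items():
        print(f"{category:13}: {', '.join(ids) or '-'}")
```

The key_gap category is the one a records team rarely checks by hand: an encrypted accounting record retained until 2026 whose archive key is scheduled for destruction at the end of 2024 is, in practice, already lost. Records of a type that is absent from the schedule are reported rather than silently treated as disposable.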

Other information
Some records may need to be securely retained to meet statutory, regulatory or
contractual requirements, as well as to support essential business activities. Examples
include records that may be required as evidence that an organization operates within
statutory or regulatory rules, to ensure defence against potential civil or criminal action
or to confirm the financial status of an organization to shareholders, external parties
and auditors. National law or regulation may set the time period and data content for
information retention.

A.18.1.4 Privacy and protection of personally identifiable information

Control
Privacy and protection of personally identifiable information should be ensured as
required in relevant legislation and regulation where applicable.

Implementation guidance
An organization’s data policy for privacy and protection of personally identifiable
information should be developed and implemented. This policy should be communicated
to all persons involved in the processing of personally identifiable information.
Compliance with this policy and all relevant legislation and regulations concerning the
protection of the privacy of people and the protection of personally identifiable
information requires appropriate management structure and control. Often this is best
achieved by the appointment of a person responsible, such as a privacy officer, who
should provide guidance to managers, users and service providers on their individual
responsibilities and the specific procedures that should be followed. Responsibility for
handling personally identifiable information and ensuring awareness of the privacy
principles should be dealt with in accordance with relevant legislation and regulations.
Appropriate technical and organizational measures to protect personally identifiable
information should be implemented.

Other information
ISO/IEC 29100 provides a high-level framework for the protection of personally
identifiable information within information and communication technology systems. A
number of countries have introduced legislation placing controls on the collection,
processing and transmission of personally identifiable information (general
information on living individuals who can be identified from that information).
Depending on the respective national legislation, such controls may impose duties on
those collecting, processing and disseminating personally identifiable information, and
may also restrict the ability to transfer personally identifiable information to other
countries.

A.18.1.5 Regulation of cryptographic controls

Control
Cryptographic controls should be used in compliance with all relevant agreements,
legislation and regulations.

Implementation guidance

The following items should be considered for compliance with the relevant agreements,
laws and regulations:

1. restrictions on import or export of computer hardware and software for
performing cryptographic functions;
2. restrictions on import or export of computer hardware and software which is
designed to have cryptographic functions added to it;
3. restrictions on the usage of encryption;
4. mandatory or discretionary methods of access by the countries’ authorities to
information encrypted by hardware or software to provide confidentiality of
content.

Legal advice should be sought to ensure compliance with relevant legislation and
regulations. Before encrypted information or cryptographic controls are moved across
jurisdictional borders, legal advice should also be taken.

Annex A.18.1 is about compliance with legal and contractual requirements. The objective
is to avoid breaches of legal, statutory, regulatory or contractual obligations related to
information security and of any security requirements. It’s an important part of the
information security management system (ISMS). The goal here is to help outline
effective practices for identifying compliance obligations, as well as the roles and
responsibilities, activities and controls needed to manage all of the organization’s legal,
contractual, and records management requirements.

Identification of Applicable Legislation & Contractual Requirements

A good control describes how all relevant legislative, statutory, regulatory and contractual
requirements and the organization’s approach to meet these requirements should be
explicitly identified, documented and kept up to date for each information system and the
organization. Put in simple terms, the organization needs to ensure that it is keeping up to
date with and documenting legislation and regulation that affects the achievement of its
business objectives and the outcomes of the ISMS. It is important that the organization
understands the legislation, regulation and contractual requirements with which it must
comply, and these should be centrally recorded in the register to allow for ease of
management and coordination. The identification of what is relevant will largely depend
on where the organization is located or operates, the nature of the organization’s
business, and the nature of the information being handled within the organization.
Identifying the relevant legislation, regulation and contractual requirements is likely to
include engagement with legal experts, regulatory bodies and contract managers. This is
an area that often catches organizations out, as there is generally far more legislation
and regulation impacting the organization than is first considered. The auditor will be
looking to see how the organization has identified and recorded its legal, regulatory and
contractual obligations, the responsibilities for meeting such requirements, and any
necessary policies, procedures and other controls required for meeting them.
Additionally, they will look to see that this register is maintained on a regular basis
against any relevant change – especially in legislation across common areas that they
would expect any organization to be impacted by. Legal requirements need to be explicitly
identified and recognized, and a plan put in place for meeting applicable requirements. To
meet this part of compliance, controls should be developed which:

1. Identify the person or persons responsible for ascertaining the legal requirements.
Those requirements should then be placed against the other controls that exist in some
sort of matrix which shows the controls in place to meet the requirements. Each state has
breach laws, personal information protection laws, social security protection laws, or
other laws related to technology furnished at the organization. Each state must be taken
as its own legal island, and an organization must know whether any such laws impact or
enhance its security efforts.
2. Identify the person or persons responsible for reviewing contracts to determine any
information security requirements, whether they are requirements of the organization or
requirements of the vendor. Those requirements should then be placed against the other
controls that exist in some sort of matrix which shows the controls in place to meet the
requirements.

Every contract that involves organizational data must be documented and any controls
specified in that contract must also be documented. It is crucial to know what your
contractual responsibilities are so that you can look at the physical and technical controls
you have in place and determine if they are adequate for the assumed contractual liability.
In instances where contracting parties have access to organizational data, you want to be
sure that you can audit the contractual controls and protections that the other party has
agreed to follow.

Intellectual Property Rights

Intellectual Property (IP) rights are a dominant issue at any organization. Organizations
may have many different types of research and proprietary information that can be
protected via these rights. These rights are also attached to the different technologies
that the organization might buy or license from others (and the rights are then protected
via contract provisions). A good control describes how appropriate procedures ensure
compliance with legislative, regulatory and contractual requirements related to
intellectual property rights and the use of proprietary software products. Put into simple
terms, the organization should implement appropriate procedures which ensure it complies
with all its requirements, whether legislative, regulatory or contractual, related to its
use of software products or intellectual property rights. Policies, processes and
technical controls are likely to be needed for both of these aspects. Within asset
registers and acceptable use policies it is likely that IPR considerations will need to be
made; e.g. where an asset is or contains IPR, protection of this asset must consider the
IPR aspect. Controls to ensure that only authorized and licensed software is in use within
the organization should include regular inspection and audit. The auditor will want to see
that registers of licenses owned by the organization for the use of others’ software and
other assets are being kept and updated. Of particular interest to them will be ensuring
that where licenses include a maximum number of users or installations, this number is
not exceeded and that user and installation numbers are audited periodically to check
compliance. The auditor will also be looking at how the organization protects its own IPR,
which might include data loss prevention controls, policies and awareness programs
targeting user education, or non-disclosure and confidentiality agreements that continue
post-termination of employment. Appropriate controls to identify and protect intellectual
property include:
• An intellectual property rights compliance policy (which meets copyright policy
requirements of certain laws);
• Ensuring proper use of software and other technology licenses;
• Education and awareness on respecting IP rights;
• Keeping track of IP assets.

Protection of Records

A good control describes how records are protected from loss, destruction, falsification,
unauthorized access and unauthorized release, in accordance with legislative, regulatory,
contractual and business requirements. Different types of record will likely require
different levels and methods of protection. It is critical that records are adequately and
proportionately protected against loss, destruction, falsification, unauthorized access or
release. The protection of records must comply with any relevant legislation, regulation
or contractual obligations. It is especially important to understand how long records
must, should or could be kept for and what technical or physical issues might affect these
over time – bearing in mind that some legislation might trump others for retention and
protection. The auditor will be checking to see that considerations for the protection of
records have been made based on business requirements and legal, regulatory and
contractual obligations. Organizations must deal with the issues inherent in managing
organizational records and data, whether electronic or on paper. As part of the compliance
controls at every organization, important records, as well as records we are legally
obligated to retain, need to be protected from loss, destruction and falsification. ISO
has a separate standard, ISO 15489 “Information and Documentation — Records
Management.” This standard goes into greater detail about how an organization recognizes
the context in which records are created, received, used, stored and destroyed as an
implicit part of the data governance process. This “records management” function may be
placed anywhere in an organization, and sometimes it is part of an organization’s IT
structure. Regardless, records management has components of compliance that are
unavoidable. The organization’s policies and guidelines on retention, storage, handling
and disposal of records should be reviewed. Oftentimes this will require a security control
to ensure that these policies and guidelines are carried out properly, including policies
that protect records from loss, destruction or falsification. (Refer to the Records
Retention and Disposition Toolkit for additional information and templates.)

Privacy & Protection of Personally Identifiable Information

A good control describes how privacy and protection of personally identifiable
information are assured as required by relevant legislation and regulation. Any
information handled that contains personally identifiable information (PII) is likely to
be subject to the obligations of legislation and regulation. PII is especially likely to
have high requirements for confidentiality and integrity, and in some cases availability
as well (e.g. health information, financial information). Under some legislation (e.g.
the GDPR) some types of PII are defined as additionally “sensitive” and require further
controls to ensure compliance. It is important that awareness campaigns are used with
staff and stakeholders to ensure a continuing understanding of individual responsibility
for protecting PII and privacy.
protecting PII and privacy. The auditor will be looking to see how PII is handled, if the
appropriate controls have been implemented, are being monitored, reviewed and where
necessary improved. They will also be looking to check that handling requirements are
being met and audited suitably. Additional responsibilities exist too, for example, GDPR
will expect a regular audit for areas where personal data is at risk. Smart organizations
will tie these audits up alongside their ISO 27001 audits and avoid duplication or gaps.

Regulation of Cryptographic Controls


Cryptographic controls should be used in compliance with all relevant agreements, laws,
and regulations. A good control describes how cryptographic controls are used in
compliance with all relevant agreements, legislation, and regulations. The use of
cryptographic technologies is subject to legislation and regulation in many territories and
it is important that an organization understands those that are applicable and implements
controls and awareness programs that ensure compliance with such requirements. This is
especially true when cryptography is transported or used in territories other than the
organization’s or user’s normal place of residence or operation. Trans-border
import/export laws may include requirements relating to cryptographic technologies or
usage. The auditor will be looking to see that considerations for the appropriate
regulation of cryptographic controls have been made and relevant controls and awareness
program implemented to ensure compliance.

A.18.2 Information security reviews


Objective:

To ensure that information security is implemented and operated in accordance with the
organizational policies and procedures.

A.18.2.1 Independent review of information security

Control
The organization’s approach to managing information security and its implementation
(i.e. control objectives, controls, policies, processes and procedures for information
security) should be reviewed independently at planned intervals or when significant
changes occur.

Implementation guidance

Management should initiate an independent review. Such an independent review is
necessary to ensure the continuing suitability, adequacy and effectiveness of the
organization’s approach to managing information security. The review should include
assessing opportunities for improvement and the need for changes to the approach to
security, including the policy and control objectives. Such a review should be carried out
by individuals independent of the area under review, e.g. the internal audit function, an
independent manager or an external party organization specializing in such reviews.
Individuals carrying out these reviews should have the appropriate skills and
experience. The results of the independent review should be recorded and reported to the
management who initiated the review. These records should be maintained. If the
independent review identifies that the organization’s approach and implementation to
managing information security are inadequate, e.g. documented objectives and
requirements are not met or not compliant with the direction for information security
stated in the information security policies, management should consider corrective
actions.

A.18.2.2 Compliance with security policies and standards

Control
Managers should regularly review the compliance of information processing and
procedures within their area of responsibility with the appropriate security policies,
standards and any other security requirements.

Implementation guidance

Managers should identify how to review whether the information security requirements
defined in policies, standards and other applicable regulations are met. Automatic
measurement and reporting tools should be considered for efficient regular review. If any
non-compliance is found as a result of the review, managers should:

1. identify the causes of the non-compliance;
2. evaluate the need for actions to achieve compliance;
3. implement appropriate corrective action;
4. review the corrective action taken to verify its effectiveness and identify any
deficiencies or weaknesses.

Results of reviews and corrective actions carried out by managers should be recorded
and these records should be maintained. Managers should report the results to the
persons carrying out independent reviews when an independent review takes place in
the area of their responsibility.

A.18.2.3 Technical compliance review

Control

Information systems should be regularly reviewed for compliance with the
organization’s information security policies and standards.

Implementation guidance

Technical compliance should be reviewed preferably with the assistance of automated
tools, which generate technical reports for subsequent interpretation by a technical
specialist. Alternatively, manual reviews (supported by appropriate software tools, if
necessary) by an experienced system engineer could be performed. If penetration tests
or vulnerability assessments are used, caution should be exercised as such activities
could lead to a compromise of the security of the system. Such tests should be planned,
documented and repeatable. Any technical compliance review should only be carried out
by competent, authorized persons or under the supervision of such persons.

Other information
Technical compliance reviews involve the examination of operational systems to ensure
that hardware and software controls have been correctly implemented. This type of
compliance review requires specialist technical expertise. Compliance reviews also
cover, for example, penetration testing and vulnerability assessments, which might be
carried out by independent experts specifically contracted for this purpose. This can be
useful in detecting vulnerabilities in the system and for inspecting how effective the
controls are in preventing unauthorized access due to these vulnerabilities. Penetration
testing and vulnerability assessments provide a snapshot of a system in a specific state
at a specific time. The snapshot is limited to those portions of the system actually tested
during the penetration attempt(s). Penetration testing and vulnerability assessments
are not a substitute for risk assessment.

A good control describes how the organization’s approach to managing information security
and its implementation (i.e. control objectives, controls, policies, processes and
procedures for information security) is reviewed independently at planned intervals or
when significant changes occur. The aim is to ensure that information security compliance
requirements are effectively addressed and maintained over time. In order to meet
compliance requirements, it is necessary to continually review the compliance methods,
systems and processes of departments that are affected by various policies, regulatory
requirements and laws, to ensure that their approach to compliance is effective. For
example, a particular credit card Point of Sale (POS) system can be implemented at a point
in time on your campus, and your reviews may indicate that the application is in full
compliance with PCI DSS. However, two years later, the payment application may no longer
be considered fully compliant by the PCI SSC, and if reviews aren’t conducted on a
recurring basis, this could result in non-compliance with PCI DSS requirements. It is good
to get an independent review of security risks and controls to ensure impartiality and
objectivity, as well as to benefit from fresh eyes. That doesn’t mean it has to be
external; it is enough to benefit from another colleague reviewing policies in addition to
the main author/administrator. These reviews should be carried out at planned, regular
intervals and when any significant, security-relevant changes occur – ISO interprets
regular to be at least annually. The auditor will be looking for both regular independent
security review and review when significant changes occur, and will take confidence from a
plan for regular reviews. They will also require evidence that reviews have been carried
out and that any issues or improvements identified in the reviews are appropriately
managed.

Independent Review of Information Security


It is important to have unbiased reviews of information security organization programs
and initiatives on a recurring basis in order to measure and ensure effectiveness. Often,
these reviews are carried out by multiple parties: internal audit departments, external
auditors, and assessments performed by contractors or consultants. It is also important
that individuals performing reviews and assessments are qualified to do so. The primary
objective of independent reviews is to measure effectiveness and ensure continuous
improvements are made. In the event that your organization does not have an internal
audit function, you may be able to develop a cooperative agreement with
another organization or hire a consulting firm to conduct an audit and/or assessment of
specific areas you need to have assessed. Note: For some organizations, an independent
review may include representatives from legal counsel, an executive leadership team,
and/or a system office.

Compliance with Security Policies and Standards


Managers have a compliance responsibility to make sure that applicable security
procedures related to their area of control are implemented and performed correctly to
achieve compliance with internal security policies and standards. Many organizations are
considering the implementation of Governance, Risk, and Compliance (GRC) solutions to
automate compliance reviews and reporting, as well as to assist with determining the
corrective actions that need to be managed. Take a look at Governance, Risk, and
Compliance (GRC) Systems to help you determine if a GRC system is a good investment for
your information security program. ISMS managers should regularly review the compliance
of information processing and procedures within their area of responsibility. Policies
are only effective if they are enforced and compliance is tested and reviewed on a regular
periodic basis. It is usually the responsibility of line management to ensure that their
subordinate staff comply with organizational policies and controls, but this should be
complemented by occasional independent review and audit. Where non-compliance is
identified, it should be logged and managed, identifying why it occurred, how often it is
occurring and the need for any improvement actions, either relating to the control or to
the awareness, education or training of the user that caused the non-compliance. The
auditor will be looking to see that both proactive preventative policies, controls and
awareness programs are in place, implemented and effective, and that reactive compliance
monitoring, review and audit are also in place. They will also be looking to see that
there is evidence of how improvements are made over time to ensure an improvement in
compliance levels, or maintenance if compliance is already at 100%. This dovetails into
the main requirements of ISO 27001 clauses 9 and 10 around internal audits, management
reviews, improvements and non-conformities too. Staff awareness and engagement in line
with A.7.2.2 is also important to tie into this part for compliance confidence.

Technical Compliance Reviews


Information systems should be regularly reviewed for compliance with the organization’s
information security policies and standards. Automated tools are normally used to check
systems and networks for technical compliance, and these should be identified and
implemented as appropriate. Where tools such as these are used, it is necessary to
restrict their use to as few authorized personnel as possible and to carefully control and
coordinate when they are used, to prevent compromise of system availability and
integrity. Adequate levels of compliance testing will depend on business requirements and
risk levels, and the auditor will expect to see evidence of these considerations being
made. They will also expect to be able to inspect testing schedules and records. Technical
compliance reviews are also performed by many organizations. From vulnerability and DLP
(data loss prevention) assessments to penetration testing, there are a number of
technical solutions available to help information security teams conduct effective
reviews of IT infrastructure and the information lifecycle (processing, transmitting,
storing). Some of these tools can disrupt business and IT operations if used by untrained
individuals, which leads some campuses to use third parties for these purposes. However,
these examinations are just a ‘snapshot’ at a point in time and must be repeated at
recurring intervals in order to become an effective method or process.
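A technical compliance review with automated tools (A.18.2.3) and the non-compliance handling managers are expected to do (A.18.2.2: identify the cause, decide and implement a corrective action, verify it) can be modelled together. The Python script below is an added example, not code from the original post or from any product: it evaluates constructed per-host configuration facts against a constructed baseline of four checks, treats a setting that was not collected as a failure rather than a pass, and records the cause, action and verification result on each finding. The baseline, the host facts, the policy reference ids and the field names are all assumptions; in practice the facts would come from the organization’s configuration-management or scanning tool export.

```python
"""Technical compliance review against a configuration baseline (A.18.2.3),
with non-compliance records for managers to act on (A.18.2.2).

Added example, not part of the original post. Baseline, host facts and policy
reference ids are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Check:
    setting: str
    expected: str                   # human-readable requirement
    passes: Callable[[Any], bool]   # predicate over the collected value
    policy_ref: str                 # which (hypothetical) internal standard requires it


# Constructed baseline derived from hypothetical internal standards.
BASELINE = [
    Check("ssh_password_auth", "disabled", lambda v: v is False, "STD-ACC-04"),
    Check("disk_encryption", "enabled", lambda v: v is True, "STD-CRY-01"),
    Check("patch_age_days", "<= 30", lambda v: v is not None and v <= 30, "STD-VUL-02"),
    Check("log_forwarding", "enabled", lambda v: v is True, "STD-LOG-01"),
]

# Constructed host facts, in the shape a scanning tool might export them.
HOST_FACTS = {
    "db-01":  {"ssh_password_auth": False, "disk_encryption": True,
               "patch_age_days": 12, "log_forwarding": True},
    "web-02": {"ssh_password_auth": True, "disk_encryption": True,
               "patch_age_days": 45, "log_forwarding": True},
    "lab-03": {"ssh_password_auth": False, "disk_encryption": False,
               "log_forwarding": False},        # patch_age_days was not collected
}


@dataclass
class Finding:
    host: str
    setting: str
    observed: Any
    expected: str
    policy_ref: str
    cause: str = ""           # A.18.2.2 step 1, filled in by the responsible manager
    action: str = ""          # steps 2 and 3
    verified: bool = False    # step 4


def review(host_facts, baseline):
    """Evaluate every host against every check.

    A fact that was not collected is reported as a finding: an unknown value
    is not evidence of compliance.
    """
    findings = []
    for host, facts in sorted(host_facts.items()):
        for check in baseline:
            observed = facts.get(check.setting)   # None when not collected
            if not check.passes(observed):
                findings.append(Finding(host, check.setting, observed,
                                        check.expected, check.policy_ref))
    return findings


def record_corrective_action(finding, cause, action, verified):
    """Attach the manager's root cause, corrective action and verification result."""
    finding.cause, finding.action, finding.verified = cause, action, verified
    return finding


def open_items(findings):
    """Findings still awaiting a verified corrective action."""
    return [f for f in findings if not f.verified]


def summary(findings):
    """One line per finding, suitable for the review record the auditor will ask for."""
    return "\n".join(
        f"{f.host:7} {f.setting:18} observed={f.observed!r:6} "
        f"expected {f.expected} ({f.policy_ref})"
        for f in findings
    ) or "All checks passed"


if __name__ == "__main__":
    found = review(HOST_FACTS, BASELINE)
    print(summary(found))
    print(f"{len(open_items(found))} finding(s) awaiting verified corrective action")
```

Treating an uncollected value as non-compliant matters in practice: a scanner that silently skips a host or a setting otherwise produces a clean report that is later read as evidence of compliance. Keeping the cause, action and verification on the finding itself is what turns the technical review into the corrective-action record that A.18.2.2 asks managers to maintain.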



If you need assistance or have any doubt and need to ask any question, contact me at
preteshbiswas@gmail.com. You can also contribute to this discussion and I shall be happy
to publish them. Your comments and suggestions are also welcome.
