
A.18.1.1 Identification of Applicable Legislation & Contractual Requirements

A good control describes how all relevant legislative, statutory, regulatory and contractual requirements, and the
organisation’s approach to meeting these requirements, should be explicitly identified, documented and kept up to date
for each information system and for the organisation. Put in simple terms, the organisation needs to ensure that it is
keeping up to date with, and documenting, the legislation and regulation that affect the achievement of its business
objectives and the outcomes of the ISMS.
It is important that the organisation understands the legislation, regulation and contractual requirements with which
it must comply, and these should be centrally recorded in a register to allow for ease of management and coordination.
The identification of what is relevant will largely depend on where the organisation is located or operates, the nature
of the organisation’s business, and the nature of the information being handled within the organisation.
Identifying the relevant legislation, regulation and contractual requirements is likely to include engagement
with legal experts, regulatory bodies and contract managers.
This is an area that often catches organisations out, as there is generally far more legislation and regulation impacting
the organisation than is first considered. The auditor will be looking to see how the organisation has identified and
recorded its legal, regulatory and contractual obligations, the responsibilities for meeting such requirements, and
any necessary policies, procedures and other controls required for meeting those obligations.
Additionally, they will look to see that this register is maintained on a regular basis against any relevant change,
especially in legislation across common areas by which they would expect any organisation to be impacted.

A.18.1.2 Intellectual Property Rights

A good control describes how appropriate procedures ensure compliance with legislative, regulatory and
contractual requirements related to intellectual property rights and the use of proprietary software products. Put into
simple terms, the organisation should implement appropriate procedures which ensure it complies with all its
requirements, whether legislative, regulatory or contractual, related to its use of software products or to
intellectual property rights.
There are two aspects of IPR management to consider: protection of IPR owned by the organisation, and prevention
of misuse or breach of others’ IPR. The former will also be addressed under A.13.2.4 for non-disclosure and
confidentiality agreements, where we also suggest firms manage their broader master contracts with third parties,
and within A.15 for the supply chain specifically. For staff, A.7.1.2 Terms and conditions of employment will
cover IPR too.
Policies, processes and technical controls are likely to be needed for both of these aspects. Within asset registers
and acceptable use policies it is likely that IPR considerations will need to be made, e.g. where an asset is or contains
IPR, the protection of that asset must take the IPR aspect into account. Controls to ensure that only authorised and licensed
software is in use within the organisation should include regular inspection and audit.
The auditor will want to see that registers of licences owned by the organisation for the use of others’ software and
other assets are being kept and updated. Of particular interest to them will be ensuring that, where licences include
a maximum number of users or installations, that number is not exceeded and user and installation numbers
are audited periodically to check compliance. The auditor will also be looking at how the organisation protects its
own IPR, which might include data loss prevention controls, policies and awareness programmes targeting user
education, and non-disclosure and confidentiality agreements that continue after termination of employment.

A.18.1.3 Protection of Records

A good control describes how records are protected from loss, destruction, falsification, unauthorised access and
unauthorised release, in accordance with legislative, regulatory, contractual and business requirements.
Different types of record will likely require different levels and methods of protection. It is critical that records are
adequately and proportionately protected against loss, destruction, falsification, unauthorised access or release. The
protection of records must comply with any relevant legislation, regulation or contractual obligations. It is especially
important to understand how long records must, should or could be kept for, and what technical or physical issues
might affect them over time, bearing in mind that some legislation might take precedence over other legislation for retention and protection.
The auditor will be checking to see that considerations for the protection of records have been made based on
business requirements and legal, regulatory and contractual obligations.

A.18.1.4 Privacy & Protection of Personally Identifiable Information

A good control describes how privacy and the protection of personally identifiable information are assured in line with
relevant legislation and regulation. Any information handled that contains personally identifiable information (PII) is likely to
be subject to the obligations of legislation and regulation. PII is especially likely to have high requirements for
confidentiality and integrity, and in some cases availability as well (e.g. health information, financial
information). Under some legislation (e.g. the GDPR) some types of PII are additionally defined as “sensitive” and
require further controls to ensure compliance.
It is important that awareness campaigns are used with staff and stakeholders to ensure a repeated understanding
of individual responsibility for protecting PII and privacy. The auditor will be looking to see how PII is handled, whether the
appropriate controls have been implemented, and whether they are being monitored, reviewed and where necessary improved.
They will also be looking to check that handling requirements are being met and audited suitably. Additional
responsibilities exist too; for example, the GDPR will expect a regular audit of areas where personal data is at risk. Smart
organisations will tie these audits in alongside their ISO 27001 audits and avoid duplication or gaps.

A.18.1.5 Regulation of Cryptographic Controls

A good control describes how cryptographic controls are used in compliance with all relevant agreements, legislation
and regulations. The use of cryptographic technologies is subject to legislation and regulation in many territories, and
it is important that an organisation understands those that are applicable and implements controls and awareness
programmes that ensure compliance with such requirements. This is especially true when cryptography is
transported to, or used in, territories other than the organisation’s or user’s normal place of residence or
operation. Trans-border import/export laws may include requirements relating to cryptographic technologies or their
usage. The auditor will be looking to see that considerations for the appropriate regulation of cryptographic controls
have been made, and that relevant controls and awareness programmes have been implemented to ensure compliance.

What is the objective of Annex A.18.2 of ISO 27001:2013?

Annex A.18.2 is about information security reviews. The objective in this Annex is to ensure that information security
is implemented and operated in accordance with the organisational policies and procedures.

A.18.2.1 Independent Review of Information Security

A good control describes how the organisation’s approach to managing information security and its implementation (i.e.
control objectives, controls, policies, processes and procedures for information security) is reviewed independently
at planned intervals or when significant changes occur.
It is good to get an independent review of security risks and controls to ensure impartiality and objectivity, as well as
to benefit from fresh eyes. That doesn’t mean it has to be external; it is enough to benefit from another colleague reviewing
policies in addition to the main author/administrator. These reviews should be carried out at planned, regular
intervals and when any significant, security-relevant changes occur; ISO interprets regular to mean at least annually.
The auditor will be looking for both regular independent security review and review when significant changes occur,
and will take confidence from there being a plan for regular reviews. They will also require evidence that reviews have been
carried out and that any issues or improvements identified in the reviews are appropriately managed.

A.18.2.2 Compliance with Security Policies & Standards

ISMS managers should regularly review the compliance of information processing and procedures within their area
of responsibility. Policies are only effective if they are enforced and compliance is tested and reviewed on a regular,
periodic basis. It is usually the responsibility of line management to ensure that their subordinate staff comply
with organisational policies and controls, but this should be complemented by occasional independent review and
audit. Where non-compliance is identified, it should be logged and managed, identifying why it occurred, how often
it is occurring, and the need for any improvement actions, either relating to the control or to the awareness, education
or training of the user that caused the non-compliance. The auditor will be looking to see that both proactive
preventative policies, controls and awareness programmes are in place, implemented and effective, and that reactive
compliance monitoring, review and audit are also in place. They will also be looking to see that there is evidence of
how improvements are made over time to ensure an improvement in compliance levels, or maintenance if
compliance is already at 100%. This dovetails into the main requirements of ISO 27001 clauses 9 and 10 around internal
audits, management reviews, improvements and non-conformities too. Staff awareness and engagement in line
with A.7.2.2 is also important to tie into this part for compliance confidence.

A.18.2.3 Technical Compliance Review

Information systems should be regularly reviewed for compliance with the organisation’s information security
policies and standards. Automated tools are normally used to check systems and networks for technical compliance,
and these should be identified and implemented as appropriate. Where such tools are used, it is necessary
to restrict their use to as few authorised personnel as possible and to carefully control and coordinate when they are
used, to prevent compromise of system availability and integrity. Adequate levels of compliance testing will be
dependent on business requirements and risk levels, and the auditor will expect to see evidence of these
considerations being made. They will also expect to be able to inspect testing schedules and records.
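As an added illustration of what an automated technical compliance check looks like in practice (this is example code written for this page, not a tool from ISO or from the page's author), the script below compares a collected host configuration against a written baseline and produces both the findings and a review record of who ran the check and when, which is the kind of evidence an auditor will ask to inspect. The baseline directives, the acceptable values and the sample sshd_config-style text are all constructed assumptions for the example; a real baseline would come from the organisation's own standard.

```python
"""Technical compliance check of a host configuration against a baseline (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed baseline: directive (lower-cased) -> set of acceptable values.
# In practice this would be derived from the organisation's own hardening standard.
BASELINE: Dict[str, set] = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"3", "4"},
}

# Constructed sample of an sshd_config-style file as collected from a host (not a real host).
SAMPLE_CONFIG = """\
# constructed sample configuration
Port 22
PermitRootLogin yes
PasswordAuthentication no
# X11Forwarding is commented out, so the directive is absent from the effective config
#X11Forwarding yes
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: Tuple[str, ...]
    observed: Optional[str]  # None when the directive is absent from the collected config
    compliant: bool


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' / 'Key=value' lines, skipping blanks and comments.

    Keys are treated case-insensitively and the first occurrence wins, which matches
    how sshd applies the first matching directive.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # directive without a value; nothing to compare
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def check(settings: Dict[str, str], baseline: Dict[str, set] = BASELINE) -> List[Finding]:
    """Compare collected settings with the baseline; an absent directive is non-compliant,
    because the effective default cannot be shown to meet the standard."""
    findings = []
    for directive, allowed in baseline.items():
        observed = settings.get(directive)
        ok = observed is not None and observed.lower() in allowed
        findings.append(Finding(directive, tuple(sorted(allowed)), observed, ok))
    return findings


def review_record(findings: List[Finding], reviewer: str, host: str) -> dict:
    """Evidence record for the audit trail: who ran the review, when, against which host,
    and which directives were found non-compliant."""
    return {
        "host": host,
        "reviewer": reviewer,
        "run_at": datetime.now(timezone.utc).isoformat(),
        "checked": len(findings),
        "non_compliant": [f.directive for f in findings if not f.compliant],
    }


if __name__ == "__main__":
    results = check(parse_config(SAMPLE_CONFIG))
    for f in results:
        status = "OK " if f.compliant else "FAIL"
        print(f"{status} {f.directive}: observed={f.observed!r} expected one of {f.expected}")
    print(review_record(results, reviewer="example-reviewer", host="example-host"))
```

The review record is kept separate from the findings on purpose: the findings answer "is the system compliant", while the record answers "who checked, when, and against what", which is what supports the testing schedules and records the auditor expects to inspect.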
