A.5.31 / A.5.34 / A.5.35 — Are legal, regulatory and privacy obligations identified, and is the ISMS subject to independent review?
Demonstrate that the organization maintains a complete register of legal, regulatory, and privacy obligations affecting its ISMS, and that the ISMS undergoes scheduled independent reviews to verify compliance with these obligations and internal policies.
Description
What this control does
This combined control ensures the organization systematically identifies and maintains a current inventory of all applicable legal, statutory, regulatory, contractual, and privacy obligations relevant to information security and data protection. It requires that the information security management system (ISMS) undergo periodic independent review to verify compliance with these obligations and with the organization's own policies. The control bridges legal, statutory, regulatory and contractual requirements (A.5.31), privacy and protection of personal data (A.5.34), and independent review of information security (A.5.35), creating a closed-loop governance process in which obligations are documented, mapped to controls, independently verified, and the review findings fed back into the ISMS. Independence does not require an external party: an internal audit function or reviewers with no responsibility for operating the ISMS also qualify, provided the separation is documented.
Control objective
What auditing this proves
Demonstrate that a complete, owned and maintained register of legal, regulatory, contractual, and privacy obligations exists, that each obligation is traceable to the ISMS policies and controls that satisfy it, and that the ISMS is reviewed on a defined schedule by reviewers independent of its operation, with findings tracked to closure.
Associated risks
Risks this control addresses
- Regulatory penalties and fines due to unidentified or unaddressed compliance obligations (e.g., GDPR, HIPAA, PCI DSS requirements)
- Breach of contractual obligations with customers, partners, or vendors resulting in litigation or termination
- Unauthorized cross-border data transfers violating data sovereignty or localization laws
- Failure to implement required security controls mandated by sector-specific regulations (financial services, healthcare, critical infrastructure)
- Insider bias or blind spots in self-assessment leading to undetected control deficiencies or policy violations
- Privacy violations from processing personal data without lawful basis, adequate notices, or data subject rights mechanisms
- Reputational damage and loss of customer trust following public disclosure of non-compliance or regulatory enforcement actions
Testing procedure
How an auditor verifies this control
- Request and review the current legal, regulatory, and privacy obligations register or compliance matrix maintained by the organization.
- Verify the register includes jurisdiction-specific laws, industry regulations, contractual requirements, and data protection obligations applicable to all business units and geographies, and that each entry records its source, the entities and jurisdictions in scope, an accountable owner, the controls that satisfy it, and the date it was last reviewed.
- Examine the documented methodology and frequency for updating the obligations register, including responsibility assignments and triggers for review (e.g., new jurisdictions, services, or regulation changes).
- Select a sample of 5-7 obligations from the register and trace each to corresponding ISMS policies, procedures, or technical controls demonstrating implementation.
- Obtain evidence of the most recent independent review of the ISMS, verifying reviewer independence (an external auditor, the internal or corporate audit function, or staff from another part of the organization who have no responsibility for operating or managing the ISMS) and that the review was carried out on the planned schedule.
- Review the scope, findings, and recommendations from the independent review, confirming it covered compliance with legal/regulatory obligations and ISMS policy adherence.
- Interview the compliance officer or legal counsel to assess their involvement in identifying new obligations and communicating changes to the ISMS team.
- Verify that independent review findings have been tracked, remediated, and closed within documented timeframes, with evidence of management acceptance of residual risks where applicable.