CYBERINFO

Control 5.31: Legal, Statutory, Regulatory and Contractual Requirements


Summary

The organization should identify, document, and keep up to date all legal, statutory, regulatory, and contractual requirements relevant to information security, together with its approach to meeting them. Compliance with these mandates is non-negotiable: failing them puts the organization's legal license to operate at risk.


Applicability

In-Scope: Mandatory for all organizations to ensure they are aware of their legal obligations (e.g., Law 25 in Quebec, GDPR, or specific industry regulations).

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Compliance Mapping: Use the assessment templates in Microsoft Purview Compliance Manager (e.g., ISO 27001, SOC 2, HIPAA) to map each regulatory control to improvement actions in the tenant. Only some improvement actions are tested automatically against tenant configuration (via Secure Score); the rest require uploaded evidence and manual testing, so the compliance score alone is not proof of compliance.

  • Data Sovereignty: The data location of core services is fixed by the country/region chosen when the tenant was created (Microsoft 365 admin center > Settings > Org settings > Organization profile > Data location). Verify that it matches the residency requirements recorded in your register; if a law requires data to be held in another region, the Multi-Geo or Advanced Data Residency add-ons are needed rather than a settings change. Data location only governs where data is stored, not which jurisdictions can lawfully compel access to it, so record both aspects in the register.

  • Auditing: Verify that unified audit logging is enabled (Audit (Standard) is on by default for most tenants) and configure audit log retention policies so that records are kept for as long as the identified laws and contracts require. Audit (Premium) supports retention policies of up to one year, or up to ten years with the 10-Year Audit Log Retention add-on license. The default retention is shorter than many statutory retention periods, so record the required period in the register alongside the policy that satisfies it.
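The following PowerShell script is an added example, not part of the original page or of any Microsoft tooling, showing how a practitioner might collect the audit-related evidence for this control in one run: it checks that unified audit ingestion and mailbox auditing are on, reads the tenant's audit log retention policies, compares them with a retention period taken from the legal/regulatory register, and writes the result to a JSON file for the audit file. It assumes the ExchangeOnlineManagement module is installed and the account holds a role that can read audit configuration (e.g., Compliance Administrator). The parameter `$RequiredRetentionDays` and the output path are hypothetical values you would replace with those from your own register.

```powershell
# Added example (not from the original page): gather Control 5.31 audit evidence from Microsoft 365.
# Assumes the ExchangeOnlineManagement module and an account that can read audit settings.
param(
    # Hypothetical: the longest audit-record retention demanded by any law or contract in your register.
    [int]$RequiredRetentionDays = 365,
    # Hypothetical output location for the evidence file.
    [string]$EvidencePath = ".\control-5.31-audit-evidence.json"
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false   # Exchange Online cmdlets (Get-AdminAuditLogConfig, Get-OrganizationConfig)
Connect-IPPSSession                         # Security & Compliance cmdlets (Get-UnifiedAuditLogRetentionPolicy)

# 1. Unified audit log ingestion must be on, otherwise there is no log to retain.
$auditCfg    = Get-AdminAuditLogConfig
$ingestionOn = [bool]$auditCfg.UnifiedAuditLogIngestionEnabled

# 2. Mailbox auditing is on by default; AuditDisabled = $true means it was switched off tenant-wide.
$orgCfg         = Get-OrganizationConfig
$mailboxAuditOn = -not $orgCfg.AuditDisabled

# 3. Translate the RetentionDuration enum of each Audit (Premium) retention policy into days.
#    Unknown values map to 0 so they are flagged rather than silently accepted.
$durationDays = @{
    'ThreeMonths'  = 90
    'SixMonths'    = 180
    'NineMonths'   = 270
    'TwelveMonths' = 365
    'TenYears'     = 3650
}
$policies = Get-UnifiedAuditLogRetentionPolicy | ForEach-Object {
    $days = $durationDays[[string]$_.RetentionDuration]
    if ($null -eq $days) { $days = 0 }
    [pscustomobject]@{
        Name        = $_.Name
        Priority    = $_.Priority
        Duration    = [string]$_.RetentionDuration
        Days        = $days
        RecordTypes = ($_.RecordTypes -join ',')
        MeetsTarget = ($days -ge $RequiredRetentionDays)
    }
}

# 4. Build the gap list that would go into a non-compliance report.
#    Without a policy, Microsoft's defaults apply (180 days for Audit (Standard), one year for
#    Audit (Premium) at the time of writing); check current documentation before relying on them.
$gaps = @()
if (-not $ingestionOn)    { $gaps += 'Unified audit log ingestion is disabled' }
if (-not $mailboxAuditOn) { $gaps += 'Mailbox auditing is disabled tenant-wide' }
if (-not ($policies | Where-Object { $_.MeetsTarget })) {
    $gaps += "No audit retention policy keeps records for at least $RequiredRetentionDays days"
}

# 5. Write a timestamped evidence record and show it on screen.
$evidence = [pscustomobject]@{
    CollectedUtc          = (Get-Date).ToUniversalTime().ToString('o')
    Control               = '5.31'
    RequiredRetentionDays = $RequiredRetentionDays
    UnifiedAuditIngestion = $ingestionOn
    MailboxAuditing       = $mailboxAuditOn
    RetentionPolicies     = @($policies)
    Gaps                  = @($gaps)
    Compliant             = ($gaps.Count -eq 0)
}
$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path $EvidencePath -Encoding UTF8
$evidence | Format-List

Disconnect-ExchangeOnline -Confirm:$false   # closes both the Exchange Online and the compliance session
```

Run it on a schedule that matches the review cadence recorded in the register, and keep the JSON output with the compliance assessment records; the `Gaps` array is the input to the non-compliance reporting process the auditor will ask about.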


Evidence Checklist

  • Legal/Regulatory Register: A maintained list of all laws and regulations that apply to the organization's information security.

  • Contractual Requirements: Excerpts from client or partner contracts that specify security obligations.

  • Compliance Assessments: Records of periodic reviews conducted to ensure that the organization remains in compliance with the identified requirements.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How does the organization stay informed about changes in the legal and regulatory landscape (e.g., new privacy laws)?

  • Can you demonstrate how your specific technical settings in Microsoft 365 satisfy a particular legal requirement (like data encryption)?

  • Who is responsible for ensuring that security clauses in client contracts are actually implemented by the technical teams?

  • What is the process for reporting a non-compliance issue once it has been identified internally?