A.5.31 Legal, Statutory, Regulatory and Contractual Requirements
What is this control?
ISO 27001 control A.5.31 Legal, Statutory, Regulatory and Contractual Requirements ensures the organisation identifies, documents, and maintains compliance with all relevant legal, statutory, regulatory, and contractual requirements related to information security. The organisation maintains a formal register of these requirements and uses Microsoft Purview Compliance Manager to continuously measure technical compliance against applicable regulations including POPIA, GDPR, and UK DPA 2018.
How to implement in Microsoft 365
Implement A.5.31 by establishing a SharePoint-based Legal Register listing all legal, statutory, regulatory, and contractual requirements with sources and mapped ISMS controls. Activate Microsoft Purview Compliance Manager and configure assessment templates for applicable regulations including POPIA and GDPR. Map technical configurations from Intune, Entra, and Purview to the legal requirements.
Conduct annual reviews of the Register, and trigger an immediate review upon significant changes such as operating in a new jurisdiction or the introduction of major legislation. Ensure all cryptographic controls comply with jurisdictional restrictions on the import, export, and use of cryptography.
What an auditor looks for
Auditors will verify that active Microsoft Purview Compliance Manager assessments exist with real-time compliance scores. They will check that the formal Register of Legal, Statutory, Regulatory, and Contractual Requirements is maintained in SharePoint. Auditors will verify that Compliance Manager assessments are mapped to specific regulations including POPIA and GDPR.
They will review the repository of executed supplier contracts as evidence that contractual requirements are managed. Auditors will check for a documented annual review of the Register with CISO sign-off.
Related controls
M365 capabilities that implement this control
Microsoft Purview Communication Compliance