Purpose of Control 5.31
Laws, regulations and contractual requirements form a large part of an organisation’s information security responsibilities.
Organisations should have a clear understanding of their obligations at any one time, and be prepared to adapt their information security practices in accordance with their role as a responsible data handler.
It’s important to note that Control 5.31 doesn’t list any specific legal, regulatory or contractual terms that organisations either need to enforce or remain compliant with, nor does it set out a procedure for drafting contracts. Control 5.31 instead focuses on what organisations need to consider from an information security perspective, relating to their unique requirements.
Attributes Table
Control 5.31 is a preventive control that modifies risk by offering guidance on how to operate with a robust information security policy that maintains compliance within all relevant legal and regulatory environments.
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality | #Identify | #Legal and Compliance | #Governance and Ecosystem |
| #Integrity | #Protection | |||
| #Availability |
ISO 27001 made easy
An 81% Headstart from day one
We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.
General Guidance on Control 5.31
There are 5 general guidance points to consider. Organisation’s should keep in mind their legal, statutory, regulatory and contractual requirements when:
- Drafting and/or amending their information security procedures and internal policy documents.
- Designing, amending or implementing information security controls.
- Categorising information when considering their broader information security requirements, either for organisational purposes or related to their relationships with a third party (suppliers etc.)
- Undergoing risk assessments relating to information security activities, including internal roles and responsibilities relating to an organisational structure.
- Establishing the nature of a supplier relationship, and their contractual obligations throughout the supply of products and services.
Free yourself from a mountain of spreadsheets
Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.
Legislative and Regulatory Guidance
Organisations should “define and document” internal processes and responsibilities that allow them to:
- Identify, analyse and understand their legislative and regulatory obligations relating to information security, including periodic reviews of legislation and regulations.
- Ensure that they remain compliant across all legislative and regulatory environments in whatever countries they operate in. This extends to the use of products and services that originate outside of the country they usually operate in.
Cryptographic Guidance
In ICT, ‘cryptography’ is a method of protecting information and communications through the use of codes.
As such, the whole concept of encryption and cryptography usually involves specific legal requirements and a considerable amount of topic-specific regulatory guidance that need to be adhered to.
With that in mind, the following guidance needs to be taken into consideration:
- Laws on the import and/or export of hardware or software which either carries out a dedicated cryptographic function, or has the ability to carry out said function.
- Laws relating to the restriction of cryptographic functions.
- Any access to encrypted information that authorities within a country or region have the right to request and enforce.
- The validity and veracity of three key digital elements of encrypted information:
a) Signatures
b) Seals
c) Certificates
Contractual Guidance
Organisations should consider their information security obligations when drafting or signing legally binding contracts with clients, suppliers or vendors (including insurance policies and contracts).
See Control 5.20 for further guidance relating to supplier contracts.
Supporting Controls
- 5.20
Manage all your compliance, all in one place
ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.
Changes and Differences from ISO 27002:2013
27002:2022-5.31 replaces two controls from 27002:2013-18.1.2 (Intellectual property rights).
- 18.1.1 – Identification of applicable legislation and contractual requirements
- 18.1.5 – Regulation of cryptographic controls
Whereas 27002:2013-18.1.1 offers minimal guidance other than the need for “managers” to identity all legislation that their type of business warrants, 27002:2022-5.31 discusses adherence across legislative, regulatory and cryptographic environments, as well as offering some generalised guidance points and going into far greater detail regarding how to stay on the right side of any prevailing legislation or regulations.
Where encryption is concerned, 27002:2022-5.31 adheres to the same principles as 27002:2013-18.1.5 and contains the same underlying guidance points, but goes one step further by asking organisations to consider hardware and software that has the potential to carry out cryptographic functions.
New ISO 27002 Controls
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | NEW | Threat intelligence |
| 5.23 | NEW | Information security for use of cloud services |
| 5.30 | NEW | ICT readiness for business continuity |
| 7.4 | NEW | Physical security monitoring |
| 8.9 | NEW | Configuration management |
| 8.10 | NEW | Information deletion |
| 8.11 | NEW | Data masking |
| 8.12 | NEW | Data leakage prevention |
| 8.16 | NEW | Monitoring activities |
| 8.23 | NEW | Web filtering |
| 8.28 | NEW | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | NEW | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
How ISMS.online Helps
ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process, from defining the scope of your ISMS through risk identification and control implementation.
Get in touch today to book a demo.
