Skip to content

Purpose of Control 5.31

Laws, regulations and contractual requirements form a large part of an organisation’s information security responsibilities.

Organisations should have a clear understanding of their obligations at any one time, and be prepared to adapt their information security practices in accordance with their role as a responsible data handler.

It’s important to note that Control 5.31 doesn’t list any specific legal, regulatory or contractual terms that organisations either need to enforce or remain compliant with, nor does it set out a procedure for drafting contracts. Control 5.31 instead focuses on what organisations need to consider from an information security perspective, relating to their unique requirements.

Attributes Table

Control 5.31 is a preventive control that modifies risk by offering guidance on how to operate with a robust information security policy that maintains compliance within all relevant legal and regulatory environments.

Control Type Information Security Properties Cybersecurity Concepts Operational Capabilities Security Domains
#Preventive #Confidentiality #Identify #Legal and Compliance #Governance and Ecosystem
#Integrity #Protection
#Availability



ISMS.online gives you an 81% Headstart from the moment you log on

ISO 27001 made easy

We’ve done the hard work for you, giving you an 81% Headstart from the moment you log on. All you have to do is fill in the blanks.




General Guidance on Control 5.31

There are 5 general guidance points to consider. Organisation’s should keep in mind their legal, statutory, regulatory and contractual requirements when:

  1. Drafting and/or amending their information security procedures and internal policy documents.
  2. Designing, amending or implementing information security controls.
  3. Categorising information when considering their broader information security requirements, either for organisational purposes or related to their relationships with a third party (suppliers etc.)
  4. Undergoing risk assessments relating to information security activities, including internal roles and responsibilities relating to an organisational structure.
  5. Establishing the nature of a supplier relationship, and their contractual obligations throughout the supply of products and services.



climbing

Embed, expand and scale your compliance, without the mess. IO gives you the resilience and confidence to grow securely.




Legislative and Regulatory Guidance

Organisations should “define and document” internal processes and responsibilities that allow them to:

  1. Identify, analyse and understand their legislative and regulatory obligations relating to information security, including periodic reviews of legislation and regulations.
  2. Ensure that they remain compliant across all legislative and regulatory environments in whatever countries they operate in. This extends to the use of products and services that originate outside of the country they usually operate in.

Cryptographic Guidance

In ICT, ‘cryptography’ is a method of protecting information and communications through the use of codes.

As such, the whole concept of encryption and cryptography usually involves specific legal requirements and a considerable amount of topic-specific regulatory guidance that need to be adhered to.

With that in mind, the following guidance needs to be taken into consideration:

  1. Laws on the import and/or export of hardware or software which either carries out a dedicated cryptographic function, or has the ability to carry out said function.
  2. Laws relating to the restriction of cryptographic functions.
  3. Any access to encrypted information that authorities within a country or region have the right to request and enforce.
  4. The validity and veracity of three key digital elements of encrypted information:

    a) Signatures
    b) Seals
    c) Certificates

Contractual Guidance

Organisations should consider their information security obligations when drafting or signing legally binding contracts with clients, suppliers or vendors (including insurance policies and contracts).

See Control 5.20 for further guidance relating to supplier contracts.

Supporting Controls

  • 5.20



ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.




Changes and Differences from ISO 27002:2013

27002:2022-5.31 replaces two controls from 27002:2013-18.1.2 (Intellectual property rights).

  1. 18.1.1 – Identification of applicable legislation and contractual requirements
  2. 18.1.5 – Regulation of cryptographic controls

Whereas 27002:2013-18.1.1 offers minimal guidance other than the need for “managers” to identity all legislation that their type of business warrants, 27002:2022-5.31 discusses adherence across legislative, regulatory and cryptographic environments, as well as offering some generalised guidance points and going into far greater detail regarding how to stay on the right side of any prevailing legislation or regulations.

Where encryption is concerned, 27002:2022-5.31 adheres to the same principles as 27002:2013-18.1.5 and contains the same underlying guidance points, but goes one step further by asking organisations to consider hardware and software that has the potential to carry out cryptographic functions.

New ISO 27002 Controls

New Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
5.7 NEW Threat intelligence
5.23 NEW Information security for use of cloud services
5.30 NEW ICT readiness for business continuity
7.4 NEW Physical security monitoring
8.9 NEW Configuration management
8.10 NEW Information deletion
8.11 NEW Data masking
8.12 NEW Data leakage prevention
8.16 NEW Monitoring activities
8.23 NEW Web filtering
8.28 NEW Secure coding
Organisational Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
5.1 05.1.1, 05.1.2 Policies for information security
5.2 06.1.1 Information security roles and responsibilities
5.3 06.1.2 Segregation of duties
5.4 07.2.1 Management responsibilities
5.5 06.1.3 Contact with authorities
5.6 06.1.4 Contact with special interest groups
5.7 NEW Threat intelligence
5.8 06.1.5, 14.1.1 Information security in project management
5.9 08.1.1, 08.1.2 Inventory of information and other associated assets
5.10 08.1.3, 08.2.3 Acceptable use of information and other associated assets
5.11 08.1.4 Return of assets
5.12 08.2.1 Classification of information
5.13 08.2.2 Labelling of information
5.14 13.2.1, 13.2.2, 13.2.3 Information transfer
5.15 09.1.1, 09.1.2 Access control
5.16 09.2.1 Identity management
5.17 09.2.4, 09.3.1, 09.4.3 Authentication information
5.18 09.2.2, 09.2.5, 09.2.6 Access rights
5.19 15.1.1 Information security in supplier relationships
5.20 15.1.2 Addressing information security within supplier agreements
5.21 15.1.3 Managing information security in the ICT supply chain
5.22 15.2.1, 15.2.2 Monitoring, review and change management of supplier services
5.23 NEW Information security for use of cloud services
5.24 16.1.1 Information security incident management planning and preparation
5.25 16.1.4 Assessment and decision on information security events
5.26 16.1.5 Response to information security incidents
5.27 16.1.6 Learning from information security incidents
5.28 16.1.7 Collection of evidence
5.29 17.1.1, 17.1.2, 17.1.3 Information security during disruption
5.30 5.30 ICT readiness for business continuity
5.31 18.1.1, 18.1.5 Legal, statutory, regulatory and contractual requirements
5.32 18.1.2 Intellectual property rights
5.33 18.1.3 Protection of records
5.34 18.1.4 Privacy and protection of PII
5.35 18.2.1 Independent review of information security
5.36 18.2.2, 18.2.3 Compliance with policies, rules and standards for information security
5.37 12.1.1 Documented operating procedures
People Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
6.1 07.1.1 Screening
6.2 07.1.2 Terms and conditions of employment
6.3 07.2.2 Information security awareness, education and training
6.4 07.2.3 Disciplinary process
6.5 07.3.1 Responsibilities after termination or change of employment
6.6 13.2.4 Confidentiality or non-disclosure agreements
6.7 06.2.2 Remote working
6.8 16.1.2, 16.1.3 Information security event reporting
Physical Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
7.1 11.1.1 Physical security perimeters
7.2 11.1.2, 11.1.6 Physical entry
7.3 11.1.3 Securing offices, rooms and facilities
7.4 NEW Physical security monitoring
7.5 11.1.4 Protecting against physical and environmental threats
7.6 11.1.5 Working in secure areas
7.7 11.2.9 Clear desk and clear screen
7.8 11.2.1 Equipment siting and protection
7.9 11.2.6 Security of assets off-premises
7.10 08.3.1, 08.3.2, 08.3.3, 11.2.5 Storage media
7.11 11.2.2 Supporting utilities
7.12 11.2.3 Cabling security
7.13 11.2.4 Equipment maintenance
7.14 11.2.7 Secure disposal or re-use of equipment
Technological Controls
ISO/IEC 27002:2022 Control Identifier ISO/IEC 27002:2013 Control Identifier Control Name
8.1 06.2.1, 11.2.8 User endpoint devices
8.2 09.2.3 Privileged access rights
8.3 09.4.1 Information access restriction
8.4 09.4.5 Access to source code
8.5 09.4.2 Secure authentication
8.6 12.1.3 Capacity management
8.7 12.2.1 Protection against malware
8.8 12.6.1, 18.2.3 Management of technical vulnerabilities
8.9 NEW Configuration management
8.10 NEW Information deletion
8.11 NEW Data masking
8.12 NEW Data leakage prevention
8.13 12.3.1 Information backup
8.14 17.2.1 Redundancy of information processing facilities
8.15 12.4.1, 12.4.2, 12.4.3 Logging
8.16 NEW Monitoring activities
8.17 12.4.4 Clock synchronization
8.18 09.4.4 Use of privileged utility programs
8.19 12.5.1, 12.6.2 Installation of software on operational systems
8.20 13.1.1 Networks security
8.21 13.1.2 Security of network services
8.22 13.1.3 Segregation of networks
8.23 NEW Web filtering
8.24 10.1.1, 10.1.2 Use of cryptography
8.25 14.2.1 Secure development life cycle
8.26 14.1.2, 14.1.3 Application security requirements
8.27 14.2.5 Secure system architecture and engineering principles
8.28 NEW Secure coding
8.29 14.2.8, 14.2.9 Security testing in development and acceptance
8.30 14.2.7 Outsourced development
8.31 12.1.4, 14.2.6 Separation of development, test and production environments
8.32 12.1.2, 14.2.2, 14.2.3, 14.2.4 Change management
8.33 14.3.1 Test information
8.34 12.7.1 Protection of information systems during audit testing

How ISMS.online Helps

ISO 27002 implementation is simpler with our step-by-step checklist that guides you through the whole process, from defining the scope of your ISMS through risk identification and control implementation.

Get in touch today to book a demo.


Sam Peters

Sam is Chief Product Officer at ISMS.online and leads the development on all product features and functionality. Sam is an expert in many areas of compliance and works with clients on any bespoke or large-scale projects.

Take a virtual tour

Start your free 2-minute interactive demo now and see
ISMS.online in action!

platform dashboard full on crystal

We’re a Leader in our Field

4/5 Stars
Users Love Us
Leader - Fall 2025
High Performer, Small Business - Fall 2025 UK
Regional Leader - Fall 2025 Europe
Regional Leader - Fall 2025 EMEA
Regional Leader - Fall 2025 UK
High Performer - Fall 2025 Europe Mid-market

"ISMS.Online, Outstanding tool for Regulatory Compliance"

— Jim M.

"Makes external audits a breeze and links all aspects of your ISMS together seamlessly"

— Karen C.

"Innovative solution to managing ISO and other accreditations"

— Ben H.