What does control A.3.13 require?

Legal, statutory, regulatory and contractual requirements relevant to information security related to PII processing and the organisation’s approach to meet these requirements shall be documented and this documentation kept up to date.

This control sits within the Shared security controls annex (A.3) and establishes a fundamental obligation: you cannot comply with legal requirements if you have not identified what they are. This control ensures that organisations maintain a living register of all applicable obligations and a documented approach for meeting each one.

What does the Annex B implementation guidance say?

Annex B (section B.3.13) provides the following guidance:

  • Identify potential sanctions — Organisations should identify the potential legal sanctions for failing to meet their obligations, including substantial fines that supervisory authorities can impose for non-compliance
  • International standards as contract basis — In some jurisdictions, international standards like ISO 27701 can form the basis for contractual agreements between parties, providing a recognised framework for privacy obligations
  • See also A.3.3: Policies for Information Security for related requirements
  • See also A.3.4: Information Security Roles and Responsibilities for related requirements

The guidance is deliberately broad because the specific legal requirements vary enormously by jurisdiction, industry sector and type of PII processed. The principle is the same everywhere: know your obligations and document how you meet them.

How does this map to GDPR?

Control A.3.13 maps to several GDPR articles:

  • Article 5(1)(f) — Integrity and confidentiality principle, which underpins the security requirements
  • Article 32(1)(d) — A process for regularly testing, assessing and evaluating the effectiveness of measures
  • Article 32(2) — Assessing appropriate level of security, taking account of risks presented by processing
  • Article 5(2) — The accountability principle, requiring the controller to be responsible for and demonstrate compliance
  • Article 32(1)(b) — Ensuring ongoing confidentiality, integrity, availability and resilience

Under GDPR, the potential fines for non-compliance can reach up to 4% of annual global turnover or EUR 20 million, whichever is higher — making the identification of legal requirements a business-critical activity.

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, this requirement was covered by Clauses 6.15.1.1 (identification of applicable legislation and contractual requirements) and 6.15.1.5 (regulation of cryptographic controls). The 2025 edition consolidates these into a single control (A.3.13), broadening the scope to cover all legal, statutory, regulatory and contractual requirements in one place. See the Annex F correspondence table for the full mapping.


What evidence do auditors expect?

When assessing compliance with A.3.13, auditors will typically look for:

  • Legal and regulatory register — A documented register listing all applicable laws, regulations and contractual obligations related to PII processing, including jurisdiction and effective dates
  • Compliance mapping — Evidence showing how each legal requirement is addressed by the organisation’s policies, procedures or controls
  • Review schedule — A defined process for reviewing and updating the register when laws change, new jurisdictions are entered or new contracts are signed
  • Sanctions awareness — Documentation showing that the organisation understands the potential consequences of non-compliance, including financial penalties
  • Version history — Evidence that the documentation has been actively maintained, not just created once and forgotten

What are the related controls?

Control                              | Relationship
-------------------------------------|------------------------------------------------------------------------------
A.3.10 Supplier agreements           | Contractual requirements with suppliers must be identified and documented
A.3.11 Incident management planning  | Breach notification procedures must account for applicable legal timelines
A.3.16 Compliance with policies      | Regular reviews verify that legal requirements are being met in practice
A.3.14 Protection of records         | Legal and compliance records must be protected and retained appropriately
A.3.15 Independent review            | Independent audits can verify that legal compliance mapping is accurate

Who does this control apply to?

A.3.13 is a shared control that applies to both PII controllers and PII processors. Controllers typically face a broader range of legal obligations (data protection laws, sector-specific regulations, contractual commitments to data subjects), while processors must also identify their own obligations under processing agreements and applicable legislation. Both roles need a maintained compliance register.


Why choose ISMS.online for tracking legal and regulatory requirements?

ISMS.online provides practical tools for maintaining your compliance register and demonstrating ongoing awareness:

  • Regulatory register — Maintain a structured register of all applicable laws, regulations and contractual requirements with jurisdictional tagging and effective dates
  • Compliance mapping — Link each legal requirement to the specific policies, controls and evidence that demonstrate compliance
  • Automated review reminders — Set review cycles so your register is checked at planned intervals, with task assignments for updates
  • Change management — Track legislative changes and new contractual obligations with version history and audit trail
  • Multi-framework alignment — Map legal requirements across ISO 27701, ISO 27001, GDPR and other frameworks in a single view

FAQs

How often should the legal requirements register be reviewed?

The standard requires documentation to be kept up to date. At minimum, organisations should review the register annually and whenever a significant change occurs — such as entering a new jurisdiction, launching a new product that processes PII, or when relevant legislation is amended. Tying reviews to management review cycles helps ensure they happen consistently.


Can ISO 27701 certification satisfy contractual compliance obligations?

The implementation guidance notes that in some jurisdictions, international standards like ISO 27701 can form the basis for contractual agreements. While certification demonstrates a robust privacy management system, individual contracts may impose additional requirements beyond the standard. Each contractual obligation should be assessed on its own merits and included in the compliance register.


What are the consequences of failing to identify applicable legal requirements?

Failure to identify applicable legal requirements can result in substantial fines from supervisory authorities, contractual breach claims from customers and partners, loss of business and reputational damage. Under GDPR, fines can reach up to 4% of annual global turnover. Beyond financial penalties, ignorance of a legal requirement is not a defence in enforcement proceedings.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.