# ISO 27001 Legal & Regulatory Requirements Register

> Identify, document, and track all legal, statutory, regulatory, and contractual requirements relevant to information security per ISO 27001 Control A.5.31.



Tags: ISO 27001, ISMS, Compliance, Legal, Regulatory, A.5.31


## Example Prompts

- Create a legal and regulatory requirements register for our ISMS
- Map our legal obligations to ISO 27001 controls
- Check if our register covers all applicable regulations from the org profile
- Validate our legal requirements register for completeness

URL: https://rakenne.app/skills/iso27001-legal-requirements-register/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-legal-requirements-register



## Overview

ISO 27001 Control A.5.31 requires every organisation to identify, document, and keep current all legal, statutory, regulatory, and contractual requirements relevant to information security — and the organisation's approach to meeting them. Auditors treat this register as a core evidence artifact: if you cannot show which laws apply and how you address them, it is a non-conformity.

This skill produces a structured register that maps each obligation to applicable Annex A controls, documents the organisation's compliance approach, tracks status with evidence, and assigns ownership for ongoing review. Two validation tools enforce field-level completeness and cross-reference the register against your organisation profile to catch coverage gaps.

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

### What It Covers

- **Obligation identification** — systematic capture of laws, regulations, standards, and contractual clauses across all applicable jurisdictions
- **Control mapping** — links each requirement to the Annex A controls that address it (e.g., GDPR → A.5.34, A.8.11, A.8.12)
- **Compliance approach** — documents *how* the organisation meets each requirement (required by the A.5.31 control statement)
- **Coverage analysis** — cross-checks the organisation profile's listed regulations against the register to find gaps
- **Ownership and review** — assigns a responsible person and review date per entry for living-document maintenance

## Example Conversation

> **You:** We need to create a legal and regulatory requirements register for our ISMS. We're a B2B SaaS company based in São Paulo with 45 employees. We process customer project data and are subject to LGPD. We also have contractual data protection obligations from enterprise clients and standard employment law requirements.
>
> **Agent:** I'll build the legal requirements register per Control A.5.31. Let me start by loading your organization profile to identify all applicable regulations.
>
> Your profile lists LGPD and contractual data protection obligations. Let me run the **regulatory_coverage_analyzer** to cross-check against any existing register entries.
>
> Since no register exists yet, the tool reports all profile regulations as gaps — giving us the full list of entries to create:
>
> **GAPS (in profile but NOT in register):**
> 1. LGPD (Lei Geral de Proteção de Dados)
> 2. Contractual data protection obligations
>
> I'll also add common obligations that apply to Brazilian companies in your sector: employment law (CLT), Marco Civil da Internet, and your NDA obligations with clients. Let me draft the register now.
>
> I've created 6 entries in the register. Each entry documents the source, jurisdiction, description, applicable Annex A controls, compliance approach, owner, and evidence reference. Let me validate.
>
> Running **legal_requirement_completeness_check**...
>
> **RESULT: PASS** — All 6 register entries have required fields populated. Each entry has a documented approach to compliance per A.5.31, mapped controls, assigned owner, and evidence reference.
>
> Running **regulatory_coverage_analyzer** again...
>
> **RESULT:** All organization profile regulations are covered in the register. 2 EXTRAS found (employment law, Marco Civil) — these are not in the profile but are valid additions for a Brazilian company. Consider updating the organization profile to include them.
>
> **You:** Looks good. What about PCI DSS? We use Stripe for payments.
>
> **Agent:** Since Stripe handles payment processing as a PCI-compliant processor and you never store, process, or transmit cardholder data directly, PCI DSS likely doesn't apply to your organisation — it applies to Stripe. However, I'll add a register entry for your contractual obligation with Stripe that references their compliance, with status "Compliant" and approach "Delegated to PCI-certified payment processor per SAQ-A eligibility." This documents your due diligence per A.5.19 (supplier security).

## Sample Output Excerpt

Below is a representative excerpt from a generated legal requirements register showing several entries with their control mappings and compliance approach.

---

### Legal & Regulatory Requirements Register (excerpt)

| Field | Value |
|-------|-------|
| **Document ID** | REG-001 |
| **Standard** | ISO/IEC 27001:2022 |
| **Control** | A.5.31 — Legal, statutory, regulatory and contractual requirements |
| **Version** | 1.0 |
| **Owner** | Ana Oliveira — DPO |
| **Last Updated** | 2026-03-15 |
| **Next Review** | 2026-09-15 |

| Req ID | Source | Jurisdiction | Description | Applicable Controls | Status | Approach | Owner | Evidence | Review Date |
|--------|--------|--------------|-------------|---------------------|--------|----------|-------|----------|-------------|
| REG-001 | LGPD (Lei Geral de Proteção de Dados) | Brazil | Data protection law requiring legal bases for processing, data subject rights, DPO (Encarregado), ANPD oversight, and international transfer rules. | A.5.34, A.5.10, A.5.12, A.8.11 | Partially Compliant | Designated Encarregado (Ana Oliveira); RIPD process implemented for high-risk processing; consent mechanisms deployed; international transfers mapped to SCCs. | Ana Oliveira — DPO | Privacy policy v2.1; RIPD-001; consent records | 2026-09-15 |
| REG-002 | Contractual DPA — Enterprise Clients | Brazil / EU | Data processing agreements with enterprise clients requiring encryption at rest, access logging, 48h breach notification, annual security assessments, and data residency in approved regions. | A.5.10, A.5.19, A.5.20, A.8.24, A.8.15 | Compliant | Standardised DPA template reviewed by legal; encryption via GCP CMEK; access logging via Cloud Audit Logs; breach notification procedure PROC-003 §6.2; annual pentest programme. | Maria Santos — CISO | DPA template v3; pentest report Q1-2026; encryption config doc | 2026-06-30 |
| REG-003 | Employment Law (CLT + LGPD) | Brazil | Employee PII processing, workplace monitoring, background checks, remote work security, and disciplinary procedures per CLT and LGPD. | A.5.10, A.5.34, A.6.1, A.6.2, A.6.4 | Partially Compliant | Employee privacy notice issued at onboarding; monitoring policy under legal review; remote work security policy drafted; background check consent form implemented. | Carlos Mendes — HR Director | HR privacy notice; monitoring policy draft; remote work policy | 2026-09-15 |
| REG-004 | Marco Civil da Internet | Brazil | Internet framework law requiring data retention for connection logs, judicial order requirements for content removal, and net neutrality provisions. | A.5.33, A.5.34, A.8.15 | Compliant | Connection log retention configured in GCP Cloud Logging (6-month retention); legal response procedure for judicial requests documented. | João Silva — CTO | Cloud Logging config; legal response procedure | 2027-03-15 |


## Extension Tools

### `regulatory_coverage_analyzer`

Cross-checks the organisation profile's listed regulations against the register to find coverage gaps:

| Check | What It Does |
|-------|-------------|
| **Profile loading** | Reads the organisation profile JSON (explicit path or auto-discovers `organization-profile.json` in workspace) |
| **Regulation extraction** | Parses the profile's `regulations` array for named entries |
| **Register parsing** | Reads the register's markdown table and extracts source names per row |
| **Fuzzy matching** | Compares profile regulation names against register sources using case-insensitive substring matching |
| **Gap detection** | Lists regulations in the profile but missing from the register |
| **Extras detection** | Lists register entries that don't match any profile regulation (valid but worth noting) |
| **Empty register handling** | If the register doesn't exist yet, treats all profile regulations as gaps and directs the agent to populate using the template |

### `legal_requirement_completeness_check`

Validates each register entry against 9 required fields per A.5.31:

| Field | Validation Rule |
|-------|----------------|
| **Source** | Non-empty law, regulation, or contract name |
| **Description** | Non-empty description of the obligation |
| **Jurisdiction** | Non-empty jurisdiction (country or region) |
| **Applicable Controls** | At least one Annex A control reference matching `A.x.x` pattern |
| **Compliance Status** | One of: Compliant, Partially Compliant, Non-Compliant, Not Assessed |
| **Approach** | Non-empty — A.5.31 requires documenting the organisation's approach to meeting each requirement |
| **Owner** | Named person or role assigned |
| **Evidence** | Reference to supporting documentation |
| **Review Date** | Present and not a placeholder (rejects `YYYY-MM-DD`, `TBD`, `[Date]`, etc.) |

Reports per-entry findings with specific error messages, overall PASS/FAIL result, and counts of complete vs. incomplete entries.
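As an added illustration of how the two tools described above fit together (this is example code written for this page, not the skill's own tool implementation), the script below parses a constructed two-row register and profile, runs the coverage analyzer and then the completeness check. The column names, the case-insensitive substring rule matching in either direction, and the requirement that a valid Review Date be a real ISO date are assumptions.

```python
import re

# Constructed two-row register excerpt (not the page's full table) and profile.
REGISTER_MD = """| Req ID | Source | Jurisdiction | Description | Applicable Controls | Status | Approach | Owner | Evidence | Review Date |
|---|---|---|---|---|---|---|---|---|---|
| REG-001 | LGPD (Lei Geral de Proteção de Dados) | Brazil | Data protection law | A.5.34, A.8.11 | Partially Compliant | Designated Encarregado; RIPD process | Ana Oliveira | RIPD-001 | 2026-09-15 |
| REG-004 | Marco Civil da Internet | Brazil | Connection log retention | A.5.33 | Compliant | 6-month log retention | João Silva | Logging config | YYYY-MM-DD |
"""
PROFILE = {"regulations": ["LGPD", "Contractual data protection obligations"]}

REQUIRED = ["Source", "Description", "Jurisdiction", "Applicable Controls",
            "Status", "Approach", "Owner", "Evidence", "Review Date"]
STATUSES = {"Compliant", "Partially Compliant", "Non-Compliant", "Not Assessed"}
CONTROL_RE = re.compile(r"\bA\.\d+\.\d+\b")      # Annex A reference, e.g. A.5.31
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")        # real ISO date; rejects YYYY-MM-DD, TBD, [Date]

def parse_register(md):
    """Map each data row of the markdown table to {column header: cell}."""
    rows = [l for l in md.splitlines() if l.startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    return [dict(zip(header, (c.strip() for c in r.strip("|").split("|"))))
            for r in rows[2:]]                   # rows[1] is the |---| separator

def coverage(profile, entries):
    """Gaps: profile regulations with no register source; extras: the reverse."""
    def match(a, b):  # assumed rule: case-insensitive substring, either direction
        return a.lower() in b.lower() or b.lower() in a.lower()
    regs, sources = profile.get("regulations", []), [e["Source"] for e in entries]
    gaps = [r for r in regs if not any(match(r, s) for s in sources)]
    extras = [s for s in sources if not any(match(r, s) for r in regs)]
    return gaps, extras

def check_entry(e):
    """Return the list of A.5.31 field findings for one register row."""
    errs = [f"{f} is empty" for f in REQUIRED if not e.get(f, "").strip()]
    if not CONTROL_RE.search(e.get("Applicable Controls", "")):
        errs.append("Applicable Controls has no A.x.x reference")
    if e.get("Status") not in STATUSES:
        errs.append(f"Status {e.get('Status')!r} not an allowed value")
    if not DATE_RE.fullmatch(e.get("Review Date", "").strip()):
        errs.append("Review Date missing or placeholder")
    return errs

def completeness(entries):
    findings = {e["Req ID"]: check_entry(e) for e in entries}
    bad = sum(1 for v in findings.values() if v)
    return {"result": "FAIL" if bad else "PASS",
            "complete": len(entries) - bad, "incomplete": bad, "findings": findings}
```

On the constructed data the analyzer reports the contractual obligation as a gap and Marco Civil as an extra, and the completeness check fails only REG-004 for its placeholder review date.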

## Getting Started

Activate the *ISO 27001 Legal & Regulatory Requirements Register* skill. If you've completed the *Organization Profile* skill, load it — the agent uses your industry, jurisdictions, and listed regulations to pre-populate the register and check for coverage gaps.

Have this information ready:
- Your organisation's jurisdictions (countries where you operate or process data)
- Applicable regulations (data protection, industry-specific, financial)
- Key contractual obligations with clients or partners (DPAs, NDAs, SLAs)
- Current compliance status for each obligation (if known)
- Who owns compliance for each area (legal, DPO, CISO, HR)

The agent guides you through a 5-step workflow: gather context from the organisation profile, identify requirements using the coverage analyzer, draft the register with all required fields, validate completeness, and finalize for review. The register is designed as a living document — update it when new regulations, contracts, or jurisdictional changes occur.

