UnixTime

Research Note

A.5.31 Audit Checklist

Use this during internal audits to test whether A.5.31 Legal, Statutory, Regulatory and Contractual Requirements is designed, implemented, operating, and evidenced.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this during internal audits to test whether A.5.31 Legal, Statutory, Regulatory and Contractual Requirements is designed, implemented, operating, and evidenced.

Audit checklist

  • A current requirements register identifies legal, statutory, regulatory, and contractual information security obligations.
  • Each requirement has an owner, review date, jurisdiction or source, applicable scope, control mapping, and evidence location.
  • Changes in laws, regulations, or contracts are tracked through change control and update affected controls.
  • Cryptography, digital signatures, electronic communication, and cross-border obligations are assessed where relevant.
  • Legal or specialist advice is retained for complex jurisdictions or regulated business activities.
  • Responsible personnel can explain their obligations and evidence.

Evidence requested

  • Procedure or register reviewed.
  • Responsible owner interviewed.
  • Sample records selected.
  • Evidence location recorded.
  • Gaps converted into findings or corrective actions.
  • Iso27001
  • ISO27002
  • Template
  • Audit
  • A5 31

Note Metadata

Aliases: A.5.31 Checklist

Source: 90 Templates/A.5.31 Audit Checklist.md

Graph-sourced resources

Templates and evidence

Auditor evidence packs

Evidence collections and audit-facing verification material.