When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to test whether A.5.31 Legal, Statutory, Regulatory and Contractual Requirements is designed, implemented, operating, and evidenced.
Audit checklist
- A current requirements register identifies legal, statutory, regulatory, and contractual information security obligations.
- Each requirement has an owner, review date, jurisdiction or source, applicable scope, control mapping, and evidence location.
- Changes in laws, regulations, or contracts are tracked through change control and update affected controls.
- Cryptography, digital signatures, electronic communication, and cross-border obligations are assessed where relevant.
- Legal or specialist advice is retained for complex jurisdictions or regulated business activities.
- Responsible personnel can explain their obligations and evidence.
Evidence requested
- Procedure or register reviewed.
- Responsible owner interviewed.
- Sample records selected.
- Evidence location recorded.
- Gaps converted into findings or corrective actions.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 31
Note Metadata
Aliases: A.5.31 Checklist
Source: 90 Templates/A.5.31 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.