ISO 27001 controls: What is Annex A.18?
ISO 27001:2013 and its controls, such as Annex A.18, help organisations that are subject to numerous laws, regulations and contractual obligations specifying how different sets of information must be managed and protected. Keeping up with these requirements can be challenging, and the ISO 27001 controls give a structured way to understand them and to maintain compliance.
Today we will discuss Annex A.18, the final control set under ISO 27001 Annex A, which is crucial for compliance and legal regulation. Let's delve deeper into this important topic.
Annex A.18 focuses on compliance with legal and contractual requirements. Online platforms and social media give criminals and hackers reach to many potential victims at once, and even legitimate business resources, such as high-speed internet, peer-to-peer file sharing and encryption, can be exploited for illegal activities.
This control aims to ensure compliance with legal and regulatory requirements in line with business needs. A combination of procedural, informational, personnel, information and communications technology, and physical security measures protects information assets against a range of security threats. Organisations aiming for ISO 27001:2013 certification must familiarise themselves with the statutory and regulatory legislation that applies to them.
A.18.1 Compliance with legal and contractual requirements. Objective: to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security, and of any security requirements.
A.18.1.1 Identification of applicable legislation and contractual requirements: administrators should identify all legislation relevant to their organisation. If it operates in other countries, managers must ensure compliance in every relevant jurisdiction. This includes identifying and managing the jurisdictional, governance, privacy and security risks associated with using suppliers and service providers.
A.18.1.2 Intellectual property rights: appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
A.18.1.3 Protection of records: records should be protected from loss, destruction, falsification, unauthorised access and unauthorised release, in line with legislative, regulatory, contractual and business requirements. Records should be categorised into types, each with its retention period and the storage media allowed for it. Where records are encrypted or digitally signed, the cryptographic keys and the programs needed to decrypt or verify them should also be retained for as long as the records are kept; otherwise the archive becomes unreadable before its retention period ends.
A.18.1.4 Privacy and protection of personally identifiable information (PII): privacy and the protection of PII should be ensured as required by relevant legislation and regulation. In Australia, for example, the Privacy Act 1988 (Cth) and its Australian Privacy Principles play the role that the GDPR plays in the EU. An ISMS aligned with ISO 27001 gives a structured way to reduce the risk of breaches of personal information.
A.18.1.5 Regulation of cryptographic controls: cryptographic controls should comply with all relevant agreements, legislation and regulations; some jurisdictions restrict the import, export or use of cryptography. Cryptography is routinely used to protect confidential information shared on cloud-based systems, so these constraints apply widely. Organisations aiming for ISO 27001 must implement a cryptographic policy, including:
A.18.2 Information security reviews. This section focuses on the regular review and assessment of information security measures to ensure compliance with organisational policies, standards and legal requirements. Regular reviews help identify weaknesses, drive corrective actions and maintain robust information security practices. Let's explore the key controls in Annex A.18.2.
A.18.2.2 Compliance with security policies and standards: managers should regularly review, within their area of responsibility, the compliance of information processing and procedures with the applicable security policies, standards and other security requirements, and should set up the procedures and policies needed to meet the legal requirements for protecting information security. Where non-compliance is found, the organisation should identify its causes, implement remedial measures and verify their effectiveness.
A.18.2.3 Technical compliance review: information systems should be regularly reviewed for compliance with the organisation's information security policies and standards. Technical compliance reviews examine operational systems to confirm that hardware and software controls are implemented correctly; they should be planned, documented and carried out by competent, authorised people, because an intrusive test can disrupt a live system. Penetration testing and vulnerability assessments provide a snapshot of a system at a specific time, but they are not a substitute for risk assessment.