Control attributes: Organisational | Preventive | Identify | High Priority

A.5.31 Legal Statutory Regulatory and Contractual Requirements

M365 Admin Path: Microsoft Purview compliance portal > Compliance Manager

Evidence Source: the ISMS register, Microsoft Purview, SharePoint

ISO 27001 control A.5.31 (Legal, Statutory, Regulatory and Contractual Requirements) requires the organisation to identify, document, and keep up to date all legal, statutory, regulatory, and contractual requirements that bear on information security, and to define how it meets them. In Microsoft 365 this is implemented by maintaining a formal register of those requirements and using Microsoft Purview Compliance Manager to measure technical compliance against the applicable regulations, including POPIA, GDPR, and the UK Data Protection Act 2018.

How to implement A.5.31 in Microsoft 365

Implement A.5.31 by establishing a SharePoint-based Legal Register that lists every legal, statutory, regulatory, and contractual requirement, its source (the act, regulation, or contract clause), the owner, and the ISMS controls mapped to it. In Microsoft Purview Compliance Manager, create assessments from the regulatory templates that apply to the organisation, including POPIA and GDPR. Map the technical configurations in Intune, Microsoft Entra, and Purview to the corresponding improvement actions so that each legal requirement traces to a verifiable control. Review the Register at least annually, and immediately whenever a significant change occurs, such as operating in a new jurisdiction, new or amended legislation, or a new contract with its own security obligations.

Ensure all cryptographic controls comply with jurisdictional restrictions

Ensure all cryptographic controls comply with the restrictions on import, export, and use that apply in each jurisdiction where the organisation operates or transfers data, and record the applicable restrictions in the Legal Register alongside the A.8.24 (Use of Cryptography) controls they constrain.

What an auditor checks for A.5.31

  • Auditors will verify that Microsoft Purview Compliance Manager assessments are active and that their current compliance scores reflect tested improvement actions.
  • They will check the formal Register of Legal, Statutory, Regulatory, and Contractual Requirements is maintained in SharePoint.
  • Auditors will verify Compliance Manager assessments are mapped to specific regulations including POPIA and GDPR.
  • They will review the repository of executed supplier contracts as evidence of contractual requirements management.
  • Auditors will check documented annual review of the Register with CISO sign-off.


M365 capabilities that implement this control

  • Communication Compliance (Information Governance): Microsoft Purview Communication Compliance.
  • Registered Email Encryption (Information Governance): court-admissible proof of encrypted delivery for external communications, closing the evidence gap for A.5.14 (Information Transfer) and A.5.31 (Legal/Regulatory Requirements).
  • Proof of Delivery (Information Governance): Registered Receipt records with immutable timestamps, content proof, and self-authenticating encryption evidence, directly addressing A.8.24 (Use of Cryptography) audit requirements.