ISO 27001

Annex A.18 – Compliance

Get compliant with ISO 27001 – Annex A.18 and simplify compliance for your organisation.

Annex A.18 covers how an organisation should comply with legal requirements, for example those governing the installation of software or intellectual property rights. It addresses both external and internal compliance.

A.18.1 – Compliance with legal and contractual requirements

Ensures protection against any violation of legal, statutory, regulatory or contractual obligations relevant to information security.

A.18.1.1 Identification of applicable legislation and contractual requirements

Ensures that the organisation regularly and consistently identifies, documents and updates the requirements that apply to it, along with how the organisation is complying with them. When identifying applicable legislation, it is useful to consider the location of the company, the type of company, and the type of information processed.

A.18.1.2 Intellectual property rights

To ensure that the organisation complies with all standards and policies associated with intellectual property used in its activities. It is recommended that the organisation publishes a guideline on how to legitimately use software and products that are considered intellectual property. Personnel should be made aware of these rights and warned of the consequences of violating them. In general, the organisation should never copy or extract from commercial recordings unless permitted under copyright law.

A.18.1.3 Protection of records

The organisation should ensure that its records are protected from unauthorised access, which could lead to loss, destruction or falsification. This should be done by classifying which documents require protection. The organisation must be aware of the relevant contractual requirements on how best to protect its records.

A.18.1.4 Privacy and protection of personally identifiable information

To ensure that any agreed data policy requirements concerning privacy are implemented and upheld within the organisation. Personally identifiable information is considered highly sensitive and must be protected by the organisation. However, each individual employee should also be responsible for protecting their own information.

A.18.1.5 Regulation of cryptographic controls

To ensure that the laws and regulations governing the organisation’s use of cryptography are applied to all devices. The organisation should consider the following:

  • Restrictions on the import and export of hardware and software that perform cryptographic functions.
  • Restrictions on the use of encryption.
  • Creating a definitive guide to how encrypted information may be accessed.

A.18.2 – Information security reviews

To ensure that the organisation implements and operates information security correctly and in line with its policies.

A.18.2.1 Independent review of information security

To ensure that the organisation takes internal measures to improve its approach to managing information security by establishing its own review procedures. This should be done by a skilled individual who independently reviews the company’s procedures and assesses how effective and consistent they are.

Following the analysis, the organisation should be given objectives and opportunities for improvement. The results of the review should be recorded, and improvements should be made.

A.18.2.2 Compliance with security policies and standards

To ensure that the organisation’s compliance with its policies is reviewed on a regular basis against the relevant security specifications. The nature and procedures of these reviews should be determined by managers. For efficiency, automated measuring tools can be used. If a review reveals compliance issues, the result must be logged and appropriate measures should be taken.

A.18.2.3 Technical compliance review

To ensure that the organisation reviews its information systems to confirm that they remain compliant with the agreed information security policies. This should be done using automated assessment tools.

When performing a manual assessment, care should be taken so that system security is not compromised. Suitably skilled individuals should carry out the assessment, and all assessments must be recorded and logged.