ISO 27001
Annex A.18- Compliance
Get compliant with ISO 27001 – Annex A.18 and simplify compliance for your organisation.
Annex A.18 covers how an organisation should comply with legal requirements, for example those governing the installation of software or intellectual property rights. It addresses both external and internal compliance.
The objective is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security.
The organisation should regularly and consistently identify, document and update the requirements that apply to it, together with how it complies with them. When identifying applicable legislation, it is useful to consider the location of the company, the type of company and the type of information processed.
The organisation should comply with all standards and policies relating to intellectual property used in its activities. It is recommended that the organisation publishes a guideline on how to legitimately use software and other products that are considered intellectual property. Personnel should be made aware of these rights and warned against violating them. In general, the organisation should never copy or extract from commercial recordings unless copyright law permits it.
The organisation should protect its records from unauthorised access, which could lead to loss, destruction or falsification. This should be done by classifying which documents require protection. The organisation must also be aware of any contractual requirements concerning how its records are to be protected.
Any agreed data policy requirements concerning privacy must be implemented and upheld within the organisation. Personally identifiable information is considered highly sensitive and must be protected by the organisation. However, every individual employee should also take responsibility for protecting their own information.
Laws and regulations governing cryptography must be applied to all of the organisation's devices. The organisation should consider the following:
The organisation should correctly implement and operate information security in line with its policies.
The organisation should take internal measures to improve its information security management approach by creating its own procedures. This should be done by a skilled individual who independently reviews the company's procedures and how effective and consistent they are.
Following the review, the organisation should be given objectives and opportunities for improvement. The results of the review should be recorded and the improvements made.
The organisation's compliance policies should be reviewed on a regular basis, with an assessment against the security specifications. The nature of and procedures for these reviews should be determined by managers. For efficiency, automated measuring tools can be used. If a review reveals compliance issues, the result must be logged and appropriate measures taken.
The organisation should review its information systems so that they remain compliant with the agreed information security policies. This should be done using automated assessment tools.
When performing a manual assessment, care should be taken so that system security is not compromised. Suitably skilled individuals should perform the assessments, and all assessments must be recorded and logged.
©Copyright Inverifi 2023, All rights reserved. Registered in England, No: 06959535, +44 20 4574 9908