ISO 27001 Controls: What Is Annex A:18?

blue retractable pen

ISO 27001:2013 and its controls – like Annex A:18 – pave the way for many organizations that are subject to numerous laws, regulations, and contractual obligations that specify requirements related to the appropriate management and protection of diverse information sets. ISO 27001 Controls provides a deep understanding and maintaining compliance with these different requirements is sometimes a difficult road.

Today we will discuss our last control under ISO 27001 Annex A lists which are very important in terms of compliance and legal regulations, Let’s discuss this below in more depth now.

iso 27001 certification by best practice

ISO 27001 – Controls – Annex A.18: Compliance

Annex A.18 is all about compliance with legal and contractual requirements. Social activities like online platforms etc. can provide access to multiple criminals or hackers who can target a large number of victims. Even the business sources which have legitimate uses, like high-speed internet, peer to peer file-sharing, and encryption methods, criminals are really smart to carry out illegal activities.

woman in white blazer sitting beside man in black suit

Annex A.18:1 Compliance with legal and contractual requirements.

This control has the main objective to oblige the legal and regulatory requirements as per the business needs. A combined group of procedural, information, personnel, information communications technology, and physical security measures identifies the information assets against a range of security threats. Any organization looking to achieve ISO 27001:2013 Certification must get familiarize themselves with the statutory and regulatory legislation.

Annex. A:18.1.1 Identification of Applicable Legislation & Contractual Requirements

To avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security and of any security requirements.

laptop internet connection technology

Annex. A:18.1.2 Intellectual Property Rights

Appropriate procedures should be implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and the use of proprietary software products.

To satisfy the criteria for business form, administrators should recognize all the legislation that relates to their organization. If the organization is operating in other countries, managers in all related countries will ensure compliance. This includes identifying and managing jurisdictional, governance, privacy, and security risks associated with the use of suppliers and service providers.

To protect any material regarding any information below guidelines can be followed:

  1. The legitimate use of software in regards to intellectual property;
  2. Maintain awareness and take disciplinary actions against the violation immediately;
  3. Conduct reviews in a timely manner;
  4. Provide an enforcement policy to all the staff.
  5. Maintain a proper record, where the legal documentation could be accessible.

Annex. A:18.1.3 Protection of records

Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislator, regulatory, contractual and business requirements.

Records should be categorized into record types, e.g. accounting records, database records, transaction logs, audit logs, and operational procedures, each with details of retention periods and type of allowable storage media, e.g. paper, microfiche, magnetic, optical. Any related cryptographic keys and programs associated with encrypted archives or digital signatures should also be stored to enable decryption of the records for the length of time the records are retained. Consideration should be given to the possibility of deterioration of media used for storage of records. Storage and handling procedures should be implemented in accordance with the manufacturer’s recommendations. 

Annex. A:18.1.4 Privacy & Protection of Personally Identifiable Information

Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.

Any information handled that contains personally identifiable information (PII) is likely to be subject to the obligations of legislation and regulation. In Australia, the Privacy Act 1988(Cth) consists of laws that reflect the laws of the GDPR Regulations.

The right to privacy gives individuals the right to exercise control over their personal information. The Privacy Act is about the transparency and accountability of any organization. Australian organizations have already adopted measures to keep safe from the threat of data breaches. ISMS 27001 is the safest way to avoid the breach of anyone’s information.

Get Your Free ISO 27001 Gap Analysis Checklist

Annex. A:18.1.5 Regulation of Cryptographic Controls

Cryptographic controls should be used in compliance with all relevant agreements, legislation, and regulations.

Cryptography used to share confidential information on cloud-based systems with the intention is to identify the user and share the information needed. ISO 27001 Annex: A 10 Cryptography, defines Cryptographic controls, Policy on the Utilisation of Cryptographic Controls and Key Management.

Each organization looking to achieve ISO 27001, must implement Cryptographic policy. Below are the needs to consider while designing this policy:

  1. Training to the relevant users on how to protect the general information and use of Cryptographic controls.
  2. A risk assessment procedure- It must include necessary calculations in relation to quality, strength, and type of encryption algorithm.
  3. Usage of encryption to secure information transported by mobile or portable media devices.
  4. Build Strategies for the security of encryption keys.

Annex. A:18.2 Information Security Reviews

Annex. A:18.2.1 Independent Review of Information Security

Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards, and any other security requirements.

Managers need to identify legal requirements in terms of protecting information security. They need to set up procedures and policies on how to control them. Automatic measurement and reporting tools should be considered for efficient regular review. It includes:

  • Identify the causes of the non-conformities;
  • Analyze the actions to achieve compliance;
  • Implement appropriate corrective action;
  • Results of reviews and corrective actions carried out by managers should be recorded and these records should be maintained.

A.18.2.2 Compliance with Security Policies and Standards

Managers will review on regular basis compliance with relevant security policies, guidelines, and other security specifications of information processing and procedures within their field of responsibility.

Organizations must follow the cyber security principles as below:

  1. Identify the reasons for failure to comply;
  2. Assess the need for compliance measures;
  3. Implement effective remedial measures;
  4. Review the steps taken to verify their efficiency and recognize any deficiencies or vulnerabilities.

A.18.2.3 Technical Compliance Review

Information systems should be regularly reviewed for compliance with the organization’s information security policies and standards.

Technical compliance reviews revolve around the examination of operational systems to ensure that hardware and software controls have been correctly implemented. Penetration testing and vulnerability assessments provide a snapshot of a system in a specific state at a specific time. Penetration testing and vulnerability assessments are not a substitute for risk assessment. However, a technical risk assessment requires a complete check of all software that been using to provide services.

Subscribe to our Newsletter


This field is for validation purposes and should be left unchanged.

Share This Post With Your Network

More To Discover