ISO 27001 - Annex A.18 - compliance

What is Annex A.18?

Annex A.18 states how an organisation should comply with legal and contractual requirements. These requirements cover the installation of software, transference of information, encryption needs and intellectual property rights, to name a few, and requires individuals to assume responsibility for the protection of confidential information. 

It is important to understand what Compliance means in relation to the ISO 27001 standard of information security, and what Annex A.18 entails.

What is Compliance?

Compliance, as outlined in Annex A.18 of the Annex A controls, requires that an organisation adheres to all relevant control objectives, controls, policies, processes, and procedures, whether they be legal, regulatory, contractual or self-imposed, to ensure that information security is enforced and managed.

Let’s take a look at why proper compliance should matter to you and your organisation. 

Why is Compliance important for your organisation?

Network sharing and the installation of softwares can provide access to hackers, making personally identifiable information and confidential business records vulnerable to unauthorised disclosure, loss and falsification. Identifying and maintaining a strict compliance framework can prevent the unauthorised access of an organisation’s diverse information sets. 

What are the Annex A.18 controls?

Annex A.18 comprises 8 controls focused on both external and internal compliance. This section covers how an organisation should identify and comply with relevant legislation, abide by intellectual property laws and licensing requirements, protect business records and personally identifiable information and regularly review compliance with existing information security practices.

• A.18.1 Compliance with legal and contractual requirements

The objective of Annex A.18.1 is to ensure your organisation’s information systems comply with any and all infosec-related obligations, be it laws, regulations or contracts.  

• A.18.1.1 identification of applicable legislation and contractual requirements
  
  Control: It is required that the organisation regularly identifies, documents and updates requirements along with the organisation’s approach to complying with them.
  Implementation: Individual obligations (i.e. the role of specific individuals in complying with requirements) must be identified and documented. All relevant legislatures should be identified and upheld even if business operations are carried out in another country. 
  
  
• A.18.1.2 Intellectual property rights
  
  Control: All legislation surrounding intellectual property rights and proprietary licences must be upheld and complied with.
  The following must be considered before declaring any material as intellectual property in need of protection:
• Fair/legitimate use of software and information products must be recorded in a guideline
• Software must only be purchased from reputed sources to not risk corruption or breaches
• In case of intellectual property violations, disciplinary action must be taken with prior notice
• All assets must be registered along with their intellectual property rights requirements
• Evidence of licence ownership must be recorded
• If there is a set maximum number of users, controls must be implemented to ensure this number isn’t exceeded
• Installed products and software must be reviewed for proof of sole licence
• Appropriate use/conditions of licences must be outlined and enforced via a policy document  
• Information/guidelines surrounding the disposal and transfer of information must be communicated in a strategy
• General terms and conditions of installed software and public networks must be complied with
• The replication, transformation and extraction of audio and video recordings must be restricted to what is permissible under copyright law
• Written media and documents may only be copied as deemed permissible by copyright law
  
  
• A.18.1.3 Protection of records
  
  Control: Organisational records should be protected from unauthorised access and release, as well as loss, destruction and falsification, per all relevant legislation.
  Implementation: The organisation’s classification scheme should dictate which documents require protection. Records should be categorised according to type, and with their retention periods, encryption details and allowed storage formats. Storage should account for the possible destruction of media if and when it is no longer needed.
  
  
• A.18.1.4 Privacy and protection of personally identifiable information
  
  Control: The protection and privacy of information must be stipulated in any relevant legislation, and upheld as such. 
  Implementation: A data policy must be developed and implemented that outlines the requirements for the privacy and protection of personally identifiable information. All those who are involved in the processing of this information must be made aware of this policy. 

A privacy officer must be appointed to assume responsibility for the protection of personally identifiable information and the guidance of personnel in achieving this. Additionally, measures should be implemented to enforce the privacy and protection of personally identifiable information.

• A.18.1.5 Regulation of cryptographic controls
  
  Control: Cryptographic controls must be implemented following business requirements.
  
  The following must be considered when implementing cryptographic controls:
• The import and export of any hardware and software that are used to perform cryptographic functions must be restricted
• The import and export of any hardware and software that have cryptographic functions applied to them must be restricted
• The use of encryption must be restricted
• There must be defined methods of access for information protected by encryption hardware and software

Before information is transported (across countries/jurisdictional boundaries), legal advice must be sought to ensure compliance with country authorities.

• A.18.2 Information Security Reviews

The objective of A.18.2 is to ensure that all infosec requirements are upheld and enforced following organisational policies and procedures. 

• A.18.2.1 Independent review of information security
  
  Control: Internal measures must be taken to improve the organisation's information security management approach. This approach includes policies, procedures and controls etc. 
  Implementation: An independent review should be carried out by a relevantly skilled individual) to ensure the consistency, appropriateness and efficiency of the organisation’s information security procedures. This analysis must include objectives and opportunities for improvement.

Results of this review must be communicated to relevant parties and kept a record of. Corrective measures should be taken in line with the information security policy, in the event compliance requirements are not met.  

• A.18.2.2 Compliance with security policies and standards
  
  Control: Information processing specifications and procedures must be regularly reviewed by managers for compliance.
  Implementation: Stipulated infosec criteria must be assessed in a predetermined manner, using automated measuring and reporting tools when necessary. In the case of non-compliance, causes and corrective actions must be identified and communicated.

• A.18.2.3 Technical compliance review
  
  Control: Information systems must be regularly reviewed to ensure they are compliant with the organisation’s infosec policies and standards.
  Implementation: Technical compliance must ideally be assessed using automated tools. Caution must be exercised when performing manual assessments to ensure system security is not compromised. Assessments must be carried out by or under the supervision of relevant professionals, and must be planned and documented.

Conclusion

While adhering to all 114 Annex A controls isn’t mandatory, it is necessary to identify and implement the controls that are relevant to your organisation’s objectives. 

Annex A.18 outlines best practices for compliance and information security reviews through 8 potential controls that ensure personally identifiable information and business records (such as accounts records and logs) aren’t made available without authorisation. A.18 dictates how organisations may continue to remain compliant with laws, regulations, contracts and policies and strengthen their approach to information security management. 

Schedule a no-obligation phone call with one of our experts at DataGuard to align your organisation with the ISO 27001 standard!