This article provides an overview of Compliance within IT as part of ISO 27002 compliance.

The objective of compliance with legal and contractual requirements is to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

The objective of information security reviews is to ensure that information security is implemented and operated in accordance with the organisational policies and procedures.

Compliance with legal and contractual requirements:

  1. Identification of applicable legislation and contractual requirements – all relevant legislative, statutory, regulatory and contractual requirements, and the organisation’s approach to meeting these requirements, should be explicitly identified, documented and kept up to date for each information system and for the organisation.
  2. Intellectual property rights – appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and the use of proprietary software products.
  3. Protection of records – records should be protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements.
  4. Privacy and protection of personally identifiable information – privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.
  5. Regulation of cryptographic controls – cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations.
Information security reviews:

  1. Independent review of information security – the organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals and/or when significant changes occur.
  2. Compliance with security policies and standards – managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
  3. Technical compliance review – information systems should be regularly reviewed for compliance with the organisation’s information security policies and standards.

For more information please contact Morland-Austin at