14. Compliance
This category ensures that the organization complies with legal, regulatory, and contractual requirements related to information security. It includes implementing measures to avoid breaches of legal, statutory, regulatory, or contractual obligations and security requirements.
Controls (A.18):
A.18.1.1: Identification of Applicable Legislation and Contractual Requirements
A.18.1.2: Intellectual Property Rights
A.18.1.3: Protection of Records
A.18.1.4: Privacy and Protection of Personally Identifiable Information (PII)
A.18.1.5: Regulation of Cryptographic Controls
A.18.2.1: Independent Review of Information Security
A.18.2.2: Compliance with Security Policies and Standards
A.18.2.3: Technical Compliance Review
Control A.18.1.1: Identification of Applicable Legislation and Contractual Requirements
Audit Questions:
How does the organization identify applicable legal, regulatory, and contractual requirements?
Are there documented procedures to ensure compliance with these requirements?
Common Non-Conformities (NC):
Lack of a formal process to identify applicable requirements.
Incomplete or outdated documentation of requirements.
Control A.18.1.2: Intellectual Property Rights
Audit Questions:
How does the organization ensure compliance with intellectual property rights (IPR) regulations?
Are there measures to protect and manage IPR?
Common Non-Conformities (NC):
Inadequate measures to comply with IPR regulations.
Lack of protection and management of IPR.
Control A.18.1.3: Protection of Records
Audit Questions:
What controls are in place to protect records from loss, destruction, and falsification?
How are records maintained and stored securely?
Common Non-Conformities (NC):
Inadequate controls to protect records.
Poor maintenance and storage of records.
Control A.18.1.4: Privacy and Protection of Personally Identifiable Information (PII)
Audit Questions:
How does the organization ensure the privacy and protection of PII?
Are there policies and procedures to handle PII securely?
Common Non-Conformities (NC):
Lack of measures to protect PII.
Poor handling of PII, leading to potential breaches.
Control A.18.1.5: Regulation of Cryptographic Controls
Audit Questions:
How does the organization comply with regulations related to cryptographic controls?
Are cryptographic controls used in accordance with legal requirements?
Common Non-Conformities (NC):
Non-compliance with cryptographic control regulations.
Improper use of cryptographic controls.
Control A.18.2.1: Independent Review of Information Security
Audit Questions:
Are independent reviews of information security conducted regularly?
How are findings from independent reviews addressed and resolved?
Common Non-Conformities (NC):
No independent reviews of information security.
Findings from reviews not addressed or resolved.
Control A.18.2.2: Compliance with Security Policies and Standards
Audit Questions:
How does the organization ensure compliance with its security policies and standards?
Are there regular assessments to verify compliance?
Common Non-Conformities (NC):
Poor compliance with security policies and standards.
Lack of regular compliance assessments.
Control A.18.2.3: Technical Compliance Review
Audit Questions:
Are technical compliance reviews conducted regularly to ensure adherence to security standards?
How are non-compliances identified and rectified?
Common Non-Conformities (NC):
No regular technical compliance reviews.
Non-compliances not identified or rectified.
Last updated