ISO/IEC 27001 Control 5.31: Legal, statutory, regulatory and contractual requirements

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements should be identified, documented and kept up to date.

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

MidPoint documentation provides overview and guidance for compliance with several compliance frameworks. Integral documentation of midPoint can be used to document fulfillment of specific compliance requirements.

MidPoint documentation has a special compliance section, which provides overview and guidance for compliance with several compliance frameworks. Integral documentation of midPoint (a.k.a. midScribe) can be used to maintain deployment documentation together with the configuration, with an ability to automatically generate comprehensive deployment documentation. This approach is ideal for documentation of fulfillment of specific compliance requirements, together with the technical means used to implement them. The documentation can be easily kept up to date, and the configuration can easily be reviewed when compliance requirements change. Certification mechanisms can be used to regularly review applicability of policies (e.g. roles) to satisfy compliance requirements. Certification can also be used to automatically review assignment of information classifications (labeling) and clearances. Access certification is also useful for regular review of security-related roles and responsibilities. Organizational structure and location hierarchies can be used to apply variations of policies to specific organizational units or locations, reflecting specifics of local legislation and regulations. Policy rules can be used to limit transfer of information (e.g. personal data) to regions limited by regulations, or regions that do not provide appropriate protection for information. Risk management capabilities (planned) could be used to identify risk hot-spots, prioritizing them for risk treatment and improvements of related policies.