ISO 27001 Legal Registers for the UK

ISO 27001 is the internationally recognised standard for information security management systems (ISMS) and provides a comprehensive framework for safeguarding critical data. The latest edition of the standard, ISO 27001:2022, contains control 5.31 (Legal, statutory, regulatory and contractual requirements), which requires organisations to identify the legal requirements that apply to them and to document their approach to complying with those requirements. Often the easiest way to do this is via a Legal Register, but where do you start?

On this page we discuss what an ISO 27001 legal register is and why it matters, and provide a dynamically generated list of legislation that MAY be applicable to your ISMS.

What is an ISO 27001 Legal Register?

An ISO 27001 legal register is a structured and documented list of relevant legal and regulatory requirements applicable to an organisation’s information security management. This register serves as a central repository for tracking and ensuring compliance with various laws, regulations, industry standards, and contractual obligations that relate to data protection and security.

What Should be Included in an ISO 27001 Legal Register?

An effective ISO 27001 legal register should include the following key components:

Applicable Laws and Regulations: Identify and document all relevant laws and regulations related to information security and data protection that apply to your organisation’s operations, industry, and geographic location.

Industry Standards: Include any industry-specific standards and guidelines that your organisation must adhere to, such as those set by regulatory bodies or industry associations.

Contractual Obligations: Document contractual agreements that require compliance with specific information security requirements, such as data protection clauses in customer agreements or vendor contracts.

Timelines and Updates: Specify compliance deadlines and ensure the register is regularly updated to reflect changes in laws, regulations, and contractual obligations.

Responsibilities: Assign responsibilities to individuals or teams responsible for monitoring and ensuring compliance with each requirement.

Evidence of Compliance: Include references to documents, policies, procedures, and other evidence that demonstrate how your organisation meets each requirement.

Is ISO 27001 a Legal Requirement?

No, ISO 27001 itself is not a legal requirement. It is a globally recognised standard that outlines best practices for establishing, implementing, maintaining, and continually improving an information security management system. Organisations can choose to adopt ISO 27001 voluntarily to enhance their information security posture, demonstrate their commitment to data protection, and gain a competitive edge.

What should my ISO 27001 Legal Register Look Like?

A legal register can take many forms, and you should choose a format that works for your organisation. Resilify.io provides a Legal Register Template in Excel format, which can be downloaded from our page: https://www.resilify.io/knowledge-base/uk-legal-register-template/

Speak to an ISO 27001 Consultant

For support building and maintaining your ISO 27001 legal register, implementing the standard or conducting internal audits, Assent Risk Management’s ISO 27001 Consultants can help.

How do I keep my ISO 27001 Legal Register Up-to-date?

Legislation and industry updates can come from many places. It can be useful to sign up to the newsletters of relevant government departments, organisations and professional bodies.

In addition, ISO Consultants Assent Risk Management provide a free monthly legislation update email. Sign Up Here.

List of ISO 27001 Legislation

Title: Bribery Act 2010 amended 2011
Country: UK
Standard(s): ISO 27001, ISO 9001, ISO 37001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Communications Data Acquisition Regs (2019)
Country: UK
Standard(s): ISO 27001
Industry(ies): Public Sector
Status: Active Under Review


Title: Computer Misuse Act 1990
Country: UK
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Copyright and Duration of Rights in Performances Regulations 2013
Country: UK
Standard(s): ISO 9001, ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Copyright, Designs and Patents Act 1988
Country: UK
Standard(s): ISO 9001, ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Counter-Terrorism and Border Security Act 2019
Country: UK
Standard(s): ISO 27001, ISO 22301
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Counter-Terrorism and Border Security Act 2019 (Commencement No. 1) (Northern Ireland) Regulations 2021
Country: Northern Ireland
Standard(s): ISO 27001, ISO 22301
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Cyber (Sanctions) (Overseas Territories) Order 2020
Country: UK
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active Under Review


Title: Data Protection Act 2018
Country: UK
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Data Retention and Investigatory Powers Act 2014
Country: UK
Standard(s): ISO 27001
Industry(ies): Public Sector
Status: Active


Title: Defamation (Operators of Websites) Regulations 2013
Country: UK
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Defamation Act 2013
Country: UK
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Defamation and Malicious Publication (Scotland) Act 2021 (Commencement and Transitional Provision) Regulations 2022
Country: Scotland
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Pending 8/8/2022


Title: eIDAS Regulation UK
Country: UK
Standard(s): ISO 27001
Industry(ies): Technology
Status: Active Under Review


Title: Electronic Communications Act 2000
Country: UK
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Electronic Trade Documents Act 2023
Country: UK
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Electronic Money Regulations 2011
Country: UK
Standard(s): ISO 27001
Industry(ies): Financial Services, Payment Services, Banks
Status: Active Under Review


Title: General Data Protection Regulations (EU)
Country: UK
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Global Anti-Corruption Sanctions Regulations 2021
Country: UK
Standard(s): ISO 37001, ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Intellectual Property Act 2014
Country: UK
Standard(s): ISO 9001, ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Investigatory Powers (Communications data) (Relevant Public Authorities and Designated Senior Officers) (No. 02) Regulations 2020
Country: UK
Standard(s): ISO 27001
Industry(ies): Public Sector
Status: Active


Title: Investigatory Powers (Communications data) (Relevant Public Authorities and Designated Senior Officers) Regulations 2020
Country: UK
Standard(s): ISO 27001
Industry(ies): Public Sector
Status: Active


Title: Investigatory Powers Act 2016
Country: UK
Standard(s): ISO 27001
Industry(ies): Public Sector
Status: Active


Title: Network and Information Systems (Amendment and Transitional Provision etc) Regulations 2020
Country: UK
Standard(s): ISO 9001, ISO 27001, ISO 22301
Industry(ies): Public Sector
Status: Active


Title: Network and Information Systems (EU Exit) (Amendment) Regulations 2021
Country: UK
Standard(s): ISO 9001, ISO 27001, ISO 22301
Industry(ies): Public Sector
Status: Active


Title: Network and Information Systems Regulations 2018
Country: UK
Standard(s): ISO 9001, ISO 27001, ISO 22301
Industry(ies): Public Sector
Status: Active


Title: Official Secrets Act 1989
Country: UK
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Patents Act 2004
Country: UK
Standard(s): ISO 9001, ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Patents Designs and Marks Act 1986
Country: UK
Standard(s): ISO 9001, ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Payment Services Regulations 2017
Country: UK
Standard(s): ISO 9001, ISO 27001
Industry(ies): Financial Services, Payment Services, Banks
Status: Active Under Review


Title: Police and Criminal Evidence Act 1984
Country: UK
Standard(s): ISO 9001, ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Privacy and Electronic Communications Regulations 2003 amendment 2018
Country: UK
Standard(s): ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active Under Review


Title: Private Security Industry (Licence Fee) Order 2020
Country: UK
Standard(s): ISO 27001, ISO 9001
Industry(ies): Security
Status: Active


Title: Regulation of Investigatory Powers Act 2000 (RIP or RIPA)
Country: UK
Standard(s): ISO 27001
Industry(ies): Public Sector
Status: Active


Title: Sanctions and Anti-Money Laundering Act 2018
Country: UK
Standard(s): ISO 27001
Industry(ies): Financial Services, Payment Services, Banks
Status: Active


Title: Sanctions and Anti-Money Laundering Act 2018
Country: UK
Standard(s): ISO 27001
Industry(ies): Financial Services, Payment Services, Banks
Status: Active


Title: Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
Country: UK
Standard(s): ISO 27001
Industry(ies): Public Sector
Status: Active


Title: Regulation of Investigatory Powers (Scotland) Act 2000
Country: Scotland
Standard(s): ISO 27001
Industry(ies): Public Sector
Status: Active


Title: Freedom of Information (Scotland) Act 2002
Country: Scotland
Standard(s): ISO 27001
Industry(ies): Public Sector
Status: Active


Title: Wales Accord on the Sharing of Personal Information (WASPI) 2018
Country: Wales
Standard(s): ISO 27001
Industry(ies): Public Sector
Status: Active


Title: Economic Crime and Corporate Transparency Act 2023
Country: UK
Standard(s): ISO 9001, ISO 27001, ISO 37001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: Online Safety Act 2023
Country: UK
Standard(s): ISO 9001, ISO 27001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Active


Title: European Union Artificial Intelligence Act
Country: Europe
Standard(s): ISO 27001, ISO 42001
Industry(ies): All, Accounting, Agriculture, Automotive, Banks, Chemicals, Construction, Energy Companies, Financial Services, Food and Drink, Healthcare, Logistics, Manufacturing, Payment Services, Security, Technology, Public Sector, Water Companies, Waste
Status: Draft


Title: The Online Safety (List of Overseas Regulators) Regulations 2024
Country: UK
Standard(s): ISO 27001, ISO 9001
Industry(ies): Technology
Status: Active


Title: Artificial intelligence liability directive
Country: Europe
Standard(s): ISO 42001, ISO 9001, ISO 27001
Industry(ies): Artificial Intelligence, Technology
Status: Draft


Title: Artificial Intelligence (Regulation) Bill
Country: UK
Standard(s): ISO 42001, ISO 9001, ISO 27001
Industry(ies): Artificial Intelligence, Technology
Status: Draft


Title: AI Training Act
Country: US
Standard(s): ISO 42001, ISO 9001, ISO 27001
Industry(ies): Artificial Intelligence, Technology
Status: Active


Title: Algorithmic Accountability Act of 2022
Country: US
Standard(s): ISO 42001, ISO 9001, ISO 27001
Industry(ies): Artificial Intelligence, Technology
Status: Active


Record Count: 48

Powered by Clemark.Technology

Disclaimer: Errors and omissions excepted. Resilify and Assent are not legal advisors and we do not provide legal advice. However, over many years of implementing ISO Management Systems and undergoing external audit by Accredited Certification Bodies, we have developed a good understanding of how to comply with the legal and contractual clauses of many ISO standards.
To answer specific legal queries we can refer you to a properly qualified and experienced legal counsel.