Castleforce IT Security Team

A.15 Compliance

A.15.1 Compliance with legal requirements

Objective: To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.

A.15.1.1 Identification of applicable legislation

Control

All relevant statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.

A.15.1.2 Intellectual property rights (IPR)

Control

Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights and on the use of proprietary software products.

A.15.1.3 Protection of organizational records

Control

Important records shall be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

A.15.1.4 Data protection and privacy of personal information

Control

Data protection and privacy shall be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.

A.15.1.5 Prevention of misuse of information processing facilities

Control

Users shall be deterred from using information processing facilities for unauthorized purposes.

A.15.1.6 Regulation of cryptographic controls

Control

Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.
