GOV-010 Legal, Regulatory, and Contractual Compliance Inventory
Description
The organization maintains a current inventory of applicable legal, statutory, regulatory, and contractual information security requirements. The inventory is reviewed at least annually and updated when new obligations arise. Ownership of each requirement is assigned.
Rationale
Organizations cannot comply with obligations they have not identified. A maintained inventory ensures that compliance gaps are visible and ownership is clear for each requirement.
Framework Mappings (4)
| Control ID | Control Name | Mapping Strength |
| --- | --- | --- |
| A&A-04 | Requirements Compliance | partial |
| GRC-07 | Information System Regulatory Mapping | full |
| 5.31 | Legal, statutory, regulatory and contractual requirements | full |
| PL-1 | Policy and Procedures | partial |
Evidence (2)
Compliance obligations inventory listing applicable legal, regulatory, and contractual information security requirements with assigned owners and last-reviewed dates.
Example: Compliance obligations register (Confluence / GRC platform / spreadsheet), with columns for: obligation name, source (e.g. GDPR Art. 32, SOC 2 CC6), jurisdiction, owner (named individual or team), and last review date, with that date falling within the last 12 months.
Test: Request the compliance obligations inventory. Verify: (1) each applicable regulation, law, and contractual requirement is listed, (2) each entry has a named owner, (3) the inventory has been reviewed within the last 12 months and the review date is recorded, (4) additions since the prior review reflect any new contracts or regulatory changes during that period.
Annual compliance review report showing the obligations inventory was reviewed, updated, and presented to management.
Example: Compliance review report or management meeting minutes (Google Drive) documenting the annual review of the obligations inventory, noting additions, removals, and no-change confirmations with named reviewer and date.
Test: Request the most recent compliance review report or meeting minutes. Verify: (1) the inventory review took place within the last 12 months, (2) a named reviewer is recorded, (3) the report was communicated to or acknowledged by a named manager.
Questions (2)
Does your organization maintain a current inventory of applicable legal, regulatory, and contractual information security obligations, with ownership assigned to each?
The inventory should cover obligations across all operating jurisdictions and be reviewed at least annually, with additions made when new contracts or regulations apply.
How frequently is the compliance obligations inventory reviewed and updated?
An annual review that produces a dated record with a named reviewer is the minimum. Updates should be visible whenever new obligations arise mid-year.