Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Failing to understand the laws and contracts that apply to you is one of the most common and expensive compliance mistakes an organization can make. GDPR fines, HIPAA penalties, missed state breach notification deadlines, and contract breaches can all follow from security gaps that were legal obligations, not merely best practices. A clear inventory of your compliance obligations ensures that your security program covers the minimum required floor and that you can demonstrate compliance when auditors, customers, or regulators ask.
Implementation steps

1. Inventory all applicable legal, regulatory, and contractual requirements
Work with legal counsel to identify every applicable law (GDPR, HIPAA, CCPA, GLBA, etc.), regulation, industry standard or attestation framework (PCI DSS, SOC 2), and key contractual obligation, including security clauses and breach notification terms in customer contracts. Document each requirement, its source, the rationale for why it applies to you, and what it mandates for the organization's security program.
Suggested tools: Confluence, Notion, Google Docs, Drata, Vanta

2. Map requirements to existing controls and identify gaps
Compare each compliance requirement against your current security controls. For each gap, create a remediation task with an owner and target date. If you are subject to several overlapping frameworks, use a compliance management platform to automate the mapping so that one control can satisfy requirements from multiple sources.
Suggested tools: Drata, Vanta, Lacework, Jira, Google Sheets

3. Establish a process for tracking regulatory changes
Regulations evolve and new contracts may add obligations. Assign an owner to monitor the relevant regulatory bodies, subscribe to legal update services, and review the compliance inventory at least annually and whenever you enter a new market, onboard a new category of data, or sign a major contract.
Suggested tools: Confluence, Jira, Google Docs
Evidence required

Compliance obligations register
A documented inventory of all legal, regulatory, and contractual cybersecurity requirements applicable to the organization, with sources and responsible owners identified.
- Spreadsheet listing each regulation, requirement summary, applicability rationale, and control mapping
- Compliance platform (Drata, Vanta) showing mapped frameworks and requirements
- Legal memo from counsel identifying applicable cybersecurity laws

Gap analysis or control mapping evidence
Documentation showing that identified requirements have been evaluated against existing controls and that gaps are being tracked and remediated.
- Compliance gap analysis report with remediation status
- Jira epic tracking open compliance remediation tasks
- Audit preparation checklist with controls mapped to requirements
Related controls

- Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered (Organizational Context)
- The organizational mission is understood and informs cybersecurity risk management (Organizational Context)
- Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated (Organizational Context)
- Outcomes, capabilities, and services that the organization depends on are understood and communicated (Organizational Context)