
April 1, 2026
Hacker Hub - April 2026
Our pen testers exploited 8 serious vulnerabilities in AI-powered business tools using prompt injection. Here's what small businesses need to know about the hidden security risks of AI assistants.
If you're adding a legal register as part of your ISO 27001 implementation, have you stopped to ask yourself why? At first glance, a legal register sounds like a great idea. But does it actually protect the confidentiality, integrity, or availability of your information?
For most businesses, the answer is no.
Let’s Be Clear
A legal register can certainly help with compliance—it keeps track of laws, regulations, and obligations that apply to your business. And if compliance is your goal, that’s fine.
But here’s the thing: ISO 27001 isn’t about compliance. It’s about information security.
And let’s be honest—having a list of legal requirements in a spreadsheet:
❌ Won’t stop a ransomware attack
❌ Won’t mitigate insider threats
❌ Won’t reduce downtime after a system failure
It’s a “nice-to-have”, not a security measure.
So, Why Does This Matter?
Every Annex A control you include should have a clear and direct effect on your security posture. If it doesn't, why spend valuable time and budget on it?
Annex A is a reference list, not a checklist. You select controls through risk treatment (clause 6.1.3) and record every inclusion and exclusion, with a justification, in your Statement of Applicability. Some controls will be necessary because of your business, contractual or legal obligations, but many won't be.
When you implement controls just because "Annex A says so", you're prioritising compliance over real security. And that's a risky trade-off.
The Takeaway?
✅ Be critical.
✅ Be strategic.
✅ Ask yourself: Does this control actually protect my organisation’s data, or am I just ticking boxes?
I’d love to hear your thoughts—do you agree that some Annex A controls add little value?
Or do you see it differently? Get in touch or connect with me on LinkedIn
