
What the Standards say about legal compliance

Whether your organisation is considering or holds certification to quality, environmental, health and safety or information security Standards, there is no escaping the requirement for legal compliance.

It should be no surprise to realise that the environmental and health and safety Standards require evidence of legal compliance:

Clause 6.1.3 'Compliance Obligations' of ISO 14001 states:

"The organisation shall:

  • determine and have access to the compliance obligations related to its environmental aspects

  • determine how these legal obligations apply to the organisation

  • take these compliance obligations into account when establishing, implementing, maintaining and continually improving its environmental management system.

"The organisation shall maintain documented information of its compliance obligations"

Clause 6.1.3 of ISO 45001 may have a different title: "Determination of legal requirements and other requirements" but it says much the same thing from a health and safety perspective:

"The organisation shall establish, implement and maintain a process(es) to:

  • determine and have access to up-to-date legal requirements and other requirements that are applicable to its hazards, OH&S risks and OH&S management system;

  • determine how these legal requirements and other requirements apply to the organization and what needs to be communicated;

  • take these legal requirements and other requirements into account when establishing, implementing, maintaining and continually improving its OH&S management system.

"The organization shall maintain and retain documented information on its legal requirements and other requirements and shall ensure that it is updated to reflect any changes."

It may be more surprising to learn that legal compliance is mandated throughout ISO 9001 as well, from the introduction onwards and embedded in various clauses, including 5.1.2 'Customer focus', which requires that "customer and applicable statutory and regulatory requirements are determined, understood and met."

Similarly, Annex A of the information security Standard ISO 27001 includes the requirement for compliance with legal and contractual requirements, in control A.18.1 of the 2013 edition (in the 2022 edition this control sits at A.5.31, 'Legal, statutory, regulatory and contractual requirements', with the same intent).


Essentially, all of the Standards listed here require organisations to:

  1. Identify relevant legislation (and have systems to keep up to date with changes in legal requirements).

  2. Determine how it applies to that organisation.

  3. Document the findings. (This typically results in the production of a Legal or Compliance Register).

  4. Evaluate the organisation's compliance to the legal requirements.

  5. Take legal requirements (and the organisation's performance against them) into account when improving systems (which is typically discussed as part of the Management Review Meeting Process).


If you need copies of any of the Standards, you can purchase hard copies in our Standards Shop.
