Question: Does the organization maintain a master list of applicable legal, regulatory, and contractual requirements?
Why This Matters
Knowing every obligation—from licenses to data-protection laws—ensures proactive rather than reactive compliance.
Maturity
0 — Unaware
No catalog of applicable laws or standards.
1 — Ad Hoc
Awareness depends on individual departments.
2 — Defined
Compliance matrix lists laws and responsible functions.
3 — Managed
Legal register reviewed semi-annually.
4 — Integrated
Register linked to risk and policy framework.
5 — Optimized
Automated alerts for law changes and impact analysis.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Gather all laws and standards cited by departments. |
| 1 → 2 | Create central register with owners and review dates. |
| 2 → 3 | Schedule semi-annual legal review with external counsel. |
| 3 → 4 | Map each requirement to policy or control. |
| 4 → 5 | Enable subscription alerts and auto impact matrix. |
Enablers
- People: Legal Head, Compliance Officer, Risk Team
- Process: Identify → Map → Review
- Technology: GRC system or database register
Evidence
- Legal register
- Review records with sign-off
- Change impact log
KPIs
- Number of applicable laws tracked
- Percentage reviewed per cycle
- Average update time after change
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Register | Excel / Airtable | Law and owner fields |
| Monitoring | Google Alerts / Manupatra | Regulatory watch |
| Automation | n8n | Change notification workflow |
Common Pitfalls
- Register created once and forgotten
- No cross-functional ownership
- Missed law amendments
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | A.5.31 (Legal and Contractual Requirements) |
| DPDP Act 2023 | Sec 10 (Compliance obligation) |
| NIST CSF 2.0 | GV.OV-01 / GV.RM-02 |
| NIRMATA Mapping | CA-Q02 maintains visibility of all requirements. |