Legal and Regulatory Compliance Policy

CIAO ESSENTIAL — POLICY
C-AO/POL/CAO-810:2026 PUBLIC
Legal and Regulatory Compliance Policy
CAO-800 Regulatory Compliance sub-policy (CAO-810) — auto-drafted, pending panel review
Date Issued  22 June 2026
Review Date  22 June 2027
Cite as: CIAO Standard. (2026). Legal and Regulatory Compliance Policy. v1.1.3.7. C-AO/POL/CAO-810:2026. www.c-ao.com

1 · Purpose

This policy establishes the requirements for legal and regulatory compliance policy within the CAO-800 Regulatory Compliance. It gives effect, in a single harmonised instrument, to the control objectives upon which recognised standards converge for this area.

2 · Scope

This policy applies to all information, systems, services, personnel and third parties within the scope of the management system.

3 · Policy statements

3.x · CAO-810 Policy Controls

outlinesatisfies·solidpartial·greyinforms

The organisation shall establish, implement and maintain a coherent and effective approach to legal and regulatory compliance, giving effect to the organisational control objectives set out below.

COBIT 2019G20/OECD PrinciplesGDPRISO/IEC 27001ISO/IEC 27002ISO/IEC 27017King VNIS2NIST SP 800-53PAIASA Cybercrimes Act

3.1 · CAO-811 Legal and Regulatory Obligations

The organisation shall establish, implement and maintain effective Legal and Regulatory Obligations, giving effect to the organisational controls set out below.

COBIT 2019G20/OECD PrinciplesGDPRISO/IEC 27001ISO/IEC 27002ISO/IEC 27017King VNIST SP 800-53PAIASA Cybercrimes Act

3.1.x · CAO-811 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.2 · CAO-812 Cyber-Crime and Incident Reporting

The organisation shall establish, implement and maintain effective Cyber-Crime and Incident Reporting, giving effect to the organisational controls set out below.

NIS2SA Cybercrimes Act

3.2.x · CAO-812 Organisational Controls

Essential taster — a preview of the Professional depth for this high-density control area.

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

3.3 · CAO-813 Information Access Compliance

The organisation shall establish, implement and maintain effective Information Access Compliance, giving effect to the organisational controls set out below.

PAIA

3.3.x · CAO-813 Organisational Controls

Professional tier required. The organisational control objectives that decompose this area, and the technical controls beneath them, are revealed at Professional tier and above. Log in or view options ↗

4 · Roles & responsibilities

5 · Compliance, monitoring & review

Compliance with this policy is mandatory. This policy is reviewed at least annually, or upon significant change to the threat, regulatory or technological environment. Exceptions require documented risk acceptance by the accountable owner.

● LIVE CONTENT  ·  Verified 11 July 2026 at 17:38 UTC  ·  Version 1.1.3.7  ·  Always current at c-ao.com  ·  © CIAO Standard Secretariat 2026

Cite this page (APA)