Sapna has completed a Bachelor of Arts/Laws. Since graduating, she's worked primarily in the field of legal research and writing, and she now writes for Sprintlaw.
If you're working towards ISO 27001 certification, you already know that technical controls like firewalls, encryption and access restrictions are critical. However, without the right legal foundations, your information security management system (ISMS) could still fall short — putting your compliance, reputation and operations at risk.
Here’s what you need to know from a legal perspective.
What Is ISO 27001?
ISO 27001 is the international standard for information security management systems. It sets out a framework for managing sensitive information and reducing information security risks. Certification demonstrates that your business has the necessary policies, procedures and controls in place to safeguard both your own data and your clients’ data.
Why Legal Documents Matter for ISO 27001
While technical solutions form a core part of ISO 27001 compliance, the standard also requires strong organisational and legal measures.
Having the right legal documents in place helps you meet key Annex A controls, manage third-party relationships responsibly and demonstrate compliance with New Zealand’s privacy and data protection obligations under the Privacy Act 2020 and the Information Privacy Principles (IPPs). Without these documents, you risk audit failure, regulatory penalties and damage to your business’s credibility.
Key Legal Documents For ISO 27001
To support your ISO 27001 framework, you’ll need to ensure the following documents are in place and up to date:
- Privacy Policy
A clear, transparent policy explaining how your business collects, uses, stores and discloses personal information. A compliant Privacy Policy helps meet Annex A.18.1.4 (privacy and protection of personally identifiable information) and supports IPP 1 (purpose of collection) and IPP 3 (what individuals must be told when information is collected from them).
- Cookie Policy
If your website uses cookies or tracking technologies, a Cookie Policy should disclose which cookies are used, their purposes and how users can manage their preferences. New Zealand has no standalone cookie law, but where cookies collect personal information the Privacy Act 2020 applies, and the policy helps demonstrate transparency and good data governance.
- Data Processing Agreement (DPA)
When you engage external service providers (such as cloud hosts, software vendors or marketing platforms), a DPA sets out their obligations regarding security measures, subcontracting and breach notification. This supports the supplier-relationship controls in Annex A.15 and is critical for third-party risk management under ISO 27001.
- Confidentiality Agreement (NDA)
Protects your sensitive information when dealing with employees, contractors and external suppliers. Supports Annex A.13.2.4 (confidentiality or non-disclosure agreements) by formalising confidentiality obligations across your operations.
- Data Retention Policy
Defines how long you retain different categories of personal and business data and the methods for secure disposal. Supports Annex A.8.3.2 (disposal of media) and helps demonstrate accountability under the Privacy Act 2020, including IPP 9 (not keeping personal information longer than necessary).
- Breach Notification Procedure
Outlines internal reporting, assessment and external notification steps if a data breach occurs. Under the Privacy Act 2020, a privacy breach that has caused, or is likely to cause, serious harm is a notifiable privacy breach and must be reported to the Privacy Commissioner and affected individuals as soon as practicable. The procedure should also cover any contractual notification deadlines agreed with clients and suppliers (for example a fixed 72-hour window in a DPA), which apply in addition to the statutory standard.
Note that the Annex A references above use the ISO 27001:2013 numbering. ISO 27001:2022 reorganised Annex A, so if you are certifying against the current edition, map them to the corresponding 2022 controls (for example A.5.34 for PII protection, A.6.6 for confidentiality agreements, A.7.10 for storage media, A.5.19 and A.5.20 for supplier relationships, and A.5.31 for legal, statutory, regulatory and contractual requirements).
How Sprintlaw Can Help
We offer tailored legal support to help businesses meet ISO 27001 requirements, including:
- Custom Privacy Policies and Cookie Policies drafted specifically for your operations and user base.
- Data Processing Agreements that protect your interests when using cloud services, SaaS platforms or third-party suppliers.
- Confidentiality and Non-Disclosure Agreements for employees, contractors and business partners.
- Data Retention and Breach Notification Procedures aligned with ISO 27001 and New Zealand privacy regulations.
- Review and Gap Analysis of your existing legal documentation, with practical recommendations.
Whether you’re building an ISMS from scratch or reviewing your current compliance measures, Sprintlaw’s team of experienced commercial lawyers will ensure your legal documentation is robust, practical and ISO 27001-ready.
Key Takeaways
To recap, here are the key points to keep in mind when preparing your legal documents for ISO 27001 compliance:
- ISO 27001 certification requires both technical controls and strong legal foundations to manage information security risks effectively.
- Legal documents help meet ISO 27001’s organisational requirements and demonstrate compliance with New Zealand’s Privacy Act 2020 and IPPs.
- A compliant Privacy Policy explains how your business collects, uses, stores and discloses personal information.
- A Cookie Policy should be published if your website uses cookies or trackers, to ensure transparency about data collection practices.
- Data Processing Agreements (DPAs) are essential when using third-party service providers, setting out their security and breach obligations.
- Confidentiality Agreements (NDAs), Data Retention Policies and Breach Notification Procedures are critical for protecting information and managing incidents.
- Sprintlaw can draft, review and update these legal documents to support your ISO 27001 certification journey and ensure your ISMS is fully compliant.
If you would like a consultation on the legal documents required for ISO 27001 compliance, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.