E012—Document regulatory compliance
Control Description
Document applicable AI laws and standards, required data protections, and strategies for compliance
Application: Mandatory
Frequency: Every 6 months
Capabilities: Universal
Controls & Evidence (1)
Legal Policies
E012.1
Documentation: Regulatory compliance reviews (Core). This should include:
- Identifying relevant regulations, for example data protection laws such as GDPR and CCPA, sector-specific requirements, and emerging AI standards such as the EU AI Act.
- Documenting compliance procedures and strategies appropriate for the company's size and operations.
- Reviewing the repository every 6 months and whenever additional requirements may be triggered, for example when regulations change or business operations expand into new jurisdictions.
Typical evidence: Compliance register, assessment memo or review tickets (e.g. in Notion), or a policy listing applicable regulations with compliance strategies. The evidence should include review dates or version history showing the periodic updates.
Location: Internal processes
Cross-Framework Mappings
NIST AI RMF