A legal compliance register is not optional if your organisation holds or is pursuing certification to ISO 14001 or ISO 45001: both standards require you to determine your legal and other requirements and keep documented information on them. ISO 9001 is less prescriptive, but it still requires you to determine the statutory and regulatory requirements applicable to your products and services, and a register is the evidence auditors expect to see. Missing or outdated registers are one of the most common sources of non-conformances in certification audits globally.
Yet despite being mandatory, legal compliance registers are frequently maintained poorly: out of date, incomplete, or missing entirely. Auditors find this regularly, and the result is non-conformances that were entirely avoidable.
This guide gives you 7 powerful steps to build a legal compliance register that works for your organisation — and one that auditors will not find fault with.
⚠️ Key requirement: ISO 14001 Clause 6.1.3 (Compliance obligations) and ISO 45001 Clause 6.1.3 (Determination of legal requirements and other requirements) require organisations to determine, have access to, and keep up to date the legal and other requirements applicable to their operations, and Clause 9.1.2 of both standards requires you to evaluate compliance with them. ISO 9001:2015 has no Clause 6.1.3; its legal requirements are spread across Clause 4.2 (interested parties), Clause 8.2.2 (requirements for products and services) and Clause 8.2.3 (review of those requirements). A failure to maintain an adequate legal register is one of the most common non-conformances raised during ISO certification audits.
WHAT IS A LEGAL COMPLIANCE REGISTER?
A legal compliance register — also called a legal register, compliance obligations register, or regulatory register — is a documented record of all laws, regulations, codes of practice, and other requirements that apply to your organisation’s operations and management system.
It is not just a list of legislation. A powerful legal compliance register records:
✅ The specific legal requirement and its source
✅ How it applies to your organisation
✅ Your current compliance status
✅ Who is responsible for maintaining compliance
✅ When it was last reviewed
✅ What actions are required if you are not fully compliant
The legal compliance register is reviewed by auditors across ISO 9001 (quality), ISO 14001 (environment), and ISO 45001 (health and safety) — and increasingly forms part of ESG reporting frameworks as well.
WHY LEGAL COMPLIANCE REGISTERS FAIL AUDITS
Before walking through the 7 steps, it is worth understanding why legal compliance registers fail audits so commonly:
❌ They are created once for certification and never updated — legislation changes and the register does not
❌ They list legislation but not how it applies to your specific operations
❌ There is no review schedule — nobody is responsible for keeping it current
❌ Compliance status is not assessed — the register exists but nobody knows if you are actually compliant
❌ They cover one standard but not others — environmental register exists, OH&S register does not
7 POWERFUL STEPS TO BUILD A LEGAL COMPLIANCE REGISTER THAT SATISFIES AUDITORS
STEP 1 — IDENTIFY THE SCOPE OF YOUR LEGAL COMPLIANCE REGISTER
The first step is defining which standards and management systems your legal compliance register needs to cover.
Most organisations operating ISO management systems need a register that covers:
→ Environmental legislation — waste management, water discharge, air emissions, chemical controls
→ Health and safety legislation — duty of care, workplace safety regulations, reporting obligations
→ Quality and product legislation — consumer protection, product standards, labelling requirements
→ Employment legislation — working hours, contracts, discrimination law, modern slavery
→ Data protection — GDPR where you process the personal data of people in the EU or UK, plus the national data-protection law of each country you operate in
A single integrated legal register covering all disciplines is more efficient than separate registers for each standard — and auditors prefer to see an integrated approach.
STEP 2 — IDENTIFY ALL APPLICABLE LEGAL REQUIREMENTS
This requires a systematic search across all the legal categories relevant to your operations. Consider:
✅ National legislation — laws enacted in the country or countries where you operate
✅ Regional and local regulations — requirements specific to your region, state, or municipality
✅ Industry-specific regulations — sector regulations applicable to your product or process
✅ International conventions — particularly relevant for global supply chains
✅ Voluntary codes and industry standards — codes of practice your organisation subscribes to
✅ Customer and contractual requirements — legal obligations flowing from contracts
For GCC-based organisations, this includes UAE Federal Laws, Emirate-level regulations (OSHAD-SF in Abu Dhabi, Dubai Municipality requirements, and so on), and GCC-level standards where applicable.
STEP 3 — ASSESS HOW EACH REQUIREMENT APPLIES TO YOUR ORGANISATION
This is the step most organisations skip — and the one auditors focus on most.
Listing a piece of legislation is not enough. Your legal compliance register must explain how each requirement applies to your specific operations. A vague entry that simply lists “Health and Safety at Work Act” without explaining which clauses apply, what they require from your organisation specifically, and how you are meeting them — is not compliant.
For each legal requirement, document:
→ Which operations, products, or activities it applies to
→ Specific obligations it places on your organisation
→ The controls and procedures you have in place to meet it
STEP 4 — ASSESS YOUR COMPLIANCE STATUS
This is the core function of the legal compliance register: evaluating whether you are actually compliant with each requirement. ISO 14001 and ISO 45001 make this a separate requirement (Clause 9.1.2, Evaluation of compliance), so an auditor will expect to see both the assessment and the evidence behind it, not just a status label.
For each legal requirement, your register must show one of the following statuses:
✅ Fully Compliant — you have evidence that all requirements are met
⚠️ Partially Compliant — some requirements are met but gaps exist with an action plan
❌ Non-Compliant — a requirement is not being met and urgent action is required
N/A — the requirement has been assessed as not applicable to your operations
If gaps are identified — raise a corrective action immediately. Do not allow the register to show non-compliance without a corresponding CAPA.
STEP 5 — ASSIGN RESPONSIBILITY AND REVIEW FREQUENCY
Your legal compliance register must have a named responsible person for each requirement — not a department or “management.” One named individual.
Review frequency must be defined:
→ Annual minimum for all requirements
→ Quarterly review for rapidly changing areas such as data protection and employment law
→ Immediate review whenever legislation changes or a new requirement is introduced
→ Review after any regulatory inspection, enforcement notice, or related incident
STEP 6 — ESTABLISH A MONITORING AND UPDATE PROCESS
The most powerful legal compliance registers are living documents — actively monitored and updated as legislation changes.
Set up at least these two processes:
→ Legislative monitoring — subscribe to regulatory updates from your national HSE authority, environmental agency, and sector bodies. In the UAE, this includes MOHRE, OSHAD, and local municipality updates.
→ Change notification — define how the organisation is notified when relevant legislation changes, and how quickly the register must be updated.
Document your monitoring process. Auditors will ask: how do you know when legislation changes?
STEP 7 — REVIEW AT MANAGEMENT REVIEW AND IN INTERNAL AUDIT
Your legal compliance register must be reviewed formally at management review and included in your internal audit programme.
At management review: present a summary of compliance status across all requirements — any non-compliances, changes to legislation, and actions taken.
In internal audit: at least one internal audit per year should specifically review the legal compliance register — checking that it is current, complete, that compliance status is evidenced, and that responsible persons are actively maintaining it.
This creates the audit trail that demonstrates to external auditors that your legal register is genuinely managed — not just a document created for certification and forgotten.
LEGAL COMPLIANCE REGISTER REQUIREMENTS BY STANDARD
ISO 14001 — Clause 6.1.3 (Compliance obligations): determine and have access to the compliance obligations related to your environmental aspects, determine how they apply, and maintain documented information on them. Clause 9.1.2 requires periodic evaluation of compliance, and the results of that evaluation are an input to management review (Clause 9.3).
ISO 45001:2018 — Clause 6.1.3 (Determination of legal requirements and other requirements): determine and have access to the legal and other requirements applicable to your OH&S hazards, risks and management system, keep the information up to date, and communicate it. Clause 9.1.2 requires evaluation of compliance, with results fed into management review.
ISO 9001:2015 — no dedicated legal-register clause. Statutory and regulatory requirements must be determined for products and services (Clause 8.2.2) and reviewed before you commit to supply (Clause 8.2.3), and relevant legal requirements of interested parties are captured under Clause 4.2. Auditors normally accept an integrated register as the evidence for these clauses.
COMMON LEGAL COMPLIANCE REGISTER AUDIT FAILURES
❌ FAILURE 1 — Register exists but has not been reviewed in over 12 months
Fix: Set a calendar reminder for annual review — update the review date in the register
❌ FAILURE 2 — Compliance status column is blank for all entries
Fix: Conduct a compliance assessment against each entry — assign a status and evidence reference
❌ FAILURE 3 — No responsible person assigned for each requirement
Fix: Name one person per requirement — this person is accountable for monitoring compliance
❌ FAILURE 4 — Register covers environment but not OH&S or quality
Fix: Consolidate all disciplines into one integrated legal register
❌ FAILURE 5 — No evidence of how the organisation monitors legislation changes
Fix: Document your monitoring process — subscriptions, memberships, government notifications
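The checks above, together with the Step 4 rule that no non-compliance may sit in the register without a CAPA, are easy to automate against a spreadsheet export. The script below is an added example, not the article's template or any standard's own tooling: it assumes a CSV export with the column names shown (ref, requirement, discipline, applies_to, status, owner, last_reviewed, capa_ref, evidence_ref), and the five entries are constructed sample rows, not real obligations. It flags each register entry for the failures an auditor would raise and produces the status summary Step 7 asks you to bring to management review.

```python
"""Validate a legal compliance register export against common audit findings.

Added example (not from the article); column names and sample rows are assumptions.
"""
import csv
import io
from collections import Counter
from datetime import date, timedelta

VALID_STATUS = {"Fully Compliant", "Partially Compliant", "Non-Compliant", "N/A"}
STATUS_WITH_GAP = {"Partially Compliant", "Non-Compliant"}
MAX_REVIEW_AGE = timedelta(days=365)          # annual minimum review (Step 5)
# Placeholders that are not a named individual (Step 5 / Failure 3)
NOT_A_PERSON = {"management", "hse", "qa", "qhse", "tbd", "tba", ""}

# Constructed sample export: hypothetical entries, not real legal obligations.
SAMPLE_CSV = """ref,requirement,discipline,applies_to,status,owner,last_reviewed,capa_ref,evidence_ref
LR-001,Waste manifest retention,Environmental,Site A stores,Fully Compliant,A. Khan,2025-11-02,,EV-017
LR-002,Hazardous waste disposal contractor licence,Environmental,,Non-Compliant,A. Khan,2025-11-02,,
LR-003,Annual OH&S statistics report,OH&S,All sites,Partially Compliant,Management,2024-03-15,CAPA-22,EV-031
LR-004,Labour contract format,Employment,HR,,S. Ali,2025-06-01,,
LR-005,Records of processing activities,Data protection,Customer database,N/A,S. Ali,2025-12-20,,
"""


def check_entry(row, today):
    """Return the list of audit findings for one register row (empty if clean)."""
    findings = []
    status = row["status"].strip()
    if not status:
        findings.append("compliance status is blank")              # Failure 2
    elif status not in VALID_STATUS:
        findings.append(f"unrecognised status '{status}'")

    if row["owner"].strip().lower() in NOT_A_PERSON:
        findings.append("no named responsible person")             # Failure 3

    try:
        last_reviewed = date.fromisoformat(row["last_reviewed"].strip())
        if today - last_reviewed > MAX_REVIEW_AGE:
            findings.append("not reviewed in over 12 months")      # Failure 1
    except ValueError:
        findings.append("last_reviewed missing or not an ISO date (YYYY-MM-DD)")

    if status in STATUS_WITH_GAP and not row["capa_ref"].strip():
        findings.append("gap recorded without a CAPA reference")   # Step 4 rule
    if status == "Fully Compliant" and not row["evidence_ref"].strip():
        findings.append("claims full compliance without evidence") # Step 4 / internal audit
    if not row["applies_to"].strip():
        findings.append("does not state how the requirement applies")  # Step 3
    return findings


def validate_register(csv_text, today=None):
    """Map each non-clean entry ref to its findings."""
    today = today or date.today()
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_entry(row, today)
        if findings:
            report[row["ref"].strip()] = findings
    return report


def disciplines_covered(csv_text):
    """Sorted list of disciplines present, to spot a register that covers only one (Failure 4)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted({r["discipline"].strip() for r in rows if r["discipline"].strip()})


def status_summary(csv_text):
    """Counts by status for the management review slide (Step 7)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return dict(Counter(r["status"].strip() or "(blank)" for r in rows))


if __name__ == "__main__":
    audit_date = date(2026, 1, 15)   # assumed date of the internal audit
    for ref, findings in validate_register(SAMPLE_CSV, audit_date).items():
        print(ref, "->", "; ".join(findings))
    print("Disciplines covered:", disciplines_covered(SAMPLE_CSV))
    print("Status summary:", status_summary(SAMPLE_CSV))
```

Run it against the real export before the internal audit in Step 7, fix every flagged row, and keep the output with the audit record. The date threshold and the placeholder-owner list are the two settings to adjust: tighten the threshold to 90 days for the quarterly-review categories in Step 5, and extend the placeholder list with whatever department names appear in your own register.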
THE BOTTOM LINE
A powerful legal compliance register is one of the most straightforward documents to get right — and one of the most damaging to get wrong. Auditors check it at every certification and surveillance audit. An out-of-date or incomplete register signals that your management system is not genuinely embedded.
Start with your ISO 14001 or ISO 45001 requirements. Build one integrated register. Assign responsibility. Set a review date. Assess your compliance status honestly. Those five actions alone will transform your legal register from a liability into a genuine asset.
👉 Download your free legal compliance register template at standardsunlimited.com/free
#LegalComplianceRegister #ISO14001 #ISO45001 #ISO9001 #Compliance #AuditReady #EHS #HSE #EnvironmentalManagement #RegulatoryCompliance #ISOAudit #LegalRegister