ISO 27001 Annex A 5.36 is a mandatory governance control requiring that managers actively verify their teams’ adherence to security policies through regular spot checks and technical enforcement. Its business benefit is ensuring that operational reality matches documented procedures, closing the gap between policy intent and actual behaviour.
ISO 27001 Annex A Compliance with Policies, Rules and Standards Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.36. This control places the burden of compliance squarely on managers, requiring them to regularly verify that their teams are actually adhering to information security procedures in daily operations, rather than assuming that signed policy documents equate to real-world security.
1. Define Managerial Responsibilities
Control Requirement: Managers must regularly review the information security compliance of their area of responsibility. Required Implementation Step: Update all management Job Descriptions (JDs) to explicitly include “Information Security Compliance Verification” as a core KPI. Managers cannot outsource this to the Security Team; they must personally verify that their staff (e.g., developers, HR admins) are following the specific protocols relevant to their function.
Minimum Requirement: Signed Job Descriptions for all Heads of Department acknowledging their liability for their team’s security compliance.
2. Map Policies to Specific Roles
Control Requirement: Ensure personnel know which specific rules apply to their function. Required Implementation Step: Create a “Compliance Matrix” that maps internal policies to specific roles. For example, the “Secure Coding Standard” applies to Developers but not Sales; the “Clear Desk Policy” applies to office staff. Distribute these role-specific mandates so managers know exactly what to check.
Minimum Requirement: A matrix document linking every job role to a specific subset of the ISMS policies.
3. Execute Monthly ‘Spot Checks’
Control Requirement: Regularly review compliance with information security policies and procedures. Required Implementation Step: Mandate that managers perform random physical or digital spot checks. For an Engineering Lead, this means randomly reviewing a Pull Request to ensure the peer review process was followed. For an Office Manager, this means walking the floor at 17:30 to check for unlocked screens and sensitive papers.
Minimum Requirement: A monthly log from each department head recording the date and outcome of their random compliance spot check.
4. Automate Technical Standard Enforcement
Control Requirement: Ensure technical standards are applied consistently. Required Implementation Step: Do not rely on humans to remember configuration rules. Implement “Policy as Code” (e.g., OPA, Terraform Sentinel) to block non-compliant infrastructure deployments. If a standard says “No Public S3 Buckets”, the CI/CD pipeline must reject any change that violates it, enforcing compliance before deployment rather than detecting it afterwards.
Minimum Requirement: CI/CD pipelines configured to fail builds that violate defined security standards.
5. Monitor Exception Requests
Control Requirement: Manage deviations from established procedures. Required Implementation Step: Implement a formal waiver process where non-compliance is authorised only for a specific time and reason. Managers must review active waivers monthly. If a team consistently relies on waivers to do their job, the policy is broken and must be reviewed.
Minimum Requirement: A central register of all active policy exceptions, reviewed and re-approved quarterly.
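The following is an added example, not code from the page’s author or from any GRC product, showing how steps 4 and 5 fit together in a pipeline: a Python policy gate (a stand-in for an OPA/Rego or Sentinel policy run over the same input) reads a Terraform plan, flags every S3 bucket that lacks a full public-access block, and fails the build unless the bucket is covered by an approved, unexpired waiver from the exception register. The plan JSON, the waiver entries and the policy identifier `SEC-STD-07` are constructed for the example; the `planned_values` layout of `terraform show -json` output, the `aws_s3_bucket` and `aws_s3_bucket_public_access_block` resource types and their four boolean attributes are the real Terraform and AWS-provider names.

```python
"""Added example: CI/CD gate enforcing "No Public S3 Buckets" with time-bound waivers."""
import json
import sys
from datetime import date

POLICY_ID = "SEC-STD-07"  # hypothetical identifier for the "No Public S3 Buckets" standard

# All four attributes must be true for a bucket to count as protected.
PUBLIC_ACCESS_FLAGS = ("block_public_acls", "block_public_policy",
                       "ignore_public_acls", "restrict_public_buckets")

# Constructed sample: a trimmed-down `terraform show -json plan.out` document.
# corp-logs is protected, corp-website and corp-scratch have incomplete or
# missing blocks, corp-backups has no public access block resource at all.
SAMPLE_PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.logs",
     "values": {"bucket": "corp-logs"}},
    {"type": "aws_s3_bucket_public_access_block", "address": "aws_s3_bucket_public_access_block.logs",
     "values": {"bucket": "corp-logs", "block_public_acls": True, "block_public_policy": True,
                "ignore_public_acls": True, "restrict_public_buckets": True}},
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.website",
     "values": {"bucket": "corp-website"}},
    {"type": "aws_s3_bucket_public_access_block", "address": "aws_s3_bucket_public_access_block.website",
     "values": {"bucket": "corp-website", "block_public_acls": False, "block_public_policy": False,
                "ignore_public_acls": False, "restrict_public_buckets": False}},
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.scratch",
     "values": {"bucket": "corp-scratch"}},
    {"type": "aws_s3_bucket", "address": "aws_s3_bucket.backups",
     "values": {"bucket": "corp-backups"}},
]}}})

# Constructed sample of the central exception register from step 5.
# Every waiver names the policy, the resource, an approver, a reason and an expiry.
SAMPLE_WAIVERS = [
    {"policy": POLICY_ID, "resource": "corp-website", "approved_by": "CISO",
     "reason": "public marketing site", "expires": "2025-06-30"},
    {"policy": POLICY_ID, "resource": "corp-scratch", "approved_by": "CISO",
     "reason": "data migration", "expires": "2024-01-31"},
]


def public_buckets(plan_json):
    """Return bucket names in the plan that are not fully protected by a public access block."""
    resources = json.loads(plan_json)["planned_values"]["root_module"]["resources"]
    buckets = {r["values"]["bucket"] for r in resources if r["type"] == "aws_s3_bucket"}
    protected = {
        r["values"]["bucket"] for r in resources
        if r["type"] == "aws_s3_bucket_public_access_block"
        and all(r["values"].get(flag) is True for flag in PUBLIC_ACCESS_FLAGS)
    }
    return sorted(buckets - protected)


def split_waivers(register, today_iso):
    """Partition the register's waivers for this policy into active and expired, keyed by resource."""
    today = date.fromisoformat(today_iso)
    active, expired = {}, {}
    for waiver in register:
        if waiver["policy"] != POLICY_ID:
            continue
        target = active if date.fromisoformat(waiver["expires"]) >= today else expired
        target[waiver["resource"]] = waiver
    return active, expired


def evaluate(plan_json, register, today_iso):
    """Classify each unprotected bucket as blocked, waived, or covered only by an expired waiver."""
    active, expired = split_waivers(register, today_iso)
    result = {"blocked": [], "waived": [], "expired_waiver": []}
    for bucket in public_buckets(plan_json):
        if bucket in active:
            result["waived"].append(bucket)
        elif bucket in expired:
            result["expired_waiver"].append(bucket)  # a lapsed exception is a finding, not a pass
        else:
            result["blocked"].append(bucket)
    return result


def gate_passes(plan_json, register, today_iso):
    """The pipeline may deploy only when nothing is blocked and no waiver has silently lapsed."""
    result = evaluate(plan_json, register, today_iso)
    return not result["blocked"] and not result["expired_waiver"]


if __name__ == "__main__":
    today = date.today().isoformat()
    print(json.dumps(evaluate(SAMPLE_PLAN_JSON, SAMPLE_WAIVERS, today), indent=2))
    sys.exit(0 if gate_passes(SAMPLE_PLAN_JSON, SAMPLE_WAIVERS, today) else 1)
```

Run in the pipeline after `terraform plan`, the non-zero exit code is what makes the build fail; the printed classification is the written evidence step 3 and step 5 ask for, and the `expired_waiver` bucket is the “permanent temporary exception” the failure table below warns about, surfaced automatically instead of hiding in a risk register.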
6. Enforce Consequence Management
Control Requirement: Take action when non-compliance is identified. Required Implementation Step: Link the Disciplinary Policy directly to security violations. If a manager finds a staff member repeatedly bypassing MFA or sharing passwords, formal HR disciplinary proceedings must be triggered. Security rules without sanctions are merely suggestions.
Minimum Requirement: Evidence of disciplinary action taken (redacted) or retraining orders issued following security breaches.
7. Validate Training Effectiveness
Control Requirement: Ensure personnel understand the rules they are complying with. Required Implementation Step: Stop using “click-next” eLearning modules. Conduct practical phishing simulations and social engineering calls. Managers must debrief staff who fail these tests. Compliance is proven by behaviour during a test, not by a certificate.
Minimum Requirement: Reports showing remedial training actions for staff who failed practical security tests.
8. Report Non-Compliance Upwards
Control Requirement: Report results of reviews to proper management levels. Required Implementation Step: Department heads must submit a “Security Health” report to the Risk Committee quarterly. This must list technical debt, unpatched systems, and policy violations. “Green status” reporting should be challenged with evidence.
Minimum Requirement: Quarterly minutes from the Risk Committee reviewing departmental non-compliance statistics.
9. Review Policy Feasibility
Control Requirement: Ensure standards are practical and achievable. Required Implementation Step: If a specific policy has a 50% non-compliance rate (e.g., password complexity that is too high), the CISO must review the policy itself. Managers must provide feedback on whether security rules are obstructing business operations, leading to “Shadow IT” workarounds.
Minimum Requirement: Feedback logs from managers used as input for the annual ISMS policy review.
10. Conduct Cross-Departmental Peer Reviews
Control Requirement: Enhance objectivity in compliance checking. Required Implementation Step: Have managers from different departments audit each other. For example, the Head of Sales checks the Marketing department’s clean desk compliance. This removes the “blind eye” bias where managers ignore their own team’s minor infractions.
Minimum Requirement: A schedule of cross-departmental compliance reviews executed annually.
ISO 27001 Annex A 5.36 SaaS / GRC Platform Implementation Failure Checklist
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Managerial Review | Managers clicking “I confirm my team is compliant” on a quarterly email. | Without evidence (logs, screenshots), this attestation is worthless. Managers often lie to avoid friction. |
| Policy Acknowledgement | 100% of staff signed the policy in the GRC portal. | Signing isn’t reading. Compliance is verified by watching actions, not collecting digital signatures. |
| Automated Enforcement | Uploading a PDF of the “Password Policy” to the portal. | A PDF cannot enforce complexity. Only Active Directory or Okta configuration settings actually enforce compliance. |
| Spot Checks | A recurring calendar invite that gets ignored. | If there is no written output (a finding, a pass note) from the spot check, it didn’t happen. |
| Exception Handling | Allowing permanent “temporary” exceptions in the risk register. | An exception that lasts 3 years is a policy failure. GRC tools often hide these in the “Risk Accepted” bucket forever. |
| Disciplinary Action | Zero records of security-related warnings. | Statistically impossible. If you have 100 staff and 0 disciplinary issues, your monitoring is broken, not your staff. |
| Policy Relevance | Using generic template policies provided by the GRC vendor. | Templates often reference technologies you don’t use or procedures you can’t follow, guaranteeing non-compliance. |