In this ultimate guide to implementing ISO 27001 Annex A 5.36 Compliance with Policies, Rules and Standards, you will learn directly from an ISO 27001 Lead Auditor:
- The requirement of the control
- The required implementation steps
- The minimum requirement
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Define Managerial Responsibilities
- 2. Map Policies to Specific Roles
- 3. Execute Monthly ‘Spot Checks’
- 4. Automate Technical Standard Enforcement
- 5. Monitor Exception Requests
- 6. Enforce Consequence Management
- 7. Validate Training Effectiveness
- 8. Report Non-Compliance Upwards
- 9. Review Policy Feasibility
- 10. Conduct Cross-Departmental Peer Reviews
- ISO 27001 Annex A 5.36 SaaS / GRC Platform Implementation Failure Checklist
ISO 27001 Annex A 5.36 is a governance control requiring that managers actively verify their teams’ adherence to security policies through regular spot checks and technical enforcement. The business benefit of the control is that operational reality is checked against documented procedures, closing the gap between policy intent and actual behaviour.
ISO 27001 Annex A 5.36 Compliance with Policies, Rules and Standards Implementation Checklist
Use this implementation checklist to achieve compliance with ISO 27001 Annex A 5.36. This control places the burden of compliance squarely on managers, requiring them to regularly verify that their teams are actually adhering to information security procedures in daily operations, rather than assuming that signed policy documents equate to real-world security.
1. Define Managerial Responsibilities
Control Requirement: Managers must regularly review the information security compliance of their area of responsibility.
Required Implementation Step: Update all management Job Descriptions (JDs) to explicitly include “Information Security Compliance Verification” as a core KPI. Managers cannot outsource this to the Security Team; they must personally verify that their staff (e.g., developers, HR admins) are following the specific protocols relevant to their function.
Minimum Requirement: Signed Job Descriptions for all Heads of Department acknowledging their accountability for their team’s security compliance.
2. Map Policies to Specific Roles
Control Requirement: Ensure personnel know which specific rules apply to their function.
Required Implementation Step: Create a “Compliance Matrix” that maps internal policies to specific roles. For example, the “Secure Coding Standard” applies to Developers but not Sales; the “Clear Desk Policy” applies to office staff. Distribute these role-specific mandates so managers know exactly what to check.
Minimum Requirement: A matrix document linking every job role to a specific subset of the ISMS policies.
3. Execute Monthly ‘Spot Checks’
Control Requirement: Regularly review compliance with information security policies, rules and standards within the area of responsibility.
Required Implementation Step: Mandate that managers perform random, physical or digital spot checks. For an Engineering Lead, this means randomly selecting a merged Pull Request and confirming that it received an approval from a reviewer other than the author before it was merged. For an Office Manager, this means walking the floor at 17:30 to check for unlocked screens and sensitive papers left out.
Minimum Requirement: A monthly log from each department head recording the date, what was sampled and the outcome of their random compliance spot check.
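The digital spot check described for the Engineering Lead can be made repeatable rather than eyeballed. The script below is an added example, not a template from the article or its toolkit: it samples merged pull requests, checks for each that a reviewer other than the author had an approval standing at the moment of merge (a self-approval, an approval that arrived after the merge, or an approval later superseded by a changes-requested review all fail), and produces the entries a manager would paste into the monthly log. The pull request records and their field names are constructed inline and are an assumption; in practice they would be exported from the version control system.

```python
"""Spot-check evidence for peer review on merged pull requests.

Added example (not from the article or its toolkit). It samples merged PRs
and, for each, checks that an approval from someone other than the author
was standing at the time of merge, then produces the entries for the monthly
spot-check log. The PR records below are constructed inline in an assumed
shape; in practice they would be exported from the VCS.
"""
import random
from datetime import datetime, timezone

# Constructed sample records (assumed shape, not a real API response).
PULL_REQUESTS = [
    {"number": 101, "author": "alice", "merged_at": "2024-03-04T10:00:00Z",
     "reviews": [{"user": "bob", "state": "APPROVED", "submitted_at": "2024-03-04T09:30:00Z"}]},
    # Author approved their own PR: no independent review.
    {"number": 102, "author": "bob", "merged_at": "2024-03-05T15:00:00Z",
     "reviews": [{"user": "bob", "state": "APPROVED", "submitted_at": "2024-03-05T14:50:00Z"}]},
    # Merged with no review at all.
    {"number": 103, "author": "carol", "merged_at": "2024-03-06T12:00:00Z", "reviews": []},
    # Approval arrived five minutes after the merge: it did not gate the merge.
    {"number": 104, "author": "dave", "merged_at": "2024-03-07T09:00:00Z",
     "reviews": [{"user": "erin", "state": "APPROVED", "submitted_at": "2024-03-07T09:05:00Z"}]},
    # Changes requested, then approved by the same reviewer: compliant.
    {"number": 105, "author": "erin", "merged_at": "2024-03-08T11:00:00Z",
     "reviews": [{"user": "alice", "state": "CHANGES_REQUESTED", "submitted_at": "2024-03-08T10:00:00Z"},
                 {"user": "alice", "state": "APPROVED", "submitted_at": "2024-03-08T10:45:00Z"}]},
    # Approved, then the approval was superseded by a changes-requested review.
    {"number": 106, "author": "frank", "merged_at": "2024-03-09T09:00:00Z",
     "reviews": [{"user": "grace", "state": "APPROVED", "submitted_at": "2024-03-09T08:00:00Z"},
                 {"user": "grace", "state": "CHANGES_REQUESTED", "submitted_at": "2024-03-09T08:30:00Z"}]},
]


def _ts(value):
    """Parse the UTC timestamp format used in the records above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_peer_review(pr):
    """Return (compliant, reason) for one merged PR.

    Compliant means: at the moment of merge, at least one reviewer other than
    the author had APPROVED as their most recent review.
    """
    if not pr["reviews"]:
        return False, "no review recorded"
    merged = _ts(pr["merged_at"])
    pre_merge = [r for r in pr["reviews"] if _ts(r["submitted_at"]) <= merged]
    if not pre_merge:
        return False, "review recorded only after merge"
    # Keep each reviewer's latest pre-merge verdict; a later CHANGES_REQUESTED
    # supersedes an earlier APPROVED from the same reviewer.
    latest = {}
    for review in sorted(pre_merge, key=lambda r: _ts(r["submitted_at"])):
        latest[review["user"]] = review["state"]
    approvers = sorted(u for u, s in latest.items() if s == "APPROVED" and u != pr["author"])
    if approvers:
        return True, "approved before merge by " + ", ".join(approvers)
    if latest.get(pr["author"]) == "APPROVED":
        return False, "self-approval only"
    return False, "no standing approval from an independent reviewer"


def spot_check(prs, sample_size, seed=None):
    """Randomly sample merged PRs and return one log entry per sampled PR."""
    rng = random.Random(seed)  # a seed only makes the sample reproducible for the record
    entries = []
    for pr in rng.sample(prs, min(sample_size, len(prs))):
        ok, reason = check_peer_review(pr)
        entries.append({"pr": pr["number"], "author": pr["author"], "compliant": ok, "reason": reason})
    return entries


def summarize(entries):
    """Roll the entries up into the figures the monthly log records."""
    failures = [e for e in entries if not e["compliant"]]
    return {"checked": len(entries), "non_compliant": len(failures),
            "outcome": "PASS" if not failures else "FAIL"}


if __name__ == "__main__":
    log = spot_check(PULL_REQUESTS, sample_size=3, seed=20240331)
    for entry in log:
        print(entry)
    print(summarize(log))
```

Run it at the end of the month against that month's merged pull requests and file the printed entries with the date alongside the department's spot-check log. Keeping the seed with the log lets an auditor reproduce which pull requests were sampled; the check itself is deliberately stricter than "a review exists", because an approval recorded after the merge, or one the same reviewer later withdrew, is evidence that the peer review process was bypassed, not that it was followed.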

