ISO 27001:2022 Annex A 5.35 (Independent review of information security) requires that the organisation's approach to managing information security, and its implementation, be reviewed independently at planned intervals and whenever significant changes occur. Auditing this control means objectively verifying that those reviews actually happen, that they are impartial, and that they are technically grounded rather than purely document-based. The primary implementation requirement is a scheduled, independent review of controls; the business benefit is transparent risk reporting to top management and verified adherence to the standard.
Table of contents
- 1. Independent Review Schedule Formalisation Verified
- 2. Reviewer Objectivity and Independence Confirmed
- 3. Review Methodology and Criteria Standards Validated
- 4. Technical Security Testing Integration Verified
- 5. Management Reporting and Transparency Confirmed
- 6. Corrective Action Tracking Integrity Verified
- 7. Remediation Evidence and Closure Validation Confirmed
- 8. Professional Competence of Reviewers Validated
- 9. Continuous Improvement Loop Evidence Identified
- 10. Scope and Boundary Alignment Verified
1. Independent Review Schedule Formalisation Verified
Verification Criteria: A documented audit or review programme exists, specifying the frequency and scope of independent assessments for the ISMS and its technical controls.
Required Evidence: Approved Annual Audit Plan or Compliance Review Schedule with version history and management sign-off.
Pass/Fail Test: If the organisation lacks a planned schedule for independent reviews or relies solely on ad-hoc assessments, mark as Non-Compliant.
2. Reviewer Objectivity and Independence Confirmed
Verification Criteria: Personnel conducting the reviews are independent of the area being audited to ensure objectivity and avoid conflicts of interest.
Required Evidence: Auditor appointment records or external service contracts; verification that the internal auditor does not manage the controls they are testing.
Pass/Fail Test: If the IT Manager is found to be the sole person auditing the technical security configurations they implemented, mark as Non-Compliant.
3. Review Methodology and Criteria Standards Validated
Verification Criteria: The independent review is performed against a defined set of criteria (e.g. ISO 27001:2022 clauses) using a repeatable methodology.
Required Evidence: Internal Audit Procedure or Assessment Framework document detailing the sampling methods and evidence-gathering techniques.
Pass/Fail Test: If the review report lacks a defined set of audit criteria or fails to explain how conclusions were reached, mark as Non-Compliant.
4. Technical Security Testing Integration Verified
Verification Criteria: The independent review includes or references technical validation, such as penetration testing or vulnerability assessments, to verify control effectiveness.
Required Evidence: Recent Penetration Test reports or Vulnerability Scan results produced by a party independent of the team that implemented and operates the controls (an internal security testing function or an external third party), with scope and dates that fall within the review period.
Pass/Fail Test: If the “Independent Review” is purely document-based and fails to verify that technical configurations are active and effective, mark as Non-Compliant.
5. Management Reporting and Transparency Confirmed
Verification Criteria: Results of the independent review, including identified non-conformities and risks, are formally reported to top management.
Required Evidence: Final Internal Audit Report or Executive Summary presented at a Management Review Meeting (MRM).
Pass/Fail Test: If audit findings are suppressed or only reported to mid-level management without reaching the designated ISMS owner, mark as Non-Compliant.
6. Corrective Action Tracking Integrity Verified
Verification Criteria: All non-conformities identified during the independent review are recorded in a tracked log with assigned owners and realistic remediation dates.
Required Evidence: Non-Conformity Report (NCR) log or a CAPA (Corrective and Preventive Action) tracker showing current status.
Pass/Fail Test: If the organisation cannot produce a list of open findings from the last independent review and their respective remediation status, mark as Non-Compliant.
7. Remediation Evidence and Closure Validation Confirmed
Verification Criteria: Evidence of remediation for previously identified findings is reviewed and validated by the independent reviewer before the finding is closed.
Required Evidence: Re-test logs, configuration screenshots, or “Follow-up Audit” reports confirming that the root cause was addressed.
Pass/Fail Test: If findings are marked as “Closed” in the tracker based on a verbal update without technical evidence of the fix, mark as Non-Compliant.
8. Professional Competence of Reviewers Validated
Verification Criteria: Personnel or third-party firms conducting the review possess the necessary certifications and technical expertise relevant to the scope.
Required Evidence: Training certificates (e.g. CISA, ISO 27001 Lead Auditor) or corporate capability statements for external consultancy firms.
Pass/Fail Test: If the review was conducted by personnel without formal audit training or a basic understanding of the ISO 27001 standard, mark as Non-Compliant.
9. Continuous Improvement Loop Evidence Identified
Verification Criteria: The outcomes of independent reviews are used to adjust the ISMS, policy frameworks, or technical standards to prevent recurrence of issues.
Required Evidence: Updated Policies or Technical Standards with changelogs citing “Internal Audit Finding” as the driver for the update.
Pass/Fail Test: If the same non-conformities appear across multiple audit cycles without any change to the underlying process, mark as Non-Compliant.
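The pass/fail tests in items 2, 6, 7 and 9 can be run mechanically against an exported non-conformity or CAPA tracker before the auditor sits down with the evidence. The script below is an added example, not part of this page or of any GRC product: it takes a constructed sample tracker (the finding references, owners, root-cause tags and audit-cycle labels are all made up) and flags findings that lack an owner or remediation date, open findings past their due date, findings marked Closed without evidence or without a validator, findings closed by their own owner, and root causes that recur across audit cycles.

```python
"""Integrity checks over a non-conformity / CAPA tracker (added example).

Each check mirrors a pass/fail test from the audit checklist:
  - no owner or remediation date         -> item 6 (tracking integrity)
  - open and overdue                     -> item 6 (realistic remediation dates)
  - closed without evidence / validator  -> item 7 (closure validation)
  - closed by its own owner              -> items 2 and 7 (independence)
  - same root cause in several cycles    -> item 9 (continuous improvement)
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    ref: str                      # tracker reference, e.g. "NC-01" (constructed)
    cycle: str                    # audit cycle label, e.g. "2023-IA" (constructed)
    root_cause: str               # normalised root-cause tag from the RCA
    owner: str                    # person accountable for remediation
    due: Optional[date]           # agreed remediation date
    status: str                   # "Open" or "Closed"
    validated_by: Optional[str] = None       # who confirmed the fix
    evidence: List[str] = field(default_factory=list)  # re-test logs, screenshots


def check_tracker(findings: List[Finding], today: date) -> List[Tuple[str, str]]:
    """Return (finding ref, problem) pairs for every tracker-integrity failure."""
    issues: List[Tuple[str, str]] = []
    for f in findings:
        if not f.owner or f.due is None:
            issues.append((f.ref, "no owner or remediation date"))
        if f.status == "Open" and f.due is not None and f.due < today:
            issues.append((f.ref, "open and overdue"))
        if f.status == "Closed":
            if not f.evidence:
                issues.append((f.ref, "closed without evidence"))
            if not f.validated_by:
                issues.append((f.ref, "closed without independent validation"))
            elif f.validated_by == f.owner:
                # The owner marking their own fix as validated is not independent.
                issues.append((f.ref, "closed by its own owner"))
    return issues


def recurring_root_causes(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each root cause seen in more than one audit cycle to those cycles."""
    cycles_by_cause: Dict[str, set] = {}
    for f in findings:
        cycles_by_cause.setdefault(f.root_cause, set()).add(f.cycle)
    return {cause: sorted(cycles)
            for cause, cycles in cycles_by_cause.items() if len(cycles) > 1}


# Constructed sample tracker: names, refs and dates are illustrative only.
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("NC-01", "2023-IA", "mfa-not-enforced", "it.manager", date(2023, 9, 30),
            "Closed", validated_by="internal.audit",
            evidence=["ca-policy-export.json", "retest-2023-10-02.log"]),
    Finding("NC-02", "2023-IA", "patching-sla-missed", "it.manager", date(2023, 10, 31),
            "Closed", validated_by="it.manager", evidence=["ticket-1234"]),
    Finding("NC-03", "2024-IA", "patching-sla-missed", "it.manager", date(2024, 10, 31),
            "Open"),
    Finding("NC-04", "2024-IA", "backup-restore-untested", "ops.lead", date(2024, 3, 31),
            "Open"),
    Finding("NC-05", "2024-IA", "logging-gap", "", None, "Closed"),
]


if __name__ == "__main__":
    for ref, problem in check_tracker(SAMPLE_FINDINGS, TODAY):
        print(f"{ref}: {problem}")
    for cause, cycles in recurring_root_causes(SAMPLE_FINDINGS).items():
        print(f"recurring root cause '{cause}' in cycles {', '.join(cycles)}")
```

Run against the sample tracker, the script flags NC-02 (closed by the person who owns it), NC-04 (open and past its date), NC-05 (no owner, no date, closed with neither evidence nor a validator) and the "patching-sla-missed" root cause that reappears in 2024 after being "fixed" in 2023. Each flagged line is a candidate Non-Compliant mark for the corresponding checklist item; the script does not judge the quality of the evidence itself, which remains the reviewer's job.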
10. Scope and Boundary Alignment Verified
Verification Criteria: The independent review covers the entire defined scope of the ISMS, including all relevant technical assets and physical locations.
Required Evidence: The "Scope" section of the audit report cross-referenced against the organisation's documented ISMS scope statement (clause 4.3) and its official Statement of Applicability (SoA), so that every in-scope location, system and applicable control is covered by at least one review.
Pass/Fail Test: If the independent review intentionally excluded high-risk areas of the business (e.g. offshore development sites) without justification, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Independent Review | GRC tool identifies that a “Self-Assessment” was completed by the CISO. | A self-assessment is not independent. Auditor must verify that a third party or separate department conducted the test. |
| Audit Scope | Tool records “ISO 27001 Audit” as complete. | Verify the SoA coverage. GRC tools often audit only the cloud tenant, ignoring physical security and local networking. |
| Competence | Platform marks “Reviewer” as a valid user role. | Check the reviewer’s CV or Lead Auditor certificate. The tool cannot judge if the person actually knows how to audit. |
| Technical Depth | GRC tool pulls in a list of “Policy Documents.” | The auditor must verify technical settings. Independent review must check if the policy matches the firewall reality. |
| Remediation | Tool logs a task as “Done” by the IT team. | Verify the Validation. An independent reviewer must sign off on the fix; IT cannot mark their own homework as finished. |
| RCA Integration | Platform provides a “Notes” section for findings. | Demand a Root Cause Analysis (RCA). If the tool doesn’t force an RCA, the organisation will just fix the symptom. |
| Reporting | Tool sends an automated “Status Report” to the CEO. | Verify the Management Review minutes. CEO awareness in a dashboard is not the same as a formalised review of non-conformities. |
