4. Technical Security Testing Integration Verified

The independent review includes or references technical validation, such as penetration testing or vulnerability assessments, to verify control effectiveness. Required Evidence: Recent Penetration Test reports or Vulnerability Scan results performed by an independent third party.

5. Management Reporting and Transparency Confirmed

Results of the independent review, including identified non-conformities and risks, are formally reported to top management. Required Evidence: Final Internal Audit Report or Executive Summary presented at a Management Review Meeting (MRM).

6. Corrective Action Tracking Integrity Verified

All non-conformities identified during the independent review are recorded in a tracked log with assigned owners and realistic remediation dates. Required Evidence: Non-Conformity Report (NCR) log or a CAPA (Corrective and Preventive Action) tracker showing current status.

7. Remediation Evidence and Closure Validation Confirmed

Evidence of remediation for previously identified findings is reviewed and validated by the independent reviewer before the finding is closed. Required Evidence: Re-test logs, configuration screenshots, or "Follow-up Audit" reports confirming that the root cause was addressed.

8. Professional Competence of Reviewers Validated

Personnel or third-party firms conducting the review possess the necessary certifications and technical expertise relevant to the scope. Required Evidence: Training certificates (e.g. CISA, ISO 27001 Lead Auditor) or corporate capability statements for external consultancy firms.

9. Continuous Improvement Loop Evidence Identified

The outcomes of independent reviews are used to adjust the ISMS, policy frameworks, or technical standards to prevent recurrence of issues. Required Evidence: Updated Policies or Technical Standards with changelogs citing "Internal Audit Finding" as the driver for the update.

10. Scope and Boundary Alignment Verified

The independent review covers the entire defined scope of the ISMS, including all relevant technical assets and physical locations. Required Evidence: The "Scope" section of the audit report cross-referenced against the organisation's official Statement of Applicability (SoA).

ISO 27001 Annex A 5.35 Audit Checklist [+ Templates]

In this ultimate how to audit guide to ISO 27001 Annex A 5.35 Independent Review of Information Security, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

1. Independent Review Schedule Formalisation Verified
2. Reviewer Objectivity and Independence Confirmed
3. Review Methodology and Criteria Standards Validated
4. Technical Security Testing Integration Verified
5. Management Reporting and Transparency Confirmed
6. Corrective Action Tracking Integrity Verified
7. Remediation Evidence and Closure Validation Confirmed
8. Professional Competence of Reviewers Validated
9. Continuous Improvement Loop Evidence Identified
10. Scope and Boundary Alignment Verified

1. Independent Review Schedule Formalisation Verified

Auditing ISO 27001 Annex A 5.35 is the objective verification of an organization’s security management through impartial and technical assessments. The Primary Implementation Requirement is a scheduled, independent review of controls, which yields the Business Benefit of transparent risk reporting and verified adherence to global security standards.

Verification Criteria: A documented audit or review programme exists, specifying the frequency and scope of independent assessments for the ISMS and its technical controls.

Required Evidence: Approved Annual Audit Plan or Compliance Review Schedule with version history and management sign-off.

Pass/Fail Test: If the organisation lacks a planned schedule for independent reviews or relies solely on ad-hoc assessments, mark as Non-Compliant.

2. Reviewer Objectivity and Independence Confirmed

Verification Criteria: Personnel conducting the reviews are independent of the area being audited to ensure objectivity and avoid conflicts of interest.

Required Evidence: Auditor appointment records or external service contracts; verification that the internal auditor does not manage the controls they are testing.

Pass/Fail Test: If the IT Manager is found to be the sole person auditing the technical security configurations they implemented, mark as Non-Compliant.

3. Review Methodology and Criteria Standards Validated

Verification Criteria: The independent review is performed against a defined set of criteria (e.g. ISO 27001:2022 clauses) using a repeatable methodology.

Required Evidence: Internal Audit Procedure or Assessment Framework document detailing the sampling methods and evidence-gathering techniques.

Pass/Fail Test: If the review report lacks a defined set of audit criteria or fails to explain how conclusions were reached, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

1. Independent Review Schedule Formalisation Verified

2. Reviewer Objectivity and Independence Confirmed

3. Review Methodology and Criteria Standards Validated