In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.35 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.35 Independent Review of Information Security
ISO 27001 Annex A 5.35 mandates that an organization’s approach to information security is assessed objectively. The goal is to prevent “marking your own homework”, ensuring that security controls are evaluated by someone who has no direct influence over the operations being checked.
Core requirements for compliance include:
- True Independence: The reviewer must not be responsible for the implementation or management of the controls they are testing. For example, a CISO cannot independently review the ISMS they built.
- Planned Intervals: Reviews must happen on a scheduled basis (often annually) or when significant changes occur, such as a merger, new regulation, or major system overhaul.
- Qualified Reviewers: Independence isn’t enough; the reviewer must also be competent. This can be an internal audit team, a peer from another department (e.g., HR auditing IT, if trained), or an external consultant.
- Reporting: The results of the independent review must be reported directly to Top Management to ensure accountability and visibility.
Audit Focus: Auditors will scrutinize the org chart and contracts to verify independence. They will check:
- Objectivity: Is the reviewer free from conflict of interest?
- Competence: Does the reviewer actually understand what they are auditing?
- Action: Did management actually fix the issues raised in the independent report?
Internal vs. External Review: While “Independent Review” often implies an external consultant (which is the gold standard for objectivity), it is not strictly required. An internal audit team can fulfil this requirement, provided they report to a separate authority (like the Board) and not the IT or Security Manager.
Table of contents
- What is ISO 27001 Annex A 5.35?
- Watch the ISO 27001 Annex A 5.35 Tutorial
- ISO 27001 Annex A 5.35 Podcast
- ISO 27001 Annex A 5.35 Implementation Guidance
- How to implement ISO 27001 Annex A 5.35
- Independence Criteria
- ISO 27001 Annex A 5.35 Template
- Applicability of ISO 27001 Annex A 5.35 across different business models.
- Fast Track ISO 27001 Annex A 5.35 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.35 FAQ
- What other standards apply?
- Related ISO 27001 Controls
- ISO 27001 Controls and Attribute values
What is ISO 27001 Annex A 5.35?
ISO 27001 Annex A 5.35 Independent review of information security is an ISO 27001 control that wants you to get an independent review of your information security management and controls at planned intervals or when things change significantly.
What is the purpose of ISO 27001 Annex A 5.35?
The purpose of ISO 27001 Annex A 5.35 Independent review of information security is to ensure that what you are doing is still suitable, adequate and effective.
It is independent so that you do not mark your own homework or become complacent in your operations.
What is the definition of ISO 27001 Annex A 5.35?
The ISO 27001 standard defines ISO 27001 Annex A 5.35 as:
The organisation’s approach to managing information security and its implementation, including people, processes and technologies, should be reviewed independently at planned intervals, or when significant changes occur.
ISO 27001:2022 Annex A 5.35 Independent review of information security
Watch the ISO 27001 Annex A 5.35 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.35 and how to pass the audit.
ISO 27001 Annex A 5.35 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.35 Independent Review Of Information Security. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.35 Implementation Guidance
Process of independent review
You will have a policy and process for independent reviews. Consider the guidance in ISO 27001 Clause 9.2 Internal audit.
For the process of independent review and audit you can learn the exact process by reading How to Conduct an Internal Audit.
Plan your reviews
You will plan your reviews on a periodic basis. The standard gives no real guidance on what “periodic” means, so plan to do one full audit of everything at least annually. You can implement an audit plan that includes both internal and external audits and reviews.
Make sure the reviewer is independent
Independence can be achieved using internal or external persons as long as they are independent of the area being reviewed. The people should have the competence to do the review and not have authority over the area being reviewed.
Continual Improvement
Opportunities for continual improvement form part of the independent review. Based on the continual improvement policy and process, this is an opportunity to identify any needs for change or enhancement.
Consider the guidance in ISO 27001 Clause 10.1 Continual Improvement.
Corrective Actions
Corrective actions may be required and should be implemented if the review finds things not working as intended. Record each finding in the incident and corrective action log, and in the risk register if a risk has been identified, and manage it as part of the corrective action process.
For further guidance refer to ISO 27001:2022 Clause 10.2 Corrective Action.
Send reports to management
Independent reviews are reported to management and to top management as appropriate. Using the Management Review Team and its meetings is a great way to report out, following the structured management review agenda as defined by the standard.
When to conduct independent reviews
In addition to the planned periodic independent reviews, there are other times when you would consider conducting an independent review. They could be when:
- Laws change
- Regulations change
- You start a new business venture
- You change business practice
- You enter a new jurisdiction
- Your security controls change
How to implement ISO 27001 Annex A 5.35
Implementation of ISO 27001 Annex A 5.35 is essential for maintaining the integrity and objectivity of the Information Security Management System (ISMS). This process involves a systematic evaluation by parties external to the day-to-day security operations, ensuring that controls are both suitable and effective in mitigating organisational risks. By following these technical steps, organisations can identify systemic weaknesses before they result in a breach or a non-conformity during a certification audit.
1. Formalise the Independent Review Schedule
Establish a documented audit programme that defines the scope, frequency, and methodology of reviews to ensure governance remains unbiased.
- Determine the specific business processes, technical systems, and physical locations to be included in the review scope.
- Set a recurring timeline for reviews, typically annually or following significant infrastructure changes.
- Define the criteria for “independence” to ensure reviewers are not auditing their own work or operational responsibilities.
2. Verify Reviewer Competency and Independence
Select internal auditors or external consultants with the necessary technical expertise to provide an objective assessment of the ISMS.
- Confirm the reviewer has a deep understanding of ISO 27001:2022 requirements and relevant technical controls.
- Provision access to necessary documentation and systems for reviewers while maintaining the principle of least privilege.
- Formalise a conflict of interest declaration to document the reviewer’s independence from the security implementation team.
3. Conduct Technical and Operational Assessments
Execute the review through evidence collection and technical verification of security controls and configuration baselines.
- Audit IAM roles and Multi-Factor Authentication (MFA) enforcement to ensure access controls are operating as intended.
- Review system logs, vulnerability scan results, and configuration management databases (CMDB) to verify technical compliance.
- Inspect physical security perimeters and environmental controls to confirm adherence to Annex A 7 requirements.
4. Document Findings in a Comprehensive Audit Report
Generate a formal record of the review results, including non-conformities and opportunities for improvement, to establish a compliance baseline.
- Categorise findings as Major Non-conformities, Minor Non-conformities, or Observations to assist in prioritisation.
- Include specific evidence, such as screenshots or log extracts, to support each identified gap.
- Distribute the final report to the CISO and relevant process owners for immediate review.
5. Execute Remediation and Corrective Actions
Implement a structured Corrective and Preventive Action (CAPA) workflow to resolve identified gaps and strengthen the security posture.
- Assign clear ownership and deadlines for the remediation of each identified non-conformity.
- Update the Risk Register and Statement of Applicability (SoA) based on findings to reflect the current security state.
- Verify the effectiveness of implemented fixes through a follow-up review to ensure the risk has been mitigated.
6. Present Results to Management for ISMS Validation
Report the independent findings to the Management Review Board to drive continual improvement and strategic resource allocation.
- Synthesise audit findings into high-level metrics for executive visibility during Management Review Meetings.
- Formalise a management response that outlines the commitment to addressing critical security gaps.
- Maintain records of the review and management actions as mandatory evidence for external certification bodies.
Independence Criteria
| Proposed Reviewer | Eligibility Status | Strategic Condition | ISO 27001:2022 Mapping |
|---|---|---|---|
| CISO / Security Mgr | ❌ NO | Cannot “mark their own homework” as they hold operational ISMS responsibility. | 5.35 (Independent Review) |
| IT Manager | ❌ NO | Conflict of interest; cannot review the technical IT controls they manage. | 5.35 (Independent Review) |
| Internal Audit Team | ✅ YES | Provided they report directly to the Board or Audit Committee. | 5.35 & 9.2 (Internal Audit) |
| External Consultant | ✅ YES | The gold standard for achieving absolute independence and objectivity. | 5.35 (Independent Review) |
| Peer Review | ⚠️ Maybe | Permissible if cross-departmental (e.g. HR audits IT) and auditors are trained. | 5.35 (Independent Review) |
ISO 27001 Annex A 5.35 Template
The ISO 27001 Gap Analysis, Review and Audit Toolkit provides everything you need to conduct an independent review, including templates, reports, detailed step-by-step guides and audit worksheets.
Applicability of ISO 27001 Annex A 5.35 across different business models.
| Business Type | Applicability and Examples of Control Implementation |
|---|---|
| Small Businesses | Focuses on ensuring that basic security controls (backups, access rights) are reviewed by someone who didn’t implement them. The goal is to bring “fresh eyes” to the operation without the high cost of a dedicated audit department. |
| Tech Startups | Critical for validating cloud-native security and ensuring rapid growth hasn’t compromised the ISMS. Compliance involves ensuring that the people managing production environments are not auditing themselves. |
| AI Companies | Vital for protecting unique AI IP and ensuring ethical data handling. Focus is on independent verification of specialized data pipelines and model security protocols. |
Fast Track ISO 27001 Annex A 5.35 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.35 (Independent review of information security), the requirement is to review the organization’s approach to managing information security independently at planned intervals or when significant changes occur. This ensures you don’t “mark your own homework” and that your controls remain suitable, adequate, and effective.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Evidence Ownership | Rents access to your audit trails; canceling the subscription often means losing your independent review history. | Permanent Assets: Fully editable Word/Excel Audit Policies and Templates you own and host yourself. | A localized “Internal Audit Policy” defining the criteria for reviewer independence and impartiality. |
| True Independence | Claims “automated” audits via dashboards that cannot provide the “fresh eyes” of an impartial human reviewer. | Governance-First: Provides the framework for external consultants or impartial internal teams to follow. | A completed “Independent Review Report” documenting an objective assessment of your ISMS controls. |
| Cost Efficiency | Charges an “Audit Module Tax” for advanced review features, creating an ongoing drain on your security budget. | One-Off Fee: A single payment covers your audit governance forever, regardless of review frequency. | Reallocating saved SaaS fees toward hiring specialized external security experts for technical deep-dives. |
| Verification Freedom | Mandates rigid reporting formats that may not align with specialized industry requirements or custom audit structures. | 100% Agnostic: Templates adapt to any reviewer—internal staff or third-party consultants—without limits. | An Audit Worksheet tailored specifically to your unique cloud architecture or niche industrial processes. |
Summary: For Annex A 5.35, the auditor wants to see a formal audit plan and evidence that reviews were conducted by someone independent of the area being audited. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.35 FAQ
What is ISO 27001 Annex A 5.35?
ISO 27001 Annex A 5.35 (formerly A.18.2.1) is a governance control that mandates an organisation’s approach to managing information security and its implementation be reviewed independently at planned intervals.
- It ensures that the Information Security Management System (ISMS) remains suitable, adequate, and effective.
- It provides high-level assurance to management and external stakeholders.
- It identifies gaps between theoretical policy and operational reality.
- It supports the “Continual Improvement” requirement of the ISO 27001 standard.
Is an independent review the same as an internal audit?
No. While both involve assessment, an independent review is a broader evaluation of the ISMS strategy and governance, whereas an internal audit (Clause 9.2) is a structured check against specific standard requirements.
- Independent reviews often focus on the suitability of the security approach for the business goals.
- Internal audits are typically more prescriptive and focus on compliance with the ISO 27001 clauses.
- Reviews may be performed by external consultants or internal staff who were not involved in the ISMS implementation.
- The results of both feed into the Management Review Meeting.
Who can perform an independent review for Annex A 5.35?
An independent review must be conducted by individuals who have the necessary technical competence and were not involved in developing the security controls being assessed.
- External third-party consultants or specialist security firms.
- Internal audit departments with no operational responsibility for the ISMS.
- Specialised management teams from different departments within the same group.
- The key requirement is “independence” from the day-to-day management of the security function.
How often should an independent review be conducted?
ISO 27001 requires reviews at “planned intervals” or whenever “significant changes” occur, which typically translates to an annual review for most organisations.
- Annual reviews are the industry standard for maintaining certification.
- Significant changes include major infrastructure migrations, mergers, or new regulatory requirements.
- High-risk environments may require more frequent, targeted reviews (e.g., every six months).
What are the typical triggers for an independent review?
The primary triggers for a review include scheduled audit cycles, major security incidents, or substantial shifts in the organisation’s technical or legal landscape.
- Planned periodic intervals as defined in the ISMS roadmap.
- Following a significant information security breach or system failure.
- Major changes to business processes, such as moving to a fully remote work model.
- New legislation or industry-specific security standards entering into force.
What evidence do auditors look for regarding Annex A 5.35?
Auditors require verifiable proof that a review was conducted by a competent, independent party and that the findings were reported to senior management.
- Formal independent review reports or third-party audit summaries.
- Management Review Meeting minutes showing the review was discussed.
- The “Continual Improvement” log or Corrective Action Plan addressing review findings.
- Records of the reviewer’s qualifications or proof of their independence from the ISMS.
What other standards apply?
ISO/IEC 27007 and ISO/IEC TS 27008 provide guidance for carrying out independent reviews.
Related ISO 27001 Controls
ISO 27001 Annex A 5.36 Compliance With Policies, Rules And Standards For Information Security
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability Confidentiality Integrity | Identify Protect | Information protection | Governance and ecosystem |