ISO 27001 Annex A 5.35 Independent Review of Information Security is a security control that mandates the objective evaluation of an organisation’s security implementation by impartial parties at scheduled intervals. This ensures that governance remains effective, providing the business benefit of continuous compliance and reduced operational complacency.
In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.35 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.35 Independent Review of Information Security
ISO 27001 Annex A 5.35 mandates that an organization’s approach to information security is assessed objectively. The goal is to prevent “marking your own homework”, ensuring that security controls are evaluated by someone who has no direct influence over the operations being checked.
Core requirements for compliance include:
- True Independence: The reviewer must not be responsible for the implementation or management of the controls they are testing. For example, a CISO cannot independently review the ISMS they built.
- Planned Intervals: Reviews must happen on a scheduled basis (often annually) or when significant changes occur, such as a merger, new regulation, or major system overhaul.
- Qualified Reviewers: Independence isn’t enough; the reviewer must also be competent. This can be an internal audit team, a peer from another department (e.g., HR auditing IT, if trained), or an external consultant.
- Reporting: The results of the independent review must be reported directly to Top Management to ensure accountability and visibility.
Audit Focus: Auditors will scrutinize the org chart and contracts to verify independence. They will check:
- Objectivity: Is the reviewer free from conflict of interest?
- Competence: Does the reviewer actually understand what they are auditing?
- Action: Did management actually fix the issues raised in the independent report?
Internal vs. External Review: While “Independent Review” often implies an external consultant (which is the gold standard for objectivity), it is not strictly required. An internal audit team can fulfil this requirement, provided they report to a separate authority (like the Board) and not the IT or Security Manager.
Table of contents
- What is ISO 27001 Annex A 5.35?
- Watch the ISO 27001 Annex A 5.35 Tutorial
- ISO 27001 Annex A 5.35 Podcast
- ISO 27001 Annex A 5.35 Implementation Guidance
- How to implement ISO 27001 Annex A 5.35
- Independence Criteria
- How to Audit ISO 27001 Annex A 5.35
- ISO 27001 Annex A 5.35 Template
- Applicability of ISO 27001 Annex A 5.35 across different business models.
- Fast Track ISO 27001 Annex A 5.35 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.35 Applicable Laws and Related Standards
- ISO 27001 Annex A 5.35 FAQ
- What other standards apply?
- Related ISO 27001 Controls
- ISO 27001 Controls and Attribute values
What is ISO 27001 Annex A 5.35?
ISO 27001 Annex A 5.35 Independent review of information security is an ISO 27001 control that wants you to get an independent review of your information security management and controls at planned intervals or when things change significantly.
What is the purpose of ISO 27001 Annex A 5.35?
The purpose of ISO 27001 Annex A 5.35 Independent review of information security is to ensure that what you are doing is still suitable, adequate and effective.
It is independent so that you do not mark your own homework or become complacent in your operations.
What is the definition of ISO 27001 Annex A 5.35?
The ISO 27001 standard defines ISO 27001 Annex A 5.35 as:
The organisation’s approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur.
ISO 27001:2022 Annex A 5.35 Independent review of information security
Watch the ISO 27001 Annex A 5.35 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.35 and how to pass the audit.
ISO 27001 Annex A 5.35 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into the ISO 27001 Annex A 5.35 Independent Review Of Information Security. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.35 Implementation Guidance
Process of independent review
You will have a policy and process for independent reviews. Consider the guidance in ISO 27001 Clause 9.2 Internal audit.
For the process of independent review and audit you can learn the exact process by reading How to Conduct an Internal Audit.
Plan your reviews
You will plan your reviews on a periodic basis. The standard gives no real guidance on what “periodic” means, so plan to do one full audit of everything at least annually. You can implement an audit plan that includes both internal and external audits and reviews.
Make sure the reviewer is independent
Independence can be achieved using internal or external persons as long as they are independent of the area being reviewed. The people should have the competence to do the review and not have authority over the area being reviewed.
Continual Improvement
Opportunities for continual improvement form part of the independent review. Based on the continual improvement policy and process, this is an opportunity to identify any needs for change or enhancement.
Consider the guidance in ISO 27001 Clause 10.1 Continual Improvement.
Corrective Actions
Corrective actions may be required and should be implemented if the review finds things not working as intended. Record the finding in the incident and corrective action log (and in the risk register if a risk is identified) and manage it as part of the corrective action process.
For further guidance refer to ISO 27001:2022 Clause 10.2 Corrective Action.
Send reports to management
Independent reviews are reported to management and to top management as appropriate. Using the mechanism of the Management Review Team and the Management Review Team meeting is a great way to report out. Follow the structured management review agenda as defined by the standard.
When to conduct independent reviews
In addition to the planned periodic independent reviews, there are other times when you would consider conducting an independent review, for example when:
- Laws change
- Regulations change
- You start a new business venture
- You change business practice
- You enter a new jurisdiction
- Your security controls change
How to implement ISO 27001 Annex A 5.35
Implementation of ISO 27001 Annex A 5.35 is essential for maintaining the integrity and objectivity of the Information Security Management System (ISMS). This process involves a systematic evaluation by parties external to the day-to-day security operations, ensuring that controls are both suitable and effective in mitigating organisational risks. By following these technical steps, organisations can identify systemic weaknesses before they result in a breach or a non-conformity during a certification audit.
1. Formalise the Independent Review Schedule
Establish a documented audit programme that defines the scope, frequency, and methodology of reviews to ensure governance remains unbiased.
- Determine the specific business processes, technical systems, and physical locations to be included in the review scope.
- Set a recurring timeline for reviews, typically annually or following significant infrastructure changes.
- Define the criteria for “independence” to ensure reviewers are not auditing their own work or operational responsibilities.
2. Verify Reviewer Competency and Independence
Select internal auditors or external consultants with the necessary technical expertise to provide an objective assessment of the ISMS.
- Confirm the reviewer has a deep understanding of ISO 27001:2022 requirements and relevant technical controls.
- Provision access to necessary documentation and systems for reviewers while maintaining the principle of least privilege.
- Formalise a conflict of interest declaration to document the reviewer’s independence from the security implementation team.
3. Conduct Technical and Operational Assessments
Execute the review through evidence collection and technical verification of security controls and configuration baselines.
- Audit IAM roles and Multi-Factor Authentication (MFA) enforcement to ensure access controls are operating as intended.
- Review system logs, vulnerability scan results, and configuration management databases (CMDB) to verify technical compliance.
- Inspect physical security perimeters and environmental controls to confirm adherence to Annex A 7 requirements.
4. Document Findings in a Comprehensive Audit Report
Generate a formal record of the review results, including non-conformities and opportunities for improvement, to establish a compliance baseline.
- Categorise findings as Major Non-conformities, Minor Non-conformities, or Observations to assist in prioritisation.
- Include specific evidence, such as screenshots or log extracts, to support each identified gap.
- Distribute the final report to the CISO and relevant process owners for immediate review.
5. Execute Remediation and Corrective Actions
Implement a structured Corrective and Preventive Action (CAPA) workflow to resolve identified gaps and strengthen the security posture.
- Assign clear ownership and deadlines for the remediation of each identified non-conformity.
- Update the Risk Register and Statement of Applicability (SoA) based on findings to reflect the current security state.
- Verify the effectiveness of implemented fixes through a follow-up review to ensure the risk has been mitigated.
6. Present Results to Management for ISMS Validation
Report the independent findings to the Management Review Board to drive continual improvement and strategic resource allocation.
- Synthesise audit findings into high-level metrics for executive visibility during Management Review Meetings.
- Formalise a management response that outlines the commitment to addressing critical security gaps.
- Maintain records of the review and management actions as mandatory evidence for external certification bodies.
Independence Criteria
| Proposed Reviewer | Eligibility Status | Strategic Condition | ISO 27001:2022 Mapping |
|---|---|---|---|
| CISO / Security Mgr | ❌ NO | Cannot “mark their own homework” as they hold operational ISMS responsibility. | 5.35 (Independent Review) |
| IT Manager | ❌ NO | Conflict of interest; cannot review the technical IT controls they manage. | 5.35 (Independent Review) |
| Internal Audit Team | ✅ YES | Provided they report directly to the Board or Audit Committee. | 5.35 & 9.2 (Internal Audit) |
| External Consultant | ✅ YES | The gold standard for achieving absolute independence and objectivity. | 5.35 (Independent Review) |
| Peer Review | ⚠️ Maybe | Permissible if cross-departmental (e.g. HR audits IT) and auditors are trained. | 5.35 (Independent Review) |
How to Audit ISO 27001 Annex A 5.35
Auditing ISO 27001 Annex A 5.35 requires a technical deep dive into how your organisation validates the effectiveness of its security controls. As a Lead Auditor, I am looking for evidence that goes beyond a simple check-box exercise: I want to see truly independent oversight, rigorous reporting, and executive-level accountability for corrective actions. Use this 10-step technical roadmap to ensure your independent review process is robust enough to withstand a certification audit.
1. Audit the Internal Audit Programme and Policy
Audit the topic-specific policy for independent reviews to confirm it defines the frequency, scope, and methodology of the audit programme. Result: this establishes the legal and procedural baseline for ISMS oversight.
- Verify that the programme covers the entire scope of the ISMS and all applicable Annex A controls.
- Check that the audit schedule is risk-based and takes into account previous audit results.
- Confirm the policy is reviewed annually and carries senior management approval.
2. Validate Reviewer Independence and Objectivity
Validate the independence of the assigned reviewers by inspecting organisational reporting lines and conflict of interest declarations. Result: this ensures that reviewers are not auditing their own work or processes.
- Verify that internal auditors report to a level of management that provides sufficient authority.
- Check that external reviewers have been vetted for technical competence and impartiality.
- Confirm that no member of the IT or Security team is reviewing their own configuration changes.
3. Provision Auditor Access via Restricted IAM Roles
Provision temporary Identity and Access Management (IAM) roles for the reviewer to allow for evidence collection. Result: the reviewer has the necessary visibility without compromising the Principle of Least Privilege.
- Apply read-only access to configuration files, log repositories, and security dashboards.
- Mandate Multi-Factor Authentication (MFA) for the auditor’s temporary account access.
- Audit the revocation of these access rights immediately upon completion of the review.
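As an added illustration of step 3 (example code written for this guide, not part of the page or the toolkit), the check below runs over a constructed register of temporary auditor grants and flags any that are not read-only, lack MFA, or were not revoked once the review ended. The action names follow the AWS IAM “service:Verb” style and are assumed; the one-day revocation grace period is also an assumption.

```python
"""Check temporary auditor access grants against the three conditions of step 3:
read-only permissions, MFA enforced, and revocation once the review has ended.
All grant records below are constructed sample data, not real accounts."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Verbs that imply the ability to change state; anything else is treated as read-only.
# Assumed convention (AWS IAM style action names such as "iam:AttachRolePolicy").
WRITE_PREFIXES = ("Create", "Put", "Update", "Delete", "Modify",
                  "Attach", "Detach", "Write", "Run", "Start", "Stop")


@dataclass
class AccessGrant:
    reviewer: str
    account: str
    actions: List[str]          # permitted "service:Verb" actions
    mfa_required: bool
    granted_on: date
    review_end: date            # agreed end of the review engagement
    revoked_on: Optional[date] = None


def write_actions(actions: List[str]) -> List[str]:
    """Return the actions that are not read-only (wildcards count as write)."""
    bad = []
    for action in actions:
        verb = action.split(":", 1)[-1]
        if verb == "*" or verb.startswith(WRITE_PREFIXES):
            bad.append(action)
    return bad


def check_grant(grant: AccessGrant, today: date, grace_days: int = 1) -> List[str]:
    """Return a list of findings for one grant; an empty list means compliant."""
    findings = []
    bad = write_actions(grant.actions)
    if bad:
        findings.append("not read-only: " + ", ".join(bad))
    if not grant.mfa_required:
        findings.append("MFA not enforced")
    deadline = grant.review_end + timedelta(days=grace_days)
    if grant.revoked_on is None:
        if today > deadline:
            days = (today - grant.review_end).days
            findings.append(f"access still active {days} days after review end")
    elif grant.revoked_on > deadline:
        findings.append(f"revoked late on {grant.revoked_on.isoformat()}")
    return findings


def audit_grants(grants: List[AccessGrant], today: date) -> Dict[str, List[str]]:
    """Map each grant's account name to its findings."""
    return {g.account: check_grant(g, today) for g in grants}


# Constructed sample register: one compliant grant, one over-privileged and
# without MFA, and one that was never revoked after the review closed.
SAMPLE_GRANTS = [
    AccessGrant("external reviewer A", "aud-readonly",
                ["ec2:DescribeInstances", "logs:FilterLogEvents",
                 "config:GetComplianceDetailsByConfigRule"],
                True, date(2025, 3, 3), date(2025, 3, 14), date(2025, 3, 14)),
    AccessGrant("external reviewer B", "aud-overprivileged",
                ["iam:AttachRolePolicy", "s3:GetObject"],
                False, date(2025, 3, 3), date(2025, 3, 14), date(2025, 3, 14)),
    AccessGrant("internal audit C", "aud-stale",
                ["ec2:DescribeInstances"],
                True, date(2025, 3, 3), date(2025, 3, 14), None),
]
TODAY = date(2025, 3, 20)

if __name__ == "__main__":
    for account, findings in audit_grants(SAMPLE_GRANTS, TODAY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{account}: {status}")
```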
4. Formalise the Rules of Engagement for External Reviews
Formalise the Rules of Engagement (ROE) and Non-Disclosure Agreements (NDAs) for any third-party reviewers. Result: this defines legal boundaries and protects organisational data during the audit process.
- Document the technical limitations and “out-of-scope” assets for penetration testing or scans.
- Review the data handling requirements for any evidence exported to the reviewer’s systems.
- Verify the “Right to Audit” clauses in contracts with Managed Service Providers (MSPs).
5. Inspect the Review Scope and Technical Depth
Inspect the audit plan to verify that the review includes technical testing of infrastructure, not just a document review. Result: this provides assurance that security controls are effective in practice.
- Verify that the review includes a sample of firewall rules, server hardening configurations, and cloud security groups.
- Check for evidence of physical security walk-throughs and social engineering testing.
- Confirm that the review addresses “Significant Changes” in infrastructure since the last audit.
6. Audit the Reporting and Documentation Process
Audit the final audit reports to confirm they are documented in a technical format that includes specific evidence and observations. Result: this provides a reliable audit trail for certification bodies.
- Ensure each finding is mapped to a specific ISO 27001 control or organisational requirement.
- Check that reports include both non-conformities and “Opportunities for Improvement” (OFI).
- Verify that technical evidence, such as redacted screenshots or log extracts, is appended.
7. Review Management Feedback and Sign-off
Review the management review minutes to verify that independent review findings were presented to the executive board. Result: this confirms leadership accountability and resource allocation for security.
- Check for documented management responses to high-risk findings.
- Verify that the board has approved the remediation timelines proposed by the technical teams.
- Confirm that systemic security issues are identified and addressed at the governance level.
8. Audit the Corrective Action and Remediation Logs
Audit the Corrective Action Log to track the progress of remediation for all identified security gaps. Result: this ensures that vulnerabilities are closed and risks are mitigated in a timely manner.
- Verify that every finding has an assigned “Action Owner” and a realistic target date.
- Check for evidence of “Root Cause Analysis” (RCA) for major non-conformities.
- Inspect the progress updates to ensure remediation hasn’t stalled due to lack of resources.
9. Validate the Re-testing of Remediation Actions
Validate that all remediation actions were re-tested by an independent party before being marked as closed. Result: this prevents the “self-certification” of fixes and ensures vulnerabilities are genuinely resolved.
- Inspect the testing logs to see that a fresh scan or configuration check was performed.
- Verify that the reviewer has signed off on the closure of the finding.
- Check that re-testing is documented with the same rigour as the original audit.
10. Inspect the Update of the Asset Register
Inspect the organisational Asset Register to ensure it has been updated with any new risks or assets discovered during the review. Result: this maintains the accuracy of the organisational risk landscape.
- Verify that “Shadow IT” or undocumented legacy systems found during the audit are now formally recorded.
- Check that risk owners have updated their departmental registers based on audit findings.
- Confirm that the review results feed directly into the next ISMS risk assessment cycle.
ISO 27001 Annex A 5.35 Template
The ISO 27001 Gap Analysis, Review and Audit Toolkit provides everything you need to conduct an independent review, from templates and reports to detailed step-by-step guides and audit worksheets.
Applicability of ISO 27001 Annex A 5.35 across different business models.
| Business Type | Applicability and Example Control Implementation |
|---|---|
| Small Businesses | Focuses on ensuring that basic security controls (backups, access rights) are reviewed by someone who didn’t implement them. The goal is to bring “fresh eyes” to the operation without the high cost of a dedicated audit department. |
| Tech Startups | Critical for validating cloud-native security and ensuring rapid growth hasn’t compromised the ISMS. Compliance involves ensuring that the people managing production environments are not auditing themselves. |
| AI Companies | Vital for protecting unique AI IP and ensuring ethical data handling. Focus is on independent verification of specialized data pipelines and model security protocols. |
Fast Track ISO 27001 Annex A 5.35 Compliance with the ISO 27001 Toolkit
For ISO 27001 Annex A 5.35 (Independent review of information security), the requirement is to review the organization’s approach to managing information security independently at planned intervals or when significant changes occur. This ensures you don’t “mark your own homework” and that your controls remain suitable, adequate, and effective.
| Compliance Factor | SaaS Compliance Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Evidence Ownership | Rents access to your audit trails; canceling the subscription often means losing your independent review history. | Permanent Assets: Fully editable Word/Excel Audit Policies and Templates you own and host yourself. | A localized “Internal Audit Policy” defining the criteria for reviewer independence and impartiality. |
| True Independence | Claims “automated” audits via dashboards that cannot provide the “fresh eyes” of an impartial human reviewer. | Governance-First: Provides the framework for external consultants or impartial internal teams to follow. | A completed “Independent Review Report” documenting an objective assessment of your ISMS controls. |
| Cost Efficiency | Charges an “Audit Module Tax” for advanced review features, creating an ongoing drain on your security budget. | One-Off Fee: A single payment covers your audit governance forever, regardless of review frequency. | Reallocating saved SaaS fees toward hiring specialized external security experts for technical deep-dives. |
| Verification Freedom | Mandates rigid reporting formats that may not align with specialized industry requirements or custom audit structures. | 100% Agnostic: Templates adapt to any reviewer—internal staff or third-party consultants—without limits. | An Audit Worksheet tailored specifically to your unique cloud architecture or niche industrial processes. |
Summary: For Annex A 5.35, the auditor wants to see a formal audit plan and evidence that reviews were conducted by someone independent of the area being audited. The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
ISO 27001 Annex A 5.35 Applicable Laws and Related Standards
| Standard / Law | Relevant Control / Article | Mapping and Requirements |
|---|---|---|
| ISO/IEC 27001:2022 | Annex A 5.35 | The primary control requiring information security implementation to be reviewed independently at planned intervals or upon significant change. |
| NIST CSF v2.0 | ID.GV-04, PR.IP-07 | Governance and assessment requirements mandate that security programs are reviewed by internal or external parties to ensure compliance and effectiveness. |
| NIS2 Directive (EU) | Article 21 (2) | Entities must implement risk management measures. Independent review serves as the verification layer for “essential” and “important” entities to ensure these measures are effective. |
| DORA (EU) | Articles 6, 24, 25 | Financial entities must maintain an ICT Risk Management Framework subject to regular internal audit and perform Threat-Led Penetration Testing (TLPT). |
| SOC 2 (Trust Criteria) | Common Criteria (CC4.1, CC4.2) | Monitoring activities require the entity to perform ongoing and separate evaluations (audits) to ascertain whether components of internal control are present and functioning. |
| GDPR / UK GDPR | Article 32 (1)(d) | Mandates a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing. |
| UK Data (Use and Access) Act 2025 | Compliance Assessment Clauses | Requires high-security thresholds for “Smart Data” schemes, verified through regular independent audits of data-sharing intermediaries and controllers. |
| Cyber Security and Resilience Bill (UK) | MSP Audit Obligations | Expands mandatory reporting for Managed Service Providers (MSPs). Independent reviews are required to identify vulnerabilities that must be reported to regulators. |
| CIRCIA (USA) | Vulnerability Assessment Standards | Critical infrastructure sectors must maintain auditable records of cyber incidents and security posture, implying the need for independent validation of reporting accuracy. |
| EU AI Act | Article 15, Article 43 | High-risk AI systems must undergo “Conformity Assessments” by independent bodies to ensure security, transparency, and accuracy before market entry. |
| ISO/IEC 42001 (AI) | Annex A.10 | Requires independent assessment of the AI Management System (AIMS) to ensure the security and ethical use of machine learning models. |
| EU Product Liability Directive (PLD) | Article 4 (Defectiveness) | Software providers are strictly liable for security flaws. Independent reviews provide the legal “due diligence” evidence required to prove security-by-design and avoid liability. |
| ECCF (EU Cybersecurity Cert) | Assurance Levels (Basic, Substantial, High) | Requires independent evaluation of ICT products and services to achieve harmonised security labels for cross-border trade in the EU. |
| HIPAA (USA) | § 164.308(a)(8) (Evaluation) | Requires periodic technical and non-technical evaluations (audits) to verify that the security policies and procedures meet the HIPAA Security Rule requirements. |
| CCPA / CPRA (California) | § 1798.185 (a)(15) | Requires businesses whose processing of consumers’ personal information presents significant risk to perform annual cybersecurity audits and submit them to the Agency. |
ISO 27001 Annex A 5.35 FAQ
What is ISO 27001 Annex A 5.35?
ISO 27001 Annex A 5.35 (formerly A.18.2.1) is a governance control that mandates an organisation’s approach to managing information security and its implementation be reviewed independently at planned intervals.
- It ensures that the Information Security Management System (ISMS) remains suitable, adequate, and effective.
- It provides high-level assurance to management and external stakeholders.
- It identifies gaps between theoretical policy and operational reality.
- It supports the “Continual Improvement” requirement of the ISO 27001 standard.
Is an independent review the same as an internal audit?
No. While both involve assessment, an independent review is a broader evaluation of the ISMS strategy and governance, whereas an internal audit (Clause 9.2) is a structured check against specific standard requirements.
- Independent reviews often focus on the suitability of the security approach for the business goals.
- Internal audits are typically more prescriptive and focus on compliance with the ISO 27001 clauses.
- Reviews may be performed by external consultants or internal staff who were not involved in the ISMS implementation.
- The results of both feed into the Management Review Meeting.
Who can perform an independent review for Annex A 5.35?
An independent review must be conducted by individuals who have the necessary technical competence and were not involved in developing the security controls being assessed.
- External third-party consultants or specialist security firms.
- Internal audit departments with no operational responsibility for the ISMS.
- Specialised management teams from different departments within the same group.
- The key requirement is “independence” from the day-to-day management of the security function.
How often should an independent review be conducted?
ISO 27001 requires reviews at “planned intervals” or whenever “significant changes” occur, which typically translates to an annual review for most organisations.
- Annual reviews are the industry standard for maintaining certification.
- Significant changes include major infrastructure migrations, mergers, or new regulatory requirements.
- High-risk environments may require more frequent, targeted reviews (e.g., every six months).
What are the typical triggers for an independent review?
The primary triggers for a review include scheduled audit cycles, major security incidents, or substantial shifts in the organisation’s technical or legal landscape.
- Planned periodic intervals as defined in the ISMS roadmap.
- Following a significant information security breach or system failure.
- Major changes to business processes, such as moving to a fully remote work model.
- New legislation or industry-specific security standards entering into force.
What evidence do auditors look for regarding Annex A 5.35?
Auditors require verifiable proof that a review was conducted by a competent, independent party and that the findings were reported to senior management.
- Formal independent review reports or third-party audit summaries.
- Management Review Meeting minutes showing the review was discussed.
- The “Continual Improvement” log or Corrective Action Plan addressing review findings.
- Records of the reviewer’s qualifications or proof of their independence from the ISMS.
What qualifications must an independent reviewer have?
ISO 27001 does not mandate a specific certification, but the reviewer must be “competent.” As an auditor, I look for relevant experience, such as a background in IT auditing, or professional certifications like CISA (Certified Information Systems Auditor), CISSP, or an ISO 27001 Lead Auditor qualification.
Can our Managed Service Provider (MSP) conduct the independent review?
If your MSP is responsible for managing your firewalls, backups, or user access, they absolutely cannot perform the independent review. That is a direct conflict of interest. However, if your MSP has a completely separate, dedicated compliance consulting division that does not touch your operational IT, it may be permissible if strict segregation of duties is documented.
What other standards apply?
ISO/IEC 27007 and ISO/IEC TS 27008 provide guidance for carrying out independent reviews.
Related ISO 27001 Controls
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability, Confidentiality, Integrity | Identify, Protect | Information protection | Governance and ecosystem |