Auditing ISO 27001 Annex A 5.36 means verifying that managers actually enforce the organisation's information security policies, rules and standards within their own areas of responsibility, department by department. The control requires active managerial oversight and regular compliance reviews; the business benefit is reduced internal risk and sustained adherence to the organisation's security standards rather than a one-off attestation.
This technical verification tool is designed for lead auditors to establish whether managers are actively enforcing security rules within their respective areas of responsibility. Use this checklist to validate compliance with ISO 27001 Annex A 5.36 (Compliance with policies, rules and standards for information security).
1. Managerial Accountability Framework Verified
Verification Criteria: Documentation exists defining how managers are held accountable for the security compliance of personnel and systems within their specific department or area of control.
Required Evidence: Managerial job descriptions or annual performance review templates containing specific information security compliance KPIs.
Pass/Fail Test: If there is no formalised record of managers being evaluated on the security compliance levels of their teams, mark as Non-Compliant.
2. Technical Standard Operating Procedure (SOP) Alignment Validated
Verification Criteria: Localised SOPs and work instructions are reviewed to ensure they do not contradict high-level organisational security policies or standards.
Required Evidence: A sample of three departmental SOPs (e.g. Finance, HR, IT Operations) cross-referenced against the Master Information Security Policy.
Pass/Fail Test: If a departmental SOP describes a workflow that bypasses a mandatory security control (e.g. sharing service passwords), mark as Non-Compliant.
3. Periodic Area-Specific Compliance Reviews Evidenced
Verification Criteria: Managers conduct or facilitate regular reviews to ensure that security procedures are being followed correctly within their domain.
Required Evidence: Meeting minutes, internal audit memos, or signed “Managerial Attestation” reports from the current audit cycle.
Pass/Fail Test: If a manager cannot produce evidence of a review performed in their department within the last 12 months, mark as Non-Compliant.
4. Disciplinary Process for Security Violations Confirmed
Verification Criteria: A formalised disciplinary process is active and has been utilised to address intentional or repeated breaches of security policies and standards.
Required Evidence: Redacted HR logs or disciplinary records showing actions taken following security policy non-compliance.
Pass/Fail Test: If the organisation has documented security breaches by staff but lacks any corresponding record of disciplinary or corrective HR action, mark as Non-Compliant.
5. Automated Configuration Drift Monitoring Logs Present
Verification Criteria: Technical systems are monitored for drift from the organisational “Gold Image” or security baseline standards.
Required Evidence: Reports from configuration management or compliance tooling (e.g. Microsoft Intune, formerly Microsoft Endpoint Manager; Puppet; Ansible) showing each system's compliance status against the technical baseline, not merely that the management agent is installed.
Pass/Fail Test: If the organisation relies on “manual trust” for system configurations without automated alerting for non-compliant changes, mark as Non-Compliant.
6. Policy Exception Management Integrity Verified
Verification Criteria: Any deviation from security policies or standards is formally requested, risk-assessed, approved for a finite period, and recorded in a central register.
Required Evidence: Information Security Exception Register with valid, unexpired approvals and associated risk treatment plans.
Pass/Fail Test: If an active system is found in a non-compliant state without a corresponding entry in the approved Exception Register, mark as Non-Compliant.
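Items 5 and 6 only produce a meaningful verdict when the drift report and the exception register are read together. The script below is an added illustration of that cross-check, not code from the page or from any GRC or configuration management product: it compares constructed host observations against a constructed baseline, then looks each deviation up in a constructed exception register and classifies it as an approved exception, an expired exception, a permanent exception (which the reality-check table treats as a failed control), or an unregistered non-compliance. The setting names, host names, register entries and audit date are all invented sample data.

```python
"""Config-drift vs. exception-register cross-check (added illustration).

All baseline, host and register data below is constructed sample data,
not output from any real drift monitor or GRC platform.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List, Optional, Tuple

# Constructed security baseline ("gold image" expectations) for member servers.
BASELINE: Dict[str, Any] = {
    "local_admins": {"Administrator", "SRV-Admins"},  # permitted local admin group members
    "listening_ports": {22, 443},                     # permitted listening TCP ports
    "smbv1_enabled": False,                           # registry-backed hardening setting
    "audit_logging": True,
}

# Constructed per-host observations, in the shape a drift monitor would export.
OBSERVED: Dict[str, Dict[str, Any]] = {
    "fin-app-01": {"local_admins": {"Administrator", "SRV-Admins"}, "listening_ports": {22, 443},
                   "smbv1_enabled": False, "audit_logging": True},
    "hr-db-02":   {"local_admins": {"Administrator", "SRV-Admins", "jsmith"}, "listening_ports": {22, 443, 1433},
                   "smbv1_enabled": False, "audit_logging": True},
    "legacy-03":  {"local_admins": {"Administrator", "SRV-Admins"}, "listening_ports": {22, 443},
                   "smbv1_enabled": True, "audit_logging": False},
}


@dataclass(frozen=True)
class PolicyException:
    host: str
    setting: str
    approved_until: Optional[date]  # None means the approval never expires ("permanent")
    risk_treatment: str


# Constructed Information Security Exception Register entries.
REGISTER: List[PolicyException] = [
    PolicyException("hr-db-02", "listening_ports", date(2025, 12, 31), "SQL port restricted by host firewall"),
    PolicyException("legacy-03", "smbv1_enabled", None, "Legacy scanner needs SMBv1"),            # permanent
    PolicyException("legacy-03", "audit_logging", date(2024, 1, 31), "Disk pressure; re-enable after upgrade"),  # expired
]

AUDIT_DATE = date(2025, 6, 1)  # constructed date of the audit cycle


@dataclass(frozen=True)
class Drift:
    host: str
    setting: str
    expected: Any
    actual: Any


def find_drift(baseline: Dict[str, Any], observed: Dict[str, Dict[str, Any]]) -> List[Drift]:
    """Return every (host, setting) whose observed value deviates from the baseline."""
    drifts = []
    for host, settings in sorted(observed.items()):
        for setting, expected in baseline.items():
            actual = settings.get(setting)  # a missing setting is itself a deviation
            if actual != expected:
                drifts.append(Drift(host, setting, expected, actual))
    return drifts


def describe(d: Drift) -> str:
    """Human-readable drift detail; set-valued settings show the exact extra/missing members."""
    if isinstance(d.expected, (set, frozenset)) and isinstance(d.actual, (set, frozenset)):
        extra, missing = d.actual - d.expected, d.expected - d.actual
        return f"{d.host}/{d.setting}: extra={sorted(extra)} missing={sorted(missing)}"
    return f"{d.host}/{d.setting}: expected={d.expected!r} actual={d.actual!r}"


def classify(drifts: List[Drift], register: List[PolicyException], today: date) -> Dict[Tuple[str, str], str]:
    """Give each drift an audit verdict by cross-referencing the exception register."""
    index = {(e.host, e.setting): e for e in register}
    verdicts = {}
    for d in drifts:
        exc = index.get((d.host, d.setting))
        if exc is None:
            verdict = "NON_COMPLIANT_UNREGISTERED"          # item 6 pass/fail test
        elif exc.approved_until is None:
            verdict = "NON_COMPLIANT_PERMANENT_EXCEPTION"   # a permanent exception is a failed control
        elif exc.approved_until < today:
            verdict = "NON_COMPLIANT_EXPIRED_EXCEPTION"     # approval lapsed, risk no longer managed
        else:
            verdict = "COMPLIANT_APPROVED_EXCEPTION"
        verdicts[(d.host, d.setting)] = verdict
    return verdicts


def run_audit(today: date = AUDIT_DATE) -> Dict[Tuple[str, str], str]:
    """Full cross-check over the constructed data; returns the verdict per drifted (host, setting)."""
    return classify(find_drift(BASELINE, OBSERVED), REGISTER, today)


if __name__ == "__main__":
    for d in find_drift(BASELINE, OBSERVED):
        print(describe(d))
    for key, verdict in run_audit().items():
        print(f"{key[0]}/{key[1]}: {verdict}")
```

In practice the three inputs come from different owners (the drift monitor from IT operations, the register from the security function, the audit date from the auditor), which is exactly why the auditor should run the join themselves rather than accept a dashboard that only shows the drift side or only the register side.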
7. Non-Compliance Escalation and Reporting Integrity Confirmed
Verification Criteria: There is a documented and functional pathway for managers to report identified non-compliance to the CISO or the security steering committee.
Required Evidence: Email trails or GRC platform notifications showing the reporting of a departmental security failure to the central security function.
Pass/Fail Test: If departmental managers are hiding non-compliance or resolving major security failures without central oversight/logging, mark as Non-Compliant.
8. Local Asset Owner Compliance Awareness Validated
Verification Criteria: Asset owners understand the specific security rules and standards applicable to the systems they manage and can demonstrate how they verify adherence.
Required Evidence: Interviews with two departmental asset owners and their personal logs of system access reviews or patch status checks.
Pass/Fail Test: If an asset owner is unaware of the specific security standard (e.g. data retention limit) applicable to their asset, mark as Non-Compliant.
9. Corrective Action for Policy Breaches Records Present
Verification Criteria: When non-compliance is identified, the organisation implements corrective actions to prevent recurrence, rather than just treating the symptom.
Required Evidence: Post-compliance-review reports showing “Root Cause Analysis” and subsequent changes to procedures or technical controls.
Pass/Fail Test: If the same policy breach is identified across multiple review cycles with no evidence of systemic change, mark as Non-Compliant.
10. Compliance Verification with Third-Party Standards Confirmed
Verification Criteria: Where the organisation is bound by external standards (e.g. PCI DSS, Cyber Essentials), managers ensure departmental adherence to these specific rules.
Required Evidence: Attestations of Compliance (AoC) or external audit certificates that cover the departmental scope.
Pass/Fail Test: If a department handles data subject to an external standard but cannot demonstrate adherence to that specific standard’s requirements, mark as Non-Compliant.
| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
|---|---|---|
| Managerial Oversight | GRC tool sends an automated “Do you comply?” email once a year; manager clicks “Yes”. | The auditor must demand minutes from departmental meetings where security drift was actually reviewed. |
| SOP Adherence | SaaS tool records that a “Policy PDF” was opened and scrolled by the user. | The auditor performs a physical or screen-share ‘walk-through’ to see if real-world steps match the policy. |
| Compliance Monitoring | Tool identifies “Logging is On” and marks the department as green. | Verify that the manager actually saw the logs. “Logging on” is not “Reviewing compliance.” |
| Exception Management | GRC tool allows indefinite “Exceptions” that never expire. | Check the register for “Permanent Exceptions”. A permanent exception is actually a failed control, not a managed risk. |
| Disciplinary Action | GRC tool provides a “Disciplinary Policy” template to download. | Auditor must see evidence of the policy being used. A policy with zero historical usage is a theoretical control. |
| Technical Drift | Tool verifies that antivirus is installed on all machines. | Antivirus is not configuration compliance. Auditor must see drift logs for registry settings, local admin groups, and ports. |
| Accountability | Managers are “Responsible” because it says so in the ISMS scope. | Inspect personal objectives. If security is not tied to their bonus or career progression, the accountability is superficial. |