4. Disciplinary Process for Security Violations Confirmed

Verification Criteria: A formalised disciplinary process is active and has been utilised to address intentional or repeated breaches of security policies and standards. Required Evidence: Redacted HR logs or disciplinary records showing actions taken following security policy non-compliance. Pass/Fail Test: If the organisation has documented security breaches by staff but lacks any corresponding record of disciplinary or corrective HR action, mark as Non-Compliant.

5. Automated Configuration Drift Monitoring Logs Present

Verification Criteria: Technical systems are monitored for drift from the organisational "Gold Image" or security baseline standards. Required Evidence: Reports from configuration management tools (e.g. Microsoft Endpoint Manager, Puppet, Ansible) showing compliance against a technical baseline. Pass/Fail Test: If the organisation relies on "manual trust" for system configurations without automated alerting for non-compliant changes, mark as Non-Compliant.

6. Policy Exception Management Integrity Verified

Verification Criteria: Any deviation from security policies or standards is formally requested, risk-assessed, approved for a finite period, and recorded in a central register. Required Evidence: Information Security Exception Register with valid, unexpired approvals and associated risk treatment plans. Pass/Fail Test: If an active system is found in a non-compliant state without a corresponding entry in the approved Exception Register, mark as Non-Compliant.

7. Non-Compliance Escalation and Reporting Integrity Confirmed

Verification Criteria: There is a documented and functional pathway for managers to report identified non-compliance to the CISO or the security steering committee. Required Evidence: Email trails or GRC platform notifications showing the reporting of a departmental security failure to the central security function. Pass/Fail Test: If departmental managers are hiding non-compliance or resolving major security failures without central oversight/logging, mark as Non-Compliant.

8. Local Asset Owner Compliance Awareness Validated

Verification Criteria: Asset owners understand the specific security rules and standards applicable to the systems they manage and can demonstrate how they verify adherence. Required Evidence: Interviews with two departmental asset owners and their personal logs of system access reviews or patch status checks. Pass/Fail Test: If an asset owner is unaware of the specific security standard (e.g. data retention limit) applicable to their asset, mark as Non-Compliant.

9. Corrective Action for Policy Breaches Records Present

Verification Criteria: When non-compliance is identified, the organisation implements corrective actions to prevent recurrence, rather than just treating the symptom. Required Evidence: Post-compliance-review reports showing "Root Cause Analysis" and subsequent changes to procedures or technical controls. Pass/Fail Test: If the same policy breach is identified across multiple review cycles with no evidence of systemic change, mark as Non-Compliant.

10. Compliance Verification with Third-Party Standards Confirmed

Verification Criteria: Where the organisation is bound by external standards (e.g. PCI DSS, Cyber Essentials), managers ensure departmental adherence to these specific rules. Required Evidence: Attestations of Compliance (AoC) or external audit certificates that cover the departmental scope. Pass/Fail Test: If a department handles data subject to an external standard but cannot demonstrate adherence to that specific standard's requirements, mark as Non-Compliant.

ISO 27001 Annex A 5.36 Audit Checklist [+ Templates]

Q: 1. Managerial Accountability Framework Verified

Verification Criteria: Documentation exists defining how managers are held accountable for the security compliance of personnel and systems within their specific department or area of control. Required Evidence: Managerial job descriptions or annual performance review templates containing specific information security compliance KPIs. Pass/Fail Test: If there is no formalised record of managers being evaluated on the security compliance levels of their teams, mark as Non-Compliant.

Q: 2. Technical Standard Operating Procedure (SOP) Alignment Validated

Verification Criteria: Localised SOPs and work instructions are reviewed to ensure they do not contradict high-level organisational security policies or standards. Required Evidence: A sample of three departmental SOPs (e.g. Finance, HR, IT Operations) cross-referenced against the Master Information Security Policy. Pass/Fail Test: If a departmental SOP describes a workflow that bypasses a mandatory security control (e.g. sharing service passwords), mark as Non-Compliant.

Q: 3. Periodic Area-Specific Compliance Reviews Evidenced

Verification Criteria: Managers conduct or facilitate regular reviews to ensure that security procedures are being followed correctly within their domain. Required Evidence: Meeting minutes, internal audit memos, or signed "Managerial Attestation" reports from the current audit cycle. Pass/Fail Test: If a manager cannot produce evidence of a review performed in their department within the last 12 months, mark as Non-Compliant.

In this ultimate how to audit guide to ISO 27001 Annex A 5.36 Compliance with Policies, Rules, and Standards, you will learn directly from an ISO 27001 Lead Auditor:

10 Key Audit Steps
Verification Criteria
Required Evidence
The Pass / Fail Test

I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.

Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.

1. Managerial Accountability Framework Verified
2. Technical Standard Operating Procedure (SOP) Alignment Validated
3. Periodic Area-Specific Compliance Reviews Evidenced
4. Disciplinary Process for Security Violations Confirmed
5. Automated Configuration Drift Monitoring Logs Present
6. Policy Exception Management Integrity Verified
7. Non-Compliance Escalation and Reporting Integrity Confirmed
8. Local Asset Owner Compliance Awareness Validated
9. Corrective Action for Policy Breaches Records Present
10. Compliance Verification with Third-Party Standards Confirmed

1. Managerial Accountability Framework Verified

Auditing ISO 27001 Annex A 5.36 is the rigorous verification of managerial enforcement regarding information security directives across organisational departments. The Primary Implementation Requirement mandates active oversight and regular compliance reviews, delivering the Business Benefit of mitigated internal risks and sustained operational adherence to security standards.

Verification Criteria: Documentation exists defining how managers are held accountable for the security compliance of personnel and systems within their specific department or area of control.

Required Evidence: Managerial job descriptions or annual performance review templates containing specific information security compliance KPIs.

Pass/Fail Test: If there is no formalised record of managers being evaluated on the security compliance levels of their teams, mark as Non-Compliant.

2. Technical Standard Operating Procedure (SOP) Alignment Validated

Verification Criteria: Localised SOPs and work instructions are reviewed to ensure they do not contradict high-level organisational security policies or standards.

Required Evidence: A sample of three departmental SOPs (e.g. Finance, HR, IT Operations) cross-referenced against the Master Information Security Policy.

Pass/Fail Test: If a departmental SOP describes a workflow that bypasses a mandatory security control (e.g. sharing service passwords), mark as Non-Compliant.

3. Periodic Area-Specific Compliance Reviews Evidenced

Verification Criteria: Managers conduct or facilitate regular reviews to ensure that security procedures are being followed correctly within their domain.

Required Evidence: Meeting minutes, internal audit memos, or signed “Managerial Attestation” reports from the current audit cycle.

Pass/Fail Test: If a manager cannot produce evidence of a review performed in their department within the last 12 months, mark as Non-Compliant.

READ THE FULL ARTICLE

Access to Business and Consultant Toolkit Members Only.

Get the Toolkit

Members Login

Table of contents

1. Managerial Accountability Framework Verified

2. Technical Standard Operating Procedure (SOP) Alignment Validated

3. Periodic Area-Specific Compliance Reviews Evidenced