In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.36 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.
I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.
Key Takeaways: ISO 27001 Annex A 5.36 Compliance with Policies, Rules and Standards
ISO 27001 Annex A 5.36 mandates that organizations verify at regular intervals that their information security procedures are actually being followed. Unlike an independent audit, this control is often performed by internal managers to ensure their own teams are adhering to the established security rules, policies, and standards.
Core requirements for compliance include:
- Manager-Led Reviews: This control does not strictly require independence. It is acceptable (and encouraged) for line managers or system owners to review the compliance of their own specific areas (e.g., a Head of IT reviewing the IT team’s adherence to password policies).
- Operational Frequency: Reviews should happen regularly or when triggered by significant changes, such as new legislation, a change in business jurisdiction, or the launch of a new product.
- Evidence of Review: You must maintain records of these reviews. Auditors need proof that checks were conducted, not just that a policy says they should be.
- Corrective Action: If a review finds that staff are ignoring a rule, you must formally log this and implement a fix (e.g., retraining or updating the process).
Audit Focus: Auditors use this control to see if security is “alive” in the business. They will look for evidence that managers are proactively checking their teams (“Are my staff following the rules?”), rather than waiting for the annual internal audit to catch mistakes.
Difference from Internal Audit: It is critical not to confuse this with Clause 9.2 (Internal Audit). Annex A 5.36 is an operational check (often by managers), whereas Clause 9.2 is a formal, independent assessment of the entire system.
Table of contents
- What is ISO 27001 Annex A 5.36?
- Watch the ISO 27001 Annex A 5.36 Tutorial
- ISO 27001 Annex A 5.36 Podcast
- ISO 27001 Annex A 5.36 Implementation Guidance
- How to implement ISO 27001 Annex A 5.36
- Compliance vs. Audit
- ISO 27001 Annex A 5.36 Templates
- Applicability of ISO 27001 Annex A 5.36 across different business models
- Fast Track ISO 27001 Annex A 5.36 Compliance with the ISO 27001 Toolkit
- ISO 27001 Annex A 5.36 FAQ
- Other applicable standards
- Further Reading
- ISO 27001 Controls and Attribute values
What is ISO 27001 Annex A 5.36?
ISO 27001 Annex A 5.36 Compliance with policies, rules and standards for information security is an ISO 27001 control that requires you to check, at regular intervals, that the organisation is actually complying with the information security policy, topic-specific policies, rules and standards it has defined, and to keep evidence of those checks.
What is the purpose of ISO 27001 Annex A 5.36?
The purpose of ISO 27001 Annex A 5.36 Compliance with policies, rules and standards for information security is to ensure that what you are doing is still suitable, adequate and effective.
What is the definition of ISO 27001 Annex A 5.36?
The ISO 27001 standard defines ISO 27001 Annex A 5.36 as:
Compliance with the organisation's information security policy, topic-specific policies, rules and standards should be regularly reviewed.
ISO 27001:2022 Annex A 5.36 Compliance with policies, rules and standards for information security
Own Your ISMS, Don’t Rent It
Do it Yourself ISO 27001 with the Ultimate ISO 27001 Toolkit
For ISO 27001 Annex A 5.36 (Compliance with policies, rules and standards for information security), the requirement is to regularly review that your organisational security procedures are actually being followed. Unlike an independent audit (which looks at the whole system), this control is about operational checks: line managers ensuring their own teams aren't ignoring the rules.
While SaaS compliance platforms often try to sell you "automated compliance monitoring" or "automated policy attestations," they cannot actually see whether a manager is having a real conversation with their team about password security, or whether a physical process is being bypassed on the office floor. Those are human leadership and operational tasks. The High Table ISO 27001 Toolkit is the logical choice because it provides the operational review framework you need without a recurring subscription fee.
1. Ownership: You Own Your Compliance Reviews Forever
SaaS platforms act as a middleman for your compliance evidence. If you define your manager-led review schedules and store your check-logs inside their proprietary system, you are essentially renting your own internal oversight records.
- The Toolkit Advantage: You receive the Review and Audit Toolkit and Corrective Action Log templates in fully editable Word/Excel formats. These files are yours forever. You maintain permanent ownership of your standards (such as specific monthly checklists for different departments), ensuring you are always ready for an audit without an ongoing “rental” fee.
2. Simplicity: Governance for Real-World Management
Annex A 5.36 is about managers managing. You don’t need a complex new software interface to manage what a simple monthly checklist and a regular team meeting already do perfectly.
- The Toolkit Advantage: Your line managers already lead their teams. What they need is the governance layer to prove to an auditor that they are proactively checking security compliance, not just waiting for the yearly audit. The Toolkit provides pre-written “Compliance Review Worksheets” that formalize your existing management into an auditor-ready framework, without forcing your managers to learn a new software platform just to confirm a rule is being followed.
3. Cost: A One-Off Fee vs. The “Compliance Monitor” Tax
Many compliance SaaS platforms charge more based on the number of “controls” or “active reviews” you monitor. For a control that should be part of the daily fabric of your management, these monthly costs can scale aggressively for very little added value.
- The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you conduct 5 manager reviews a month or 50, the cost of your Compliance Documentation remains the same. You save your budget for actual security improvements rather than an expensive compliance dashboard.
4. Freedom: No Vendor Lock-In for Your Management Strategy
SaaS tools often mandate specific ways to report on and monitor “policy compliance.” If their system doesn’t match your unique team structures or your specialized industry rules, the tool becomes a bottleneck to true oversight.
- The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Review Procedures to match exactly how you operate, whether you use a hands-on manager check or automated reporting tools. You maintain total freedom to evolve your compliance strategy without being constrained by the technical limitations of a rented SaaS platform.
Summary: For Annex A 5.36, the auditor wants to see evidence that managers are checking their own teams’ adherence to policies (e.g., records of operational checks and corrective actions). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.
Watch the ISO 27001 Annex A 5.36 Tutorial
In this video I show you how to implement ISO 27001 Annex A 5.36 and how to pass the audit.
ISO 27001 Annex A 5.36 Podcast
In this episode: Lead Auditor Stuart Barker and team do a deep dive into ISO 27001 Annex A 5.36 Compliance With Policies, Rules And Standards For Information Security. The podcast explores what it is, why it is important and the path to compliance.
ISO 27001 Annex A 5.36 Implementation Guidance
This control complements ISO 27001 Annex A 5.35 Independent Review of Information Security.
Put in place policies and processes for reviews
You will need a documented policy and process for reviews. Consider the guidance in ISO 27001 Clause 9.2 Internal audit.
For the process of review and audit you can learn the exact process by reading How to Conduct an Internal Audit.
Plan your reviews
You will plan your reviews on a periodic basis. The standard gives no definition of "periodic", so plan to review everything in scope at least annually, and more often for high-risk areas. You can implement a single audit plan that covers internal audits, external audits and these compliance reviews.
Who does the review
Independence is not required for 5.36; independent review is covered separately under ISO 27001 Annex A 5.35 Independent Review of Information Security.
It is acceptable for the reviews to be conducted by managers, service, product or information owners.
The use of automated reporting and measuring tools is also acceptable as evidence. See ISO 27001 Annex A controls 8.15 (Logging), 8.16 (Monitoring activities) and 8.17 (Clock synchronisation).
The review can be conducted by:
- The manager of the area where the process is being operated
- The audit team
- The information security manager
- A third party consultant
Continual Improvement
Opportunities for continual improvement form part of the compliance review. Based on the continual improvement policy and process, each review is an opportunity to identify any needs for change or enhancement.
Consider the guidance in ISO 27001 Clause 10.1 Continual Improvement.
Corrective Actions
Corrective actions may be required and should be implemented if the review finds things not working as intended. You would record it in the incident and corrective action log, potentially in the risk register if there is a risk identified and manage it as part of the corrective action process.
For further guidance refer to ISO 27001:2022 Clause 10.2 Nonconformity and Corrective Action.
Keep reports and records
Maintain records and reports of the reviews as evidence that they actually took place. A policy stating that reviews happen is not evidence; the dated, signed-off review record is.
When to conduct reviews
The reviews are done at least annually and if anything changes. Examples of things that change that would lead to a review include:
- Laws change
- Regulations change
- You start a new business venture
- You change business practice
- You enter a new jurisdiction
- Your security controls change
How to implement ISO 27001 Annex A 5.36
Implementing ISO 27001 Annex A 5.36 requires a shift from passive policy management to active operational verification. By establishing a systematic review cycle, organisations ensure that technical configurations and human behaviours remain aligned with the documented requirements of the Information Security Management System (ISMS).
1. Formalise the Compliance Review Framework
Define the scope, frequency, and methodology for conducting regular compliance checks across all departments and technical systems.
- Identify all internal security policies, rules, and technical standards that require periodic verification.
- Assign formal responsibility for reviews to specific managers and system owners rather than the central security team.
- Document a standardised review template or compliance checklist to ensure consistency in reporting across departments.
2. Provision Automated Configuration Monitoring
Utilise technical tools to monitor system compliance against established security baselines in real time.
- Deploy Mobile Device Management (MDM) or endpoint management tooling (alongside Endpoint Detection and Response (EDR) where it reports on device posture) to verify disk encryption and patch status.
- Configure automated scans to check for unauthorised changes to IAM roles or administrative privileges.
- Generate weekly compliance reports to identify technical deviations from the secure baseline configuration.
3. Execute Manager Led Operational Reviews
Mandate that department heads perform routine checks to verify that their personnel are adhering to data handling and physical security rules.
- Perform “Clear Desk and Clear Screen” walkthroughs to ensure compliance with Annex A 7.7.
- Review department-specific access logs to verify that the principle of least privilege is being maintained.
- Audit physical asset registers to ensure all company hardware is accounted for and correctly labelled.
4. Formalise the Non-Compliance Remediation Process
Establish a clear workflow for documenting deviations and implementing corrective actions when policy breaches are identified.
- Log all instances of non-compliance in a central Remediation Tracker or the ISMS Incident Register.
- Conduct a root cause analysis to determine if the non-compliance was due to a technical failure, lack of awareness, or intentional bypass.
- Provision mandatory retraining or update technical controls (such as MFA enforcement) to prevent recurrence.
5. Institutionalise Management Reporting and Review
Consolidate compliance data to provide the management board with a clear view of the organisation’s security posture.
- Include compliance review findings as a standing item in the quarterly ISMS Management Review Meeting.
- Utilise compliance metrics to identify systemic weaknesses that may require budget allocation or policy revision.
- Maintain all review records as primary evidence for external ISO 27001 certification audits.
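The five steps above describe a review cycle: a documented baseline, a snapshot of what is actually deployed, a manager-led comparison, and a corrective-action record for every deviation. The following Python script is an added example of that cycle run as code; it is not part of this guide or of the High Table toolkit. The baseline values, the snapshot of admin-group membership, endpoint posture and MFA enrolment, and the user and host names are all constructed for illustration, standing in for an export from your IAM and MDM tooling. The output is the two artefacts an auditor asks for under 5.36: a dated review record stating what was checked and by whom, and an open corrective action for each finding.

```python
"""Added example: a manager-led Annex A 5.36 compliance review run as code.

Not part of the original guide or the High Table toolkit. The baseline,
snapshot, names and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass, asdict
from datetime import date

# Constructed baseline: what the documented standard says SHOULD be true.
BASELINE = {
    "admin_group_members": {"alice", "bob"},   # approved privileged users
    "disk_encryption_required": True,
    "max_patch_age_days": 30,
    "mfa_required_roles": {"admin", "finance"},
}

# Constructed snapshot: what the IAM/MDM export says IS true right now.
SNAPSHOT = {
    "admin_group_members": {"alice", "bob", "carol"},  # carol was never approved
    "endpoints": [
        {"host": "lap-001", "owner": "alice", "encrypted": True,  "patch_age_days": 12},
        {"host": "lap-002", "owner": "dave",  "encrypted": False, "patch_age_days": 45},
        {"host": "lap-003", "owner": "erin",  "encrypted": True,  "patch_age_days": 3},
    ],
    "users": [
        {"name": "alice", "role": "admin",   "mfa": True},
        {"name": "bob",   "role": "admin",   "mfa": False},
        {"name": "erin",  "role": "finance", "mfa": True},
    ],
}


@dataclass
class Finding:
    rule: str               # which documented rule was checked
    subject: str            # user or host the deviation applies to
    detail: str
    severity: str           # "high" for privilege/MFA gaps, "medium" for hygiene drift
    corrective_action: str  # what goes into the corrective action log


def check_privileged_membership(baseline, snapshot):
    """Least privilege: nobody holds admin rights beyond the approved list."""
    extra = snapshot["admin_group_members"] - baseline["admin_group_members"]
    return [Finding("least-privilege", user, "admin group member not on approved list",
                    "high", "remove from admin group; raise an access request if still needed")
            for user in sorted(extra)]


def check_endpoints(baseline, snapshot):
    """Endpoint baseline: encryption switched on and patches within the age limit."""
    findings = []
    for ep in snapshot["endpoints"]:
        if baseline["disk_encryption_required"] and not ep["encrypted"]:
            findings.append(Finding("disk-encryption", ep["host"], "full-disk encryption is off",
                                    "high", "enforce encryption via MDM; re-check at next review"))
        if ep["patch_age_days"] > baseline["max_patch_age_days"]:
            findings.append(Finding("patching", ep["host"],
                                    f"{ep['patch_age_days']} days since last patch "
                                    f"(limit {baseline['max_patch_age_days']})",
                                    "medium", "schedule a patch window; confirm completion"))
    return findings


def check_mfa(baseline, snapshot):
    """Access policy: roles on the MFA-required list must actually be enrolled."""
    return [Finding("mfa", u["name"], f"role '{u['role']}' requires MFA but it is not enrolled",
                    "high", "enforce MFA enrolment; retrain the user on the access policy")
            for u in snapshot["users"]
            if u["role"] in baseline["mfa_required_roles"] and not u["mfa"]]


def run_review(baseline, snapshot, reviewer, review_date=date(2024, 1, 15)):
    """Produce the review record plus one open corrective action per finding."""
    findings = (check_privileged_membership(baseline, snapshot)
                + check_endpoints(baseline, snapshot)
                + check_mfa(baseline, snapshot))
    return {
        "control": "ISO 27001 Annex A 5.36",
        "reviewer": reviewer,
        "date": review_date.isoformat(),
        "checks_performed": ["least-privilege", "disk-encryption", "patching", "mfa"],
        "compliant": not findings,
        "findings": [asdict(f) for f in findings],
        "corrective_actions": [
            {"subject": f.subject, "rule": f.rule, "action": f.corrective_action, "status": "open"}
            for f in findings
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_review(BASELINE, SNAPSHOT, reviewer="Head of IT"), indent=2))
```

Running it against the constructed snapshot produces four findings (an unapproved admin, an unencrypted and unpatched laptop, and an admin without MFA) and four open corrective actions. The point of the structure is that the checks are written from the documented standard, not from whatever the tooling happens to report, so the record shows which rule was tested as well as what failed; the same output, exported to the review log each month, is the evidence trail the auditor asks for.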
Compliance vs. Audit
| Strategic Feature | Annex A 5.36 (Compliance Review) | Clause 9.2 (Internal Audit) | ISO 27001:2022 Mapping |
|---|---|---|---|
| Primary Responsibility | Line Managers (e.g., Head of IT, Department Lead). | Independent Auditor (Internal or External Third-party). | 5.36 & 9.2 |
| Review Scope | Bespoke to their specific team, system, or department. | Comprehensive assessment of the entire ISMS. | 5.36 & 9.2 |
| Standard Frequency | Regular / Operational (e.g. Monthly or Quarterly). | Planned Intervals (e.g. Annually or every six months). | 5.36 & 9.2 |
| Strategic Goal | Verification: “Are my staff following the rules daily?” | Assurance: “Is the management system effective?” | 5.36 & 9.2 |
ISO 27001 Annex A 5.36 Templates
The ISO 27001 Gap Analysis, Review and Audit Toolkit provides everything you need to conduct a review from the templates, reports, detailed step by step guides and audit work sheets.
Applicability of ISO 27001 Annex A 5.36 across different business models
| Business Type | Applicability and Examples of Control Implementation |
|---|---|
| Small Businesses | Focuses on manager-led checks that the small team is actually following the basic security rules. The goal is to verify that security is "alive" in daily operations between independent internal audits, not to replace them. |
| Tech Startups | Critical for ensuring that fast-moving development and DevOps teams aren't bypassing security standards for speed. Compliance involves regular operational reviews of technical workflows and access rights. |
| AI Companies | Vital for protecting specialized AI assets and high-sensitivity training data. Focus is on verifying compliance with data masking, model weight security, and research-specific protocols. |
Fast Track ISO 27001 Annex A 5.36 Compliance with the ISO 27001 Toolkit
When addressing ISO 27001:2022 Annex A Control 5.36 (Compliance with Policies, Rules, and Standards for Information Security), organizations often face a choice: subscribe to a complex GRC (Governance, Risk, and Compliance) SaaS platform or utilise a professional document toolkit.
| Compliance Factor | SaaS GRC Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
|---|---|---|---|
| Data Custody | Rents access to your evidence; canceling the subscription often leads to “data ransom” where you lose access to logs. | Total Ownership: Your policies, standards, and logs stay on your secure servers. You own the IP forever. | A localized “Compliance Review Log” stored on your internal SharePoint or secure drive. |
| Team Engagement | Requires managers to learn complex, proprietary interfaces, often leading to “software fatigue” and low adoption. | Radical Simplicity: Uses Word and Excel—tools your team already masters. No specialized training required. | A completed Managerial Review Checklist confirming a team’s adherence to clear desk and password rules. |
| Financial Impact | Perpetual “Per-User” or “Per-Month” fees create a compounding cost that drains your security budget annually. | One-Off Investment: Pay once for the professional framework and never receive another invoice. | Reallocating saved SaaS subscription fees toward actual security hardware or penetration testing. |
| Vendor Independence | Significant vendor lock-in; migrating data out of proprietary SaaS ecosystems is complex and time-consuming. | Zero Lock-In: Standardized document formats mean you can move, edit, or migrate your files at any time. | The ability to switch internal storage providers (e.g., moving from Box to Drive) without losing compliance history. |
The Bottom Line: Control 5.36 is about ensuring your organization follows its own rules. By using a Toolkit, you ensure those rules are accessible, affordable, and most importantly entirely within your control.
ISO 27001 Annex A 5.36 FAQ
What is ISO 27001 Annex A 5.36?
ISO 27001 Annex A 5.36 is an organisational control that mandates the regular review of information security practices to ensure they comply with the organisation’s established policies, rules, and standards.
- It ensures that security controls are not just “on paper” but are functioning in practice.
- It requires managers to verify that their teams are following internal security procedures.
- It bridges the gap between high-level policy and daily technical operations.
- It supports the “Continual Improvement” requirement of the ISMS.
Is a formal compliance review process mandatory?
Yes, a documented process for reviewing compliance is mandatory for ISO 27001 certification to prove that security rules are being consistently applied.
- Auditors will look for evidence that reviews are occurring at scheduled intervals.
- Lack of compliance reviews is a common cause of “Minor Non-Conformities” during audits.
- It provides management with the necessary assurance that information risks are mitigated.
Who is responsible for conducting compliance reviews?
Under Annex A 5.36, compliance reviews should be conducted by managers or system owners who are responsible for the specific business area or technical system being reviewed.
- Business managers verify that their staff are following data handling rules.
- System owners verify that technical configurations match security baselines.
- The CISO or Security Team provides the framework and oversight for these reviews.
- The Internal Auditor provides an independent check on the review process itself.
How often should compliance reviews be performed?
ISO 27001 requires compliance reviews to be performed at “regular intervals,” which typically means annually at a minimum, though high-risk areas should be reviewed more frequently.
- Annual reviews are the standard for non-critical internal policies.
- Quarterly reviews are recommended for high-risk technical systems or access rights.
- Reviews should also be triggered by significant changes, such as major system updates or new legislation.
What is the difference between an internal audit and a compliance review?
An internal audit is an independent, objective assessment of the entire ISMS, whereas a compliance review is a routine operational check performed by managers on their own specific areas.
- Internal Audit: Independent, high-level, and checks the “system.”
- Compliance Review: Direct, operational, and checks the “practice.”
- Reviews are part of daily management; audits are part of governance oversight.
What evidence do auditors look for regarding Annex A 5.36?
Auditors look for verifiable proof such as review logs, system configuration reports, meeting minutes, and records of corrective actions taken when non-compliance was found.
- Reports from automated configuration scanning tools.
- Signed-off checklists from department managers.
- Records in the Incident Register showing where policy breaches were identified.
- Evidence of disciplinary actions or retraining following non-compliance.
What happens if an employee is found to be non-compliant?
When non-compliance is identified, the organisation must document the deviation, determine the root cause, and initiate corrective actions or the formal disciplinary process.
- Initial steps usually involve additional security awareness training.
- Technical controls may be adjusted to “force” compliance (e.g., automated screen locks).
- Repeat or intentional violations should trigger the formal disciplinary process as per Annex A 6.4.
Other applicable standards
ISO/IEC 27007 and ISO/IEC TS 27008 provide guidance for carrying out independent reviews.
Further Reading
The complete guide to ISO 27001 risk assessment
ISO 27001 Controls and Attribute values
| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| Preventive | Availability Confidentiality Integrity | Identify Protect | Legal_and_compliance Information security assurance | Governance and ecosystem |
