ISO 27001 Compliance with Policies, Rules, and Standards | Annex A 5.36 | The Lead Auditor’s Implementation and Audit Guide

ISO 27001 Annex A 5.36 Compliance with Policies, Rules and Standards is a security control that mandates regular managerial reviews of operational procedures to ensure ongoing adherence to security requirements, providing the business benefit of identifying systemic deviations before they result in critical data breaches or audit failures.

In this guide, I will show you exactly how to implement ISO 27001 Annex A 5.36 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways: ISO 27001 Annex A 5.36 Compliance with Policies, Rules and Standards

ISO 27001 Annex A 5.36 mandates that organizations verify at regular intervals that their information security procedures are actually being followed. Unlike an independent audit, this control is often performed by internal managers to ensure their own teams are adhering to the established security rules, policies, and standards.

Core requirements for compliance include:

  • Manager-Led Reviews: This control does not strictly require independence. It is acceptable (and encouraged) for line managers or system owners to review the compliance of their own specific areas (e.g., a Head of IT reviewing the IT team’s adherence to password policies).
  • Operational Frequency: Reviews should happen regularly or when triggered by significant changes, such as new legislation, a change in business jurisdiction, or the launch of a new product.
  • Evidence of Review: You must maintain records of these reviews. Auditors need proof that checks were conducted, not just that a policy says they should be.
  • Corrective Action: If a review finds that staff are ignoring a rule, you must formally log this and implement a fix (e.g., retraining or updating the process).

Audit Focus: Auditors use this control to see if security is “alive” in the business. They will look for evidence that managers are proactively checking their teams (“Are my staff following the rules?”), rather than waiting for the annual internal audit to catch mistakes.

  1. Objectivity: Is the reviewer free from conflict of interest?
  2. Competence: Does the reviewer actually understand what they are auditing?
  3. Action: Did management actually fix the issues raised in the independent report?

Difference from Internal Audit: It is critical not to confuse this with Clause 9.2 (Internal Audit). Annex A 5.36 is an operational check (often by managers), whereas Clause 9.2 is a formal, independent assessment of the entire system.


What is ISO 27001 Annex A 5.36?

ISO 27001 Annex A 5.36 Compliance with policies, rules and standards for information security is an ISO 27001 control that requires you to ensure that you comply with the information security policy, topic-specific policies, rules and standards you have defined, and that this compliance is reviewed regularly.

What is the purpose of ISO 27001 Annex A 5.36?

The purpose of ISO 27001 Annex A 5.36 Compliance with policies, rules and standards for information security is to ensure that what you are doing is still suitable, adequate and effective.

What is the definition of ISO 27001 Annex A 5.36?

The ISO 27001 standard defines ISO 27001 Annex A 5.36 as:

Compliance with the organisation's information security policy, topic-specific policies, rules and standards should be regularly reviewed.

ISO 27001:2022 Annex A 5.36 Compliance with policies, rules and standards for information security

For ISO 27001 Annex A 5.36 (Compliance with policies, rules and standards for information security), the requirement is to regularly review that your organisational security procedures are actually being followed. Unlike an independent audit (which looks at the whole system), this control is about operational checks: line managers ensuring their own teams aren’t ignoring the rules.

While SaaS compliance platforms often try to sell you “automated compliance monitoring” or “automated policy attestations,” they cannot actually see whether a manager is having a real conversation with their team about password security or whether a physical process is being bypassed on the office floor; those are human leadership and operational tasks. The High Table ISO 27001 Toolkit is the logical choice because it provides the operational review framework you need without a recurring subscription fee.

1. Ownership: You Own Your Compliance Reviews Forever

SaaS platforms act as a middleman for your compliance evidence. If you define your manager-led review schedules and store your check-logs inside their proprietary system, you are essentially renting your own internal oversight records.

  • The Toolkit Advantage: You receive the Review and Audit Toolkit and Corrective Action Log templates in fully editable Word/Excel formats. These files are yours forever. You maintain permanent ownership of your standards (such as specific monthly checklists for different departments), ensuring you are always ready for an audit without an ongoing “rental” fee.

2. Simplicity: Governance for Real-World Management

Annex A 5.36 is about managers managing. You don’t need a complex new software interface to manage what a simple monthly checklist and a regular team meeting already do perfectly.

  • The Toolkit Advantage: Your line managers already lead their teams. What they need is the governance layer to prove to an auditor that they are proactively checking security compliance, not just waiting for the yearly audit. The Toolkit provides pre-written “Compliance Review Worksheets” that formalize your existing management into an auditor-ready framework, without forcing your managers to learn a new software platform just to confirm a rule is being followed.

3. Cost: A One-Off Fee vs. The “Compliance Monitor” Tax

Many compliance SaaS platforms charge more based on the number of “controls” or “active reviews” you monitor. For a control that should be part of the daily fabric of your management, these monthly costs can scale aggressively for very little added value.

  • The Toolkit Advantage: You pay a single, one-off fee for the entire toolkit. Whether you conduct 5 manager reviews a month or 50, the cost of your Compliance Documentation remains the same. You save your budget for actual security improvements rather than an expensive compliance dashboard.

4. Freedom: No Vendor Lock-In for Your Management Strategy

SaaS tools often mandate specific ways to report on and monitor “policy compliance.” If their system doesn’t match your unique team structures or your specialized industry rules, the tool becomes a bottleneck to true oversight.

  • The Toolkit Advantage: The High Table Toolkit is 100% technology-agnostic. You can tailor the Review Procedures to match exactly how you operate, whether you use a hands-on manager check or automated reporting tools. You maintain total freedom to evolve your compliance strategy without being constrained by the technical limitations of a rented SaaS platform.

Summary: For Annex A 5.36, the auditor wants to see evidence that managers are checking their own teams’ adherence to policies (e.g., records of operational checks and corrective actions). The High Table ISO 27001 Toolkit provides the governance framework to satisfy this requirement immediately. It is the most direct, cost-effective way to achieve compliance using permanent documentation that you own and control.

Watch the ISO 27001 Annex A 5.36 Tutorial

In this video I show you how to implement ISO 27001 Annex A 5.36 and how to pass the audit.

ISO 27001 Annex A 5.36 Podcast

In this episode: Lead Auditor Stuart Barker and team do a deep dive into ISO 27001 Annex A 5.36 Compliance With Policies, Rules And Standards For Information Security. The podcast explores what it is, why it is important and the path to compliance.

ISO 27001 Annex A 5.36 Implementation Guidance

This control complements ISO 27001 Annex A 5.35 Independent Review of Information Security.

Put in place policies and processes for reviews

You will have a policy and a process for reviews. Consider the guidance in ISO 27001 Clause 9.2 Internal audit.

For the process of review and audit you can learn the exact process by reading How to Conduct an Internal Audit.

Plan your reviews

You will plan your reviews on a periodic basis. There is no real guidance on what “periodic” means, so plan to do one full audit of everything at least annually. You can implement an audit plan that includes both internal and external audits and reviews.

Who does the review

Independence is not required for 5.36; it is covered under ISO 27001 Annex A 5.35 Independent Review of Information Security.

It is acceptable for the reviews to be conducted by managers or by service, product or information owners.

The use of automatic reporting and measuring tools is also acceptable. See the controls 8.15, 8.16 and 8.17.

The review can be conducted by:

  • The manager of the area where the process is being operated
  • The audit team
  • The information security manager
  • A third party consultant

Continual Improvement

Opportunities for continual improvement form part of the review. Based on the continual improvement policy and process, this is an opportunity to identify any needs for change or enhancements.

Consider the guidance in ISO 27001 Clause 10.1 Continual Improvement.

Corrective Actions

Corrective actions may be required and should be implemented if the review finds things not working as intended. Record them in the incident and corrective action log (and in the risk register if a risk is identified) and manage them as part of the corrective action process.

For further guidance refer to ISO 27001:2022 Clause 10.2 Corrective Action.

Keep reports and records

To provide evidence that the reviews have happened, maintain records and reports of them.

When to conduct reviews

The reviews are done at least annually and whenever something significant changes. Examples of changes that would lead to a review include:

  • Laws change
  • Regulations change
  • You start a new business venture
  • You change business practice
  • You enter a new jurisdiction
  • Your security controls change

How to implement ISO 27001 Annex A 5.36

Implementation of ISO 27001 Annex A 5.36 ensures that your organisation’s information security practices align with internal policies, external standards, and legal requirements. As an ISO 27001 Lead Auditor, I expect to see more than just a policy on a shelf: I look for evidence of active monitoring, technical verification, and executive accountability. Follow these ten technical steps to formalise your compliance framework and satisfy rigorous audit requirements.

1. Formalise the Information Security Compliance Framework

Formalise a comprehensive framework that identifies all relevant legal, regulatory, and contractual obligations. Result: establishes the legal and procedural baseline for all organisational security activities.

  • Identify specific regional laws, such as the UK GDPR or Data Protection Act 2018, and list them in your Legal Register.
  • Document all industry-specific standards, such as PCI DSS or SOC2, that apply to your technical operations.
  • Define clear ownership for the maintenance of this framework within the Information Security Management System (ISMS).

2. Provision Compliance Monitoring and Technical Verification Tools

Provision automated tools to monitor system configurations against established security baselines. Result: provides real-time visibility into technical policy violations.

  • Deploy vulnerability scanners to identify unpatched software or non-compliant service configurations.
  • Implement Security Information and Event Management (SIEM) systems to alert on unauthorised configuration changes.
  • Utilise Data Loss Prevention (DLP) tools to monitor for the unauthorised movement of sensitive records.

3. Implement IAM Roles and MFA Enforcement

Implement strict Identity and Access Management (IAM) roles and mandate Multi-Factor Authentication (MFA) across all administrative interfaces. Result: ensures that only authorised personnel can modify security-critical settings.

  • Apply the principle of least privilege to ensure staff only access resources necessary for their specific roles.
  • Enforce MFA for all remote access and cloud-based management consoles to mitigate credential theft.
  • Regularly audit account permissions to identify and revoke “privilege creep” or orphaned accounts.

4. Establish Technical Rules of Engagement (ROE) for Reviews

Establish a formal Rules of Engagement (ROE) document for all internal and external security reviews. Result: prevents operational disruption and defines the legal boundaries for security testing.

  • Define the specific technical scope, including IP addresses and domains, that are subject to active testing.
  • Specify the time windows for technical reviews to avoid impacting critical business processes.
  • Document the escalation procedures for any critical vulnerabilities discovered during the testing process.

5. Provision the Asset Register for Compliance Mapping

Provision the Asset Register to map every technical asset to its relevant security policy and compliance requirement. Result: ensures 100 per cent coverage of the technical estate during compliance audits.

  • Assign an “Asset Owner” to every hardware and software entity recorded in the register.
  • Identify the data classification level for information stored on or processed by each asset.
  • Link assets to specific Annex A controls to simplify the generation of a Statement of Applicability (SoA).

6. Conduct Periodic Technical Compliance Reviews

Conduct regular technical reviews of system hardening and configuration standards. Result: verifies that security implementations match the theoretical policy requirements.

  • Compare current server configurations against industry-standard hardening guides, such as CIS Benchmarks.
  • Review firewall rule sets quarterly to ensure they remain relevant and do not contain overly permissive entries.
  • Perform annual penetration testing of public-facing infrastructure to validate the effectiveness of security controls.
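The quarterly firewall rule-set review in step 6 is easier to evidence when the "overly permissive" test is written down as a check that can be run against an exported rule set. The script below is an added example written for this guide, not part of the High Table toolkit or of any product: it reads inbound rules (the same shape as a cloud security-group export), flags any-source access to administrative or database ports, broad internal sources reaching those ports, and rules with no recorded owner. The port list, the "broad prefix" thresholds and the sample rules are assumptions constructed for the example; replace them with your own standard.

```python
"""Quarterly firewall / security-group rule review (added example).

Reads an inbound rule set and flags entries that an organisational standard
would normally treat as overly permissive. Ports, thresholds and the sample
rules are assumptions constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Services the (assumed) standard says must never be exposed to any source.
RESTRICTED_PORTS = {
    22: "SSH", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP",
    5432: "PostgreSQL", 6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB",
}
# Services that are allowed to be reachable from anywhere.
PUBLIC_PORTS = {80, 443}
# Source prefixes shorter than these are treated as "broad" (assumed thresholds).
BROAD_PREFIX = {4: 16, 6: 48}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    source: str       # CIDR source, e.g. "0.0.0.0/0" or "10.20.5.0/24"
    port_from: int    # inclusive port range; 0-65535 means all ports
    port_to: int
    protocol: str     # "tcp", "udp" or "any"
    owner: str = ""   # empty owner: nobody can confirm the business need


def review_rule(rule: Rule) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one inbound rule; [] if clean."""
    findings = []
    net = ipaddress.ip_network(rule.source, strict=False)
    ports = range(rule.port_from, rule.port_to + 1)
    all_ports = rule.port_from == 0 and rule.port_to == 65535
    exposed = sorted(p for p in RESTRICTED_PORTS if p in ports)
    any_source = net.prefixlen == 0
    broad_source = net.prefixlen < BROAD_PREFIX[net.version]

    if any_source:
        if all_ports:
            findings.append(("HIGH", "all ports open to any source"))
        elif exposed:
            names = ", ".join(f"{p}/{RESTRICTED_PORTS[p]}" for p in exposed)
            findings.append(("HIGH", f"restricted service open to any source: {names}"))
        elif not all(p in PUBLIC_PORTS for p in ports):
            findings.append(("MEDIUM", "non-public port range open to any source"))
    elif broad_source and (all_ports or exposed):
        findings.append(("MEDIUM", f"restricted ports reachable from broad source {net}"))

    if not rule.owner:
        findings.append(("LOW", "no rule owner recorded; business need cannot be confirmed"))
    return findings


def review_ruleset(rules: list[Rule]) -> dict[str, list[tuple[str, str]]]:
    """Map rule_id -> findings for every rule that needs a reviewer's attention."""
    return {r.rule_id: f for r in rules if (f := review_rule(r))}


# Constructed sample rule set (not a real environment).
SAMPLE_RULES = [
    Rule("fw-001", "0.0.0.0/0", 443, 443, "tcp", owner="web-team"),   # clean
    Rule("fw-002", "0.0.0.0/0", 22, 22, "tcp"),                       # SSH to world, no owner
    Rule("fw-003", "10.0.0.0/8", 3389, 3389, "tcp", owner="ops"),     # RDP from a whole /8
    Rule("fw-004", "10.20.5.0/24", 0, 65535, "any", owner="ops"),     # narrow source, clean
    Rule("fw-005", "::/0", 0, 65535, "any"),                          # everything, IPv6
]

if __name__ == "__main__":
    for rule_id, findings in review_ruleset(SAMPLE_RULES).items():
        for severity, reason in findings:
            print(f"{rule_id}: [{severity}] {reason}")
```

The output of a run, kept with the date and the reviewer's name, is the kind of record an auditor will accept as evidence that the quarterly review happened; the HIGH entries feed the corrective action log described later in this guide.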

7. Formalise Policy Acknowledgment and Awareness Training

Formalise a mandatory policy acknowledgment process and security awareness training programme. Result: ensures that the human element of the organisation is informed of the rules and standards.

  • Capture digital signatures or timestamps to prove that 100 per cent of staff have read and accepted the security policy.
  • Deploy role-based training modules that address the specific compliance risks associated with different departments.
  • Conduct regular phishing simulations to test the practical application of the organisation’s security rules.

8. Audit Non-Conformance and Corrective Action (CAPA) Processes

Audit the log of security non-conformities and track the completion of corrective actions. Result: ensures that identified gaps are closed and risks are mitigated in a timely manner.

  • Implement a formal process for performing Root Cause Analysis (RCA) on all major compliance failures.
  • Assign clear deadlines and remediation owners for every non-conformity discovered during reviews.
  • Maintain a permanent audit trail of all remediation activities for certification body inspection.

9. Review Third-Party and Supplier Compliance

Review the security posture of third-party suppliers to ensure they meet your organisational compliance standards. Result: mitigates supply chain risks and ensures data remains protected when processed by external partners.

  • Audit the “Right to Audit” clauses in existing supplier contracts to ensure technical verification is possible.
  • Request and review annual security certifications, such as ISO 27001 or SOC 2 reports, from key vendors.
  • Establish technical integration standards for suppliers accessing organisational networks or data lakes.

10. Present Compliance Status Reports to Management

Present detailed compliance status reports to the Management Review Team at planned intervals. Result: ensures executive-level visibility and secures the necessary resources for ISMS maintenance.

  • Synthesise technical scan results and audit findings into high-level Key Performance Indicators (KPIs).
  • Document management’s approval of remediation plans and their acceptance of residual risks.
  • Review the effectiveness of the compliance programme annually to drive continuous improvement.

Compliance vs. Audit

| Strategic Feature | Annex A 5.36 (Compliance Review) | Clause 9.2 (Internal Audit) | ISO 27001:2022 Mapping |
| --- | --- | --- | --- |
| Primary Responsibility | Line Managers (e.g., Head of IT, Department Lead). | Independent Auditor (Internal or External Third-party). | 5.36 & 9.2 |
| Review Scope | Bespoke to their specific team, system, or department. | Comprehensive assessment of the entire ISMS. | 5.36 & 9.2 |
| Standard Frequency | Regular / Operational (e.g. Monthly or Quarterly). | Planned Intervals (e.g. Annually or Bi-annually). | 5.36 & 9.2 |
| Strategic Goal | Verification: “Are my staff following the rules daily?” | Assurance: “Is the management system effective?” | 5.36 & 9.2 |

How to Audit ISO 27001 Annex A 5.36

Auditing ISO 27001 Annex A 5.36 requires a technical deep dive into how your organisation validates its adherence to internal policies and external standards. As a Lead Auditor, I am looking for evidence that goes beyond a simple document review: I want to see technical asset mapping, automated scanning logs, and executive-level accountability for non-conformities. Use this 10 step technical roadmap to ensure your compliance review process is robust enough to withstand a rigorous certification audit.

1. Audit the information security compliance framework

Audit the documented schedule for compliance reviews to ensure that all business processes are regularly checked against policy. Result: establishes the legal and procedural baseline for the audit programme.

  • Verify that the review frequency is determined by the level of risk associated with each business unit.
  • Check that the framework includes checks against both internal rules and external regulatory requirements.
  • Confirm the compliance framework is reviewed annually and carries senior management approval.

2. Inspect technical vulnerability management configurations

Inspect the results of the latest vulnerability scans to verify that technical assets remain compliant with hardening standards. Result: ensures technical risks are identified and remediated in a timely manner.

  • Review the scan logs to confirm that all technical assets in scope are being scanned.
  • Verify that identified vulnerabilities are mapped to the organisational corrective action process.
  • Check for evidence of “clean” scans following the remediation of high-risk findings.

3. Provision restricted Identity and Access Management (IAM) roles for the auditor

Provision temporary, read-only access for the audit team to review security configurations while maintaining the principle of least privilege. Result: provides the visibility required for evidence collection without compromising security.

  • Apply Multi-Factor Authentication (MFA) to the auditor’s temporary account access points.
  • Record the specific roles assigned to the auditor within the Identity and Access Management (IAM) system.
  • Audit the revocation of these access rights immediately upon the conclusion of the audit activity.

4. Formalise the rules of engagement (ROE) for technical reviews

Formalise a written agreement defining the technical boundaries and limitations of the compliance audit. Result: prevents operational disruption and defines legal accountability during testing.

  • Document the specific time windows for testing to avoid impact on critical business processes.
  • List any technical assets that are excluded from the scope of active testing for stability reasons.
  • Verify that all parties have signed the Rules of Engagement (ROE) document before testing begins.

5. Audit the information security policy acknowledgment records

Audit the records of staff signatures or digital acceptances of the security policy. Result: confirms that employees have been informed of the rules they are expected to follow.

  • Check for 100 per cent completion of policy acknowledgments for all new starters.
  • Verify that acknowledgments are refreshed whenever a significant change is made to the policy.
  • Review the awareness training logs to ensure the policy content has been effectively communicated.
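Both implementation step 7 (capture acknowledgments from 100 per cent of staff) and audit step 5 above (check new starters are complete and acknowledgments are refreshed after policy changes) come down to one reconciliation: every active member of staff must hold an acknowledgment of the current version of each policy. The script below is an added example for this guide, not the toolkit's code: it joins a staff list, the current policy versions and the acknowledgment records, and reports who is missing an acknowledgment, who holds one for a superseded version, and the overall completion percentage. The CSV layouts, the 14-day starter grace period and the sample rows are assumptions constructed for the example.

```python
"""Policy acknowledgment reconciliation (added example).

Finds active staff with no acknowledgment of a policy, or one for a version
that has since been superseded. All three CSV layouts, the grace period and
the sample rows are constructed assumptions for this example.
"""
import csv
import io
from datetime import date

# Constructed staff list (assumed columns).
STAFF_CSV = """user,start_date,status
alice,2022-06-01,active
bob,2024-04-10,active
carol,2023-02-01,active
dave,2021-01-01,leaver
"""

# Constructed register of policies and their current versions (assumed columns).
POLICY_VERSIONS_CSV = """policy,version,effective
Information Security Policy,3.0,2024-03-01
Acceptable Use Policy,2.1,2024-01-15
"""

# Constructed acknowledgment records, e.g. an export from an e-signature tool.
ACKS_CSV = """user,policy,version,acknowledged
alice,Information Security Policy,3.0,2024-03-05
alice,Acceptable Use Policy,2.1,2024-01-20
bob,Information Security Policy,3.0,2024-04-11
carol,Information Security Policy,2.4,2023-02-03
carol,Acceptable Use Policy,2.1,2024-01-18
dave,Information Security Policy,3.0,2024-03-02
"""

GRACE_DAYS = 14  # assumed: new starters get 14 days to complete acknowledgments


def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def check_acknowledgements(staff_csv: str, policies_csv: str, acks_csv: str,
                           as_of: date) -> dict:
    """Return {'findings': [(user, policy, status), ...], 'completion_percent': float}."""
    current = {p["policy"]: p["version"] for p in _rows(policies_csv)}

    # Keep only the most recent acknowledgment per (user, policy);
    # ISO dates compare correctly as strings.
    latest: dict[tuple[str, str], dict] = {}
    for a in _rows(acks_csv):
        key = (a["user"], a["policy"])
        if key not in latest or a["acknowledged"] > latest[key]["acknowledged"]:
            latest[key] = a

    findings, required, compliant = [], 0, 0
    for s in _rows(staff_csv):
        if s["status"] != "active":
            continue  # leavers are out of scope; their access removal is a separate check
        started = date.fromisoformat(s["start_date"])
        in_grace = (as_of - started).days < GRACE_DAYS
        for policy, version in current.items():
            required += 1
            ack = latest.get((s["user"], policy))
            if ack is None:
                status = "pending (within starter grace period)" if in_grace else "missing"
                findings.append((s["user"], policy, status))
            elif ack["version"] != version:
                # Acknowledged an older version: must be refreshed after the policy change.
                findings.append((s["user"], policy,
                                 f"stale (acknowledged {ack['version']}, current {version})"))
            else:
                compliant += 1

    pct = round(100.0 * compliant / required, 1) if required else 100.0
    return {"findings": findings, "completion_percent": pct}


if __name__ == "__main__":
    result = check_acknowledgements(STAFF_CSV, POLICY_VERSIONS_CSV, ACKS_CSV, date(2024, 5, 1))
    for user, policy, status in result["findings"]:
        print(f"{user:8} {policy:30} {status}")
    print(f"completion: {result['completion_percent']}%")
```

Run it on each review date and file the output with the review record; a completion figure below 100 per cent is the trigger for the chase-up and, if it persists, an entry in the corrective action log.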

6. Inspect the non-conformity and corrective action log

Inspect the log of previous compliance failures to verify that root cause analysis was performed. Result: ensures that historical failures drive continuous improvement within the ISMS.

  • Verify that every entry has an assigned “Action Owner” and a realistic remediation date.
  • Check for evidence that management has allocated the necessary resources to fix the non-conformity.
  • Confirm that remediation actions are tested for effectiveness before the issue is closed.

7. Audit the effectiveness of automated monitoring systems

Audit the alerts and reports generated by SIEM or DLP tools to verify that policy breaches are detected automatically. Result: reduces reliance on manual checks and provides high-density security telemetry.

  • Inspect the configuration of automated alerts to ensure they trigger based on policy violations.
  • Review a sample of alerts to verify that the security team responded according to the incident plan.
  • Check for evidence of regular tuning of the monitoring tools to reduce false positives.

8. Review management oversight and meeting minutes

Review the minutes from Management Review Team meetings to verify that compliance status is reported to top management. Result: ensures executive accountability for security investments and remediation.

  • Check that compliance reporting is a standing agenda item for the Management Review Team.
  • Verify that the board has documented their decision-making process for high-risk findings.
  • Confirm that compliance trends are tracked over time to identify systemic weaknesses.

9. Inspect physical security compliance through site walkthroughs

Inspect physical entry points and server rooms to verify that physical security rules are enforced in practice. Result: identifies real-world gaps that may not be captured in digital logs.

  • Verify that the “Clean Desk” policy is being followed in high-sensitivity areas.
  • Check that physical access logs match the authorised personnel list in the Asset Register.
  • Inspect the integrity of physical perimeters, such as locks, cameras, and alarms.

10. Validate the integration of compliance with the asset register

Validate that every asset in the register is mapped to a specific compliance check or review cycle. Result: ensures 100 per cent coverage of the technical estate during audit activities.

  • Compare the technical scan reports against the inventory in the Asset Register to find “Shadow IT.”
  • Verify that new assets are automatically included in the compliance review process upon deployment.
  • Check that decommissioned assets are formally removed from the compliance scope and the register.
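The three bullets in step 10 (and the scan-coverage check in audit step 2) are a single reconciliation between two exports: the Asset Register and the scanner's host list. The script below is an added example written for this guide, not part of the toolkit or of any scanner product: keyed on IP address, it reports scanned hosts that are absent from the register (candidate "Shadow IT"), in-scope assets the scanner never reached, decommissioned assets still sitting in the scan scope, and the resulting coverage percentage. The CSV layouts and sample rows are assumptions constructed for the example.

```python
"""Asset register vs. scan report reconciliation (added example).

Reports shadow IT, unscanned in-scope assets, decommissioned assets still in
scan scope, and scan coverage. CSV layouts and rows are constructed assumptions.
"""
import csv
import io
import ipaddress

# Constructed asset register extract (assumed column layout).
ASSET_REGISTER_CSV = """asset_id,hostname,ip,owner,status,in_scope
A-001,web01.corp.example,10.1.1.10,web-team,active,yes
A-002,db01.corp.example,10.1.2.20,dba,active,yes
A-003,legacy-ftp.corp.example,10.1.3.30,ops,decommissioned,no
A-004,hr-app.corp.example,10.1.4.40,hr-it,active,yes
A-005,lab-box.corp.example,10.9.9.9,research,active,no
"""

# Constructed vulnerability-scanner host list (assumed column layout).
SCAN_REPORT_CSV = """host,ip,scan_date
WEB01.corp.example,10.1.1.10,2024-05-01
db01,10.1.2.20,2024-05-01
legacy-ftp,10.1.3.30,2024-05-01
unknown-nas,10.1.7.77,2024-05-01
"""


def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _norm_ip(value: str) -> str:
    """Canonical IP string; a malformed entry raises rather than silently mismatching."""
    return str(ipaddress.ip_address(value.strip()))


def _load(register_csv: str, scan_csv: str):
    """Index the register by IP and return (register, scanned_ips, in_scope_ips)."""
    register = {_norm_ip(r["ip"]): r for r in _rows(register_csv)}
    scanned = {_norm_ip(r["ip"]) for r in _rows(scan_csv)}
    in_scope = {ip for ip, r in register.items()
                if r["status"] == "active" and r["in_scope"].strip().lower() == "yes"}
    return register, scanned, in_scope


def reconcile(register_csv: str, scan_csv: str) -> dict[str, list[str]]:
    """Return {finding_type: sorted identifiers} for the three step-10 checks."""
    register, scanned, in_scope = _load(register_csv, scan_csv)
    decommissioned = {ip for ip, r in register.items() if r["status"] == "decommissioned"}
    return {
        # Scanned hosts nobody has registered: candidate "Shadow IT".
        "shadow_it": sorted(scanned - set(register)),
        # In-scope assets the scanner never touched: a coverage gap.
        "unscanned": sorted(register[ip]["asset_id"] for ip in in_scope - scanned),
        # Retired assets still in the scan scope: register and scope are out of step.
        "stale_scope": sorted(register[ip]["asset_id"] for ip in decommissioned & scanned),
    }


def coverage_percent(register_csv: str, scan_csv: str) -> float:
    """Share of in-scope active assets that appear in the scan report."""
    _, scanned, in_scope = _load(register_csv, scan_csv)
    if not in_scope:
        return 100.0
    return round(100.0 * len(in_scope & scanned) / len(in_scope), 1)


if __name__ == "__main__":
    for kind, items in reconcile(ASSET_REGISTER_CSV, SCAN_REPORT_CSV).items():
        print(f"{kind}: {', '.join(items) if items else 'none'}")
    print(f"coverage: {coverage_percent(ASSET_REGISTER_CSV, SCAN_REPORT_CSV)}%")
```

Keying on IP rather than hostname avoids the case and domain-suffix mismatches visible in the sample scan export; if your estate uses DHCP or cloud auto-scaling, key on an instance or MAC identifier instead. Anything in shadow_it becomes a register entry or an incident; anything in stale_scope is a decommissioning that was never finished.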

ISO 27001 Annex A 5.36 Templates

The ISO 27001 Gap Analysis, Review and Audit Toolkit provides everything you need to conduct a review: templates, reports, detailed step-by-step guides and audit worksheets.


Applicability of ISO 27001 Annex A 5.36 across different business models.

Small Businesses
Applicability: Focuses on manager-led checks to ensure that the small team is actually following the basic security rules. The goal is to verify that security is “alive” in daily operations without the need for independent auditors.
Examples of Control Implementation:
  • The Office Manager performing a monthly “desk walk” to verify that staff are following the Clear Desk Policy.
  • The Business Owner reviewing the Backup Logs every Friday to ensure that automated cloud backups haven’t failed.
  • Conducting a quick quarterly team meeting to review the Acceptable Use Policy and confirming that everyone still understands their reporting duties.

Tech Startups
Applicability: Critical for ensuring that fast-moving development and DevOps teams aren’t bypassing security standards for speed. Compliance involves regular operational reviews of technical workflows and access rights.
Examples of Control Implementation:
  • The Head of Engineering performing a monthly review of GitHub Access to ensure that former contractors have been correctly removed.
  • The DevOps Lead conducting a bi-weekly check of AWS Security Groups to ensure no unauthorized ports have been left open.
  • Verifying that all developers are using Multi-Factor Authentication (MFA) across all SaaS tools through a monthly automated report.

AI Companies
Applicability: Vital for protecting specialized AI assets and high-sensitivity training data. Focus is on verifying compliance with data masking, model weight security, and research-specific protocols.
Examples of Control Implementation:
  • The Lead Data Scientist reviewing Data Pipeline Logs monthly to ensure that PII is being correctly anonymized before training starts.
  • The Security Lead verifying that AI Model Weights are stored in the correct encrypted buckets as per the internal Model Security Standard.
  • Performing an operational review of Adversarial Testing results to ensure that all identified “jailbreak” vulnerabilities have been mitigated.

Fast Track ISO 27001 Annex A 5.36 Compliance with the ISO 27001 Toolkit

| Compliance Factor | SaaS GRC Platforms | High Table ISO 27001 Toolkit | Audit Evidence Example |
| --- | --- | --- | --- |
| Data Custody | Rents access to your evidence; canceling the subscription often leads to “data ransom” where you lose access to logs. | Total Ownership: Your policies, standards, and logs stay on your secure servers. You own the IP forever. | A localized “Compliance Review Log” stored on your internal SharePoint or secure drive. |
| Team Engagement | Requires managers to learn complex, proprietary interfaces, often leading to “software fatigue” and low adoption. | Radical Simplicity: Uses Word and Excel, tools your team already masters. No specialized training required. | A completed Managerial Review Checklist confirming a team’s adherence to clear desk and password rules. |
| Financial Impact | Perpetual “Per-User” or “Per-Month” fees create a compounding cost that drains your security budget annually. | One-Off Investment: Pay once for the professional framework and never receive another invoice. | Reallocating saved SaaS subscription fees toward actual security hardware or penetration testing. |
| Vendor Independence | Significant vendor lock-in; migrating data out of proprietary SaaS ecosystems is complex and time-consuming. | Zero Lock-In: Standardized document formats mean you can move, edit, or migrate your files at any time. | The ability to switch internal storage providers (e.g., moving from Box to Drive) without losing compliance history. |

| Standard / Law | Relevant Control / Article | Mapping and Requirements |
| --- | --- | --- |
| ISO/IEC 27001:2022 | Annex A 5.36 | The primary requirement to regularly review compliance with information security policies, rules, and standards. |
| NIST CSF v2.0 | GV.PO-02, ID.GV-04 | Governance requirements mandate that policies are not only established but that compliance with them is monitored and assessed for effectiveness. |
| NIS2 Directive (EU) | Article 21 (2) | Essential and important entities must implement risk management measures that include policies on information security and the regular assessment of those policies. |
| DORA (EU) | Article 6 (ICT Risk Management) | Financial entities must maintain an ICT risk management framework that is subject to regular internal audit and independent review to ensure policy adherence. |
| SOC 2 (Trust Criteria) | Common Criteria (CC4.1, CC4.2) | Monitoring activities require the entity to evaluate whether the components of internal control are present and functioning as intended by policy. |
| GDPR / UK GDPR | Article 32 (1)(d) | Mandates a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing. |
| UK Data (Use and Access) Act 2025 | Compliance Assessment Clauses | Maintains high security thresholds for “Smart Data” schemes, requiring data controllers to prove adherence to technical standards during data-sharing events. |
| Cyber Security and Resilience Bill (UK) | MSP Audit Obligations | Expands mandatory compliance reporting for Managed Service Providers (MSPs), requiring independent verification that security standards are being met across client environments. |
| CIRCIA (USA) | Vulnerability Assessment Standards | Critical infrastructure sectors must maintain records of compliance with security standards to validate the accuracy of 72-hour incident reports submitted to CISA. |
| EU AI Act | Article 17 (Quality Management) | Providers of high-risk AI systems must establish a system to monitor and ensure compliance with the Act’s security and transparency requirements throughout the lifecycle. |
| ISO/IEC 42001 (AI) | Annex A.10 (Evaluation) | Requires the regular monitoring, measurement, and evaluation of the AI Management System to ensure compliance with AI-specific security policies. |
| EU Product Liability Directive (PLD) | Article 4 (Defectiveness) | Extends strict liability to software providers; documented evidence of A 5.36 compliance reviews serves as a primary legal defence against claims of “product defects.” |
| ECCF (EU Cert Framework) | Assurance Level Requirements | Achieving harmonised security labels (Basic, Substantial, High) requires verified compliance with specific ICT security standards and independent reviews. |
| HIPAA (USA) | 164.308(a)(8) (Evaluation) | Requires periodic technical and non-technical evaluations (audits) to verify that security policies and procedures meet the requirements of the HIPAA Security Rule. |
| CCPA / CPRA (California) | § 1798.185 (a)(15) | Requires businesses whose processing of personal information presents a significant risk to perform annual cybersecurity audits and submit compliance results to the Agency. |
| PCI DSS v4.0 | Requirement 12.1 | Mandates that an information security policy is established, published, maintained, and disseminated to all relevant personnel, with regular compliance checks. |

ISO 27001 Annex A 5.36 FAQ

What is ISO 27001 Annex A 5.36?

ISO 27001 Annex A 5.36 is an organisational control that mandates the regular review of information security practices to ensure they comply with established policies, rules, and standards.

Is a formal compliance review process mandatory?

Yes, a documented process for reviewing compliance is mandatory for ISO 27001 certification to prove that security rules are being consistently applied across the organisation.

Who is responsible for conducting compliance reviews?

Compliance reviews should be conducted by managers or system owners responsible for the specific business area or technical system, with oversight from the CISO.

How often should compliance reviews be performed?

Reviews must be performed at regular intervals, typically at least annually for policies and quarterly for high-risk technical systems.

What is the difference between an internal audit and a compliance review?

Internal audits are independent governance assessments of the whole ISMS, while compliance reviews are routine operational checks performed by managers on their own domains.

What evidence do auditors look for regarding Annex A 5.36?

Auditors require review logs, configuration reports, meeting minutes, and records showing that corrective actions were taken when gaps were identified.

What happens if an employee is found to be non-compliant?

The organisation must document the deviation, determine the root cause, and apply corrective actions, which may include retraining or formal disciplinary measures.

Other applicable standards

ISO/IEC 27007 and ISO/IEC TS 27008 provide guidance for carrying out independent reviews.

Further Reading

ISO 27001 Controls and Attribute values

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
| --- | --- | --- | --- | --- |
| Preventive | Availability, Confidentiality, Integrity | Identify, Protect | Legal_and_compliance, Information security assurance | Governance and ecosystem |

About the author


Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
