In information security, the gap between knowing the rules and actually following them is where risk thrives. ISO 27001 Annex A 5.36 Compliance with policies and standards for information security is the primary control designed to close this “knowing-doing gap.” It transforms security policies from static documents into living, breathing habits that protect an organisation daily. For fast-moving AI companies, where data is the lifeblood and innovation is constant, mastering this control is not a bureaucratic hurdle – it is an essential operational practice for building client trust, demonstrating resilience, and turning compliance into a competitive advantage. This guide provides a clear, practical roadmap for implementation.
What is Annex A 5.36?
Before we can tackle the specific compliance challenges facing the AI industry, it is crucial to understand the exact requirement of Annex A 5.36. This control is not about creating new rules, but about acting as the organisation’s internal quality check on its existing security framework. It ensures that the policies you have painstakingly developed are actually working as intended in the real world.
The ISO 27001 standard provides a clear and concise definition for this control:
“Compliance with the organisation’s information security policy, topic-specific policies, rules and standards should be regularly reviewed.”
The purpose of this control, as stated by the standard, is to ensure that all implemented security measures remain suitable, adequate, and effective. It is a continuous loop of verification that confirms your daily operations align with your documented intentions.
According to the ISO 27002:2022 framework, this control is unique in its dual nature. It is both a:
- Preventive control, designed to stop security incidents from happening by ensuring rules are followed consistently.
- Corrective control, designed to identify and resolve issues of non-compliance that have already occurred.
This straightforward requirement to “check your own work” seems simple on the surface. So, why does it present such unique and significant difficulties for companies working at the cutting edge of artificial intelligence?
The Unique Compliance Challenges for AI Companies
While the principle of Annex A 5.36 is universal, its application within an AI-driven environment creates distinct and high-stakes risks that demand special attention. The rapid pace of development, complex data workflows, and intense focus on innovation can inadvertently create dangerous gaps between policy and practice.
The Risk of Dormant Policies in a Fast-Paced Environment
The world of artificial intelligence evolves at an astonishing rate. New models, data processing techniques, and deployment methods can emerge in weeks, not years. This rapid evolution means security policies can quickly become obsolete liabilities that gather dust instead of shaping daily action. For example, a research team might adopt a new, unvetted workflow for processing sensitive training datasets to accelerate model development. If the information security policy has not been updated to govern this method, the organisation could unknowingly expose its most valuable intellectual property and data assets.
The Risk of Scattered Evidence Across Complex Workflows
Gathering compliance evidence from fragmented AI workflows – spanning data ingestion, model training, and inference – can feel impossible. When an audit looms, this lack of a clear evidence trail triggers “audit panic.” Teams are forced into a last-minute scramble, sifting through old folders, emails, and ad hoc logs to reconstruct proof of compliance. This disorganisation is more than an inconvenience; it is a significant liability that can mask critical vulnerabilities in the AI supply chain and lead to tough audit findings.
The Risk of Compliance Fatigue Hindering Innovation
For teams focused on groundbreaking R&D, compliance reviews can feel like a bureaucratic distraction. This perception leads to “compliance fatigue,” where security devolves into a “check the box” exercise. The consequence is severe: established procedures are ignored, creating unnoticed security exposures that undermine the entire information security management system (ISMS). As one source notes, “Checkmarks lose meaning when teams disconnect,” rendering the entire compliance effort ineffective.
These challenges are significant, but they can be overcome with a structured and practical approach to embedding compliance into your operational rhythm.
Your Practical Steps to Compliance
Achieving compliance with Annex A 5.36 is not about creating more bureaucracy. It is about embedding a few key, repeatable routines into your operational rhythm to ensure policies remain relevant and effective. The following steps provide a clear path to successful implementation.
Establish a Formal Review Process
Document the procedures for how compliance reviews will be conducted. This should specify who is responsible for performing the reviews, how often they will occur, and what the scope of each review will be. A formal process creates clarity and ensures reviews are consistent and repeatable.
Assign Clear Ownership
Accountability is critical. Managers, such as the Chief Operating Officer (COO) or Chief Information Security Officer (CISO), must be formally assigned responsibility for ensuring their teams and departments conform to all relevant information security policies and rules. This top-down ownership ensures compliance is a management priority.
Plan and Conduct Regular Reviews
Reviews should be planned and conducted periodically – at least annually is a common best practice. However, reviews must also be triggered by significant changes. Key triggers include changes to laws or regulations, relocation to new physical premises, major expansions or reductions of the business, entry into a new business market, or critical changes to your information security measures.
Manage Non-Compliance Effectively
When a review uncovers an instance of non-compliance, it is essential to have a structured process for corrective action. This process should follow four key steps:
- Establish the underlying cause of the non-compliance.
- Decide whether corrective action is required to prevent recurrence.
- Plan and implement the corrective action in a timely manner.
- Review the action taken to confirm its effectiveness.
Keep Clear Records and Reports
Maintain documented records of all compliance reviews, their findings, and any subsequent corrective actions. These records are not just internal management tools; they are crucial evidence that demonstrates your commitment to continuous improvement to auditors, regulators, and clients.
While these steps provide the ‘what’ of compliance, the right tools can significantly simplify the ‘how’, making the entire process more efficient and less burdensome.
Bridging the AI Compliance Gap: A Toolkit-Based Approach
For AI companies, the gap between knowing the rules and proving they are consistently followed is often the hardest to close. The unique challenges of dormant policies, scattered evidence, and compliance fatigue require more than just good intentions – they require a robust, structured framework. The right toolkit can bridge this gap by translating compliance theory into daily operational practice.
Tackling AI’s Compliance Risks with the High Table Toolkit
The High Table ISO 27001 Templates Toolkit, available at https://hightable.io/product/iso-27001-templates-toolkit/, is specifically designed to address these challenges. It provides the essential governance structure, ready-made policies, review templates, and audit worksheets needed to satisfy the requirements of Annex A 5.36 directly. It gives your organisation a practical foundation for building a resilient and auditable compliance program.
The table below illustrates how this toolkit directly addresses the key risks faced by AI companies:
| AI Compliance Challenge | How the High Table Toolkit Provides the Solution |
|---|---|
| Dormant Policies | The toolkit’s ready-made policy templates and review guides provide a living framework that can be easily updated to keep pace with your evolving AI workflows, preventing rules from becoming obsolete. |
| Scattered Evidence | The toolkit’s structured reports and audit worksheets help you centralise and organise compliance evidence from different parts of your AI lifecycle, creating a single, audit-proof source of truth. |
| Compliance Fatigue | The step-by-step guides and pre-built templates reduce administrative friction, making it simpler for your busy technical teams to demonstrate compliance without slowing down innovation. |
Why a Toolkit Gives You More Control Than a SaaS Platform
For an AI company, where workflows and models are in constant flux, the ability to own and adapt governance documents is not just a preference; it is a strategic necessity. A template toolkit offers the ultimate adaptability to modify policies, procedures, and reports to fit your company’s unique and rapidly changing systems. This stands in stark contrast to the potential rigidity of a one-size-fits-all online platform. A toolkit is a resource you own and control completely, empowering you to build a compliance programme tailored to your specific operational reality, free from vendor lock-in and ongoing subscription fees.
Ultimately, a toolkit empowers you to build a compliance programme that truly fits your organisation.
Conclusion: Building a Culture of Continuous Improvement
Compliance with ISO 27001 Annex A 5.36 is far more than an administrative task required to pass an annual audit. It is a commitment to fostering a dynamic culture of review and continuous improvement that closes the gap between intention and action.
For an AI company, this commitment is a powerful commercial asset. Proactive compliance is a form of competitive differentiation that builds deep trust with enterprise clients. It allows you to fast-track deals by demonstrating mature governance and, ultimately, helps fuel business growth. By turning compliance into a proven, daily habit, you can innovate with the confidence that your most valuable assets are protected. The High Table ISO 27001 Templates Toolkit provides the practical foundation for achieving this, turning a complex requirement into a clear, manageable, and value-adding business process.
