This post will cover controls A.5.35 – A.5.37, which cover the review of your ISMS and compliance with your organisation's information security policies and procedures. We also cover documented operating procedures and help you identify where they need to be formalised.
A.5.35 Independent review of information security
The objective of this is to ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
Basically, your organisation’s approach to managing information security and its implementation should be reviewed independently at planned intervals or when significant changes occur. The implementation of your ISMS will include control objectives, controls, policies, processes and procedures for information security.
Technical compliance should also be verified and reviewed for compliance with the organisation's information security policies and standards. This can be done during Internal Audit, or through a certification audit. Audit results and reports should be reported to management in Management Review.
Another consideration, which frequently gets overlooked, is that reviews of information security should also be conducted when there are significant changes. Significant changes can include:
- Laws and regulations affecting the organisation
- Significant incidents
- Changes to the organisation's business, such as a new business being started or new products or services being offered.
A.5.36 Compliance with policies, rules and standards for information security
The objective of this is to ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
Your managers need to regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements.
When determining how to measure compliance, you should seriously consider automated tools for measuring and reporting the outcomes, so that compliance can be reviewed as efficiently as possible.
It is important to ensure that reviews are documented, and these records are maintained. These can then be reported as evidence in independent reviews and audits, as above.
Any non-compliance found should be investigated by managers to:
- Identify causes.
- Evaluate any corrective actions needed.
- Implement corrective actions which are appropriate.
- Review the corrective actions to verify their effectiveness.
A.5.37 Documented operating procedures
This control is pretty self-explanatory. Its objective is to ensure the correct and secure operation of your information processing facilities.
You should consider creating documented procedures where:
- The activity is performed in the same way by multiple people.
- The activity is seldom performed, so the instructions for performing it are likely to be forgotten.
- The activity presents a risk if it is not performed correctly.
There will be some processes that do not require documentation, such as those that are automated, where a technical process is effectively self-documenting and guides the user through the process without the need for an external formal document.
Takeaways
These controls are implemented in almost the reverse order from that in which they are documented in the standard. They can be summed up in the key takeaways below:
- Document the operating procedures for information security actions performed in your organisation.
- Review the implementation of these procedures, and other policies, rules and standards within your organisation to maintain assurance that they are being followed.
- Have an independent assessment of your whole ISMS undertaken at regular intervals by someone independent of the process.
- Independent reviews should also be considered when there are major changes to your organisation.