ISO 27001 Annex A 5.35 – Independent Review Of Information Security


ISO 27001 Annex A 5.35 is about how a company should independently review its information security management system to ensure it is effective, is meeting its objectives and is operating as intended.

What is ISO 27001 Annex A 5.35?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Independent Review Of Information Security”.

What is the ISO 27001 Annex A 5.35 control objective?

The formal definition and control objective in the standard is: “The organisation's approach to managing information security and its implementation including people, processes and technologies should be reviewed independently at planned intervals, or when significant changes occur.”

What is the purpose of ISO 27001 Annex A 5.35?

The purpose of ISO 27001 Annex A 5.35 is “to ensure that what you are doing is still suitable, adequate and effective.”

Is ISO 27001 Annex A 5.35 Mandatory?

ISO 27001 Annex A control 5.35 (Independent Review Of Information Security in the 2022 standard) is not automatically mandatory in the same way the clauses in the main body of the standard (clauses 4 through 10) are.

The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.35 and all other Annex A controls, but you have the flexibility to exclude it if it is not applicable to your organisation’s specific risks and context.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

Set Up Policies and Processes for Reviews

You should have a policy and process for running reviews that are carried out by people not involved in the work being reviewed. Consider the advice given in the guide ISO 27001 Clause 9.2 Internal Audit when you do this.

To learn exactly how to do an independent check and inspection, you can read the steps in How to Conduct an Internal Audit.

Plan Your Checks

Plan to do your checks regularly. Since the standard sets no fixed frequency, plan to do a complete check of everything at least once each year. You can set up a schedule of checks that includes both checks done by your own staff and checks done by outside experts.

Fix Problems When They Happen

The independent check also involves identifying opportunities for improvement. Following the policy and process for continual improvement, this is when you look for things that need to be changed or improved.

Look at the advice in ISO 27001 Clause 10.1 Continual Improvement.

If the check finds that things are not working as planned, you should take action to correct the problems. Record the issue in the record of problems and fixes (and also in the risk register if a risk is identified), then handle it as part of the corrective action process.

For more help, look at ISO 27001:2002 Clause 10.2 Corrective Action.

Ensure the Reviewer Is Not Biased

Reviewers can come from inside or outside the company; what matters for independence is that they are competent to carry out the review and are neither responsible for nor in charge of the area being reviewed.

Send the Report to Managers

The results of independent checks are reported to managers and senior leaders as needed. A good way to report the findings is through the Management Review Team and its regular meeting. Simply follow the meeting plan set out in the guide.