When ISO 27001 was updated from the 2013 version to the 2022 iteration, many people focused on the shiny new controls like threat intelligence or cloud security. However, some of the most critical changes happened to the “governance” controls, the ones that ensure your security actually works. Annex A 5.35, which covers the Independent Review of Information Security, is a perfect example of how the standard has matured to meet modern challenges.
The Shift from 18.2.1 to 5.35
In the 2013 version of the standard, the requirement for independent reviews was found under Control 18.2.1. It sat within the “Compliance” domain, a section of the standard that many organisations treated as a legal formality. The goal was simple: make sure someone who didn’t build the system checks the system once in a while.
In the 2022 update, this requirement has been moved to Annex A 5.35 and reclassified as an Organisational Control. This is a significant structural shift. As the team at Hightable.io notes, moving this control into the organisational theme elevates it from a “check-box” compliance task to a core business process. It is no longer just about satisfying an auditor; it is about confirming the ongoing suitability, adequacy, and effectiveness of your security posture in a rapidly changing environment.
What Exactly Does Annex A 5.35 Require?
The core instruction remains consistent: the organisation’s approach to managing information security and its implementation (including people, processes, and technologies) must be reviewed independently at planned intervals or when significant changes occur.
The 2022 guidance is explicit about what “independent” means in practice. (Note that Annex A itself only lists the control in one sentence; the implementation guidance on who can review and when is in the companion standard, ISO/IEC 27002:2022.) A review can be conducted by:
- Internal auditors who are not involved in the day-to-day security operations.
- Independent departmental managers who possess the necessary technical competence.
- Third-party organisations or specialist consultants.
The key is that the reviewer must be independent of the area under review and must not have a “vested interest” in the outcome. They need to be able to tell you the hard truths without fear of office politics or conflicting KPIs. A practical test: if the person who designed or operates a control is also the person signing off on whether it works, the review is not independent.
The New Focus on “Ad-Hoc” Reviews
Perhaps the biggest practical change between the 2013 and 2022 versions is the emphasis on situational triggers. While the 2013 version mentioned reviewing after “significant changes,” the 2022 guidance goes a step further by providing specific examples of when you shouldn’t wait for your next scheduled audit.
According to Hightable.io, Annex A 5.35 now specifically highlights that an independent review should be triggered by:
- The launch of a new product or service with significant security implications.
- Major transformations to the business model (such as moving to a fully remote workforce).
- Significant alterations to the organisation’s set of information security controls or processes.
- The occurrence of a major security incident or breach.
How to Implement 5.35 in the 2022 Framework
In the 2013 version, many companies got by with a single annual internal audit. Under ISO 27001:2022, the expectation is more dynamic. You need to demonstrate that your review process is risk-based: if you are making high-risk changes to your infrastructure, your review frequency or depth should reflect that risk, and you should be able to show the auditor the criteria you used to decide when a review was triggered, not just the dates on which reviews happened.
The introduction of Attributes in the 2022 standard also helps. Control 5.35 is tagged as both a “Preventive” and a “Corrective” control type. Attributes are optional filters rather than requirements, but they help you map the control to your Risk Treatment Plan and explain its purpose: you are not reviewing for the sake of it; you are reviewing to prevent future failures and to correct current weaknesses.

Why Does This Change Matter?
The transition from 18.2.1 to 5.35 reflects a move away from “static security.” In 2013, a yearly check-up was often enough. In 2026, the threat landscape and business technologies evolve so quickly that a “set it and forget it” mentality is dangerous.
By making the independent review an organisational control, ISO 27001:2022 ensures that leadership stays informed. The results of these reviews must be reported to the management who requested them and to top management, and any findings should feed your corrective action process, ensuring that security remains a board-level conversation rather than just a technical one.
Ready for Your Transition?
If you are currently moving from the 2013 to the 2022 version, don’t overlook 5.35. Review your existing internal audit schedule and ask yourself: “Does this account for major business changes, or is it just a calendar-based routine?”
As suggested by Hightable.io, the best way to tackle this is to update your Internal Audit Policy and audit programme to include clear, documented triggers for ad-hoc reviews (new products, business-model changes, major control changes, serious incidents) alongside the scheduled cycle. This simple step not only satisfies the requirements of 5.35 but also builds a more resilient and responsive security culture within your company.
