When ISO 27001 transitioned from the 2013 version to the 2022 update, many organisations felt a bit like they were learning a new language. While the “grammar” of the management system stayed the same, the “vocabulary” of the Annex A controls was completely rewritten. One of the most important consolidations in this new dictionary is Annex A 5.36: Compliance with policies, rules and standards for information security. If you are used to the 2013 version, this is where two familiar controls became one.
The Consolidation: From 18.2.2 and 18.2.3 to 5.36
In the ISO 27001:2013 version, checking for compliance was split across two separate requirements. You had Control 18.2.2, which focused on compliance with security policies and standards, and Control 18.2.3, which specifically looked at technical compliance reviews (like checking if a server was actually configured according to the policy).
In the 2022 update, these have been merged into a single, high-level organisational control: Annex A 5.36. According to insights from Hightable.io, this merger is designed to simplify the standard by removing the artificial wall between “policy compliance” and “technical compliance.” Now, the expectation is that you review both the paperwork and the technical reality under one unified umbrella.
Moving to “Organizational Controls”
One of the biggest shifts is structural. In 2013, these requirements sat in the “Compliance” domain. In 2022, they have moved into Theme 5: Organisational Controls. This is more than just a numbering change; it changes the “vibe” of the control. It signals that ensuring people follow the rules isn’t just a legal or IT task, it’s a core part of how the business is organised and governed.
Hightable.io notes that by moving this to the Organisational theme, the standard emphasises a “top-down” approach. It isn’t just about an IT guy running a scan; it’s about managers at all levels taking responsibility for ensuring their teams are following the specific rules and standards that apply to their department.
What Exactly is the Goal of Annex A 5.36?
The core objective hasn’t changed, but it has been refined. The purpose is to ensure that your information security policies, rules, and standards are regularly reviewed to confirm they are still suitable, adequate, and effective.
Under the 2022 framework, you aren’t just checking “Is it done?” but “Is it still working?” The standard now encourages a more dynamic approach to these reviews. Instead of a once-a-year audit that checks everything, you are encouraged to trigger reviews based on risks or significant changes. This might include:
- New business ventures or entering new jurisdictions.
- Changes in local or international laws and regulations.
- Significant updates to your internal security technologies or software.
Practical Implementation: Who Does the Checking?
A frequent question for those transitioning to the 2022 version is who exactly should be performing these 5.36 reviews. The updated guidance is flexible but clear on the need for objectivity. Ideally, reviews should be conducted by:
- The manager responsible for the specific area or process under review.
- An internal audit team (if they are independent of the process).
- A dedicated Information Security Manager.
- A qualified third-party consultant.
The addition of “Managers” as key players in the 2022 implementation guidance is a subtle hint. It suggests that compliance shouldn’t just be something the security team “does” to the rest of the company; it should be integrated into the management duties of every department head.

Why the Change Matters for Your Transition
If you are currently mapped to the 2013 version, the move to 5.36 is actually a blessing. It reduces the complexity of your Statement of Applicability (SoA) and allows you to create a more streamlined compliance reporting process. Instead of managing two separate streams of evidence, one for policy and one for technical checks, you can now group these into a single, cohesive compliance dashboard.
As suggested by Hightable.io, the best way to handle this transition is to update your internal audit or compliance policy to reflect this consolidated view. Ensure your “triggers” for a review are well-defined, and make sure you are documenting the results of these checks. Evidence of “compliance with compliance” is often a favourite topic for ISO auditors!
Final Thoughts
ISO 27001:2022 Annex A 5.36 reflects a modern, more integrated way of thinking about security. It moves us away from silos and toward a culture where following security rules is just “how we do things here.” By consolidating the technical and administrative aspects of compliance, the standard makes it easier for organisations to see where they stand and where they need to improve.
