ISO 27001 Annex A 5.35 Independent Review Of Information Security

What is ISO 27001 Annex A 5.35 Independent Review Of Information Security?

What is ISO 27001 Annex A 5.35 in ISO 27001?

ISO 27001 Annex A 5.35 requires organisations to review their information security approach independently. You must assess the management of security and its implementation. This process must be documented within your organisational tools. It ensures policies and controls remain effective. Management must review the results regularly.

Auditor’s Eye: The Shortcut Trap

Many organisations use automated SaaS platforms to generate audit reports. These “Black Box” systems often produce generic checklists. They lack the depth of a manual, integrated review. Auditors prefer seeing evidence within your native document repositories. We look for SharePoint versioning on audit plans. We want to see Jira workflows for corrective actions. A “green tick” in a third-party portal is not objective evidence. It suggests a lack of management ownership.

| 2013 Control                   | 2022 Control            | Key Requirement                                                                   |
|--------------------------------|-------------------------|-----------------------------------------------------------------------------------|
| A.18.2.1 Independent review    | 5.35 Independent review | Mandates objectivity in evaluating security management and technical controls.   |

How to Implement ISO 27001 Annex A 5.35 (Step-by-Step)

Independent review is a documented management process, not a software feature. You must integrate it into your existing organisational tools. Use SharePoint to host your audit programme and results. This ensures that security remains connected to daily operations. Start with a clear schedule of all planned review activities.

  • Build the Audit Programme: Create a dedicated folder in SharePoint for the annual schedule.
  • Assign Tasks in Jira: Use Jira to track the progress of individual audit activities.
  • Conduct the Review: Document observations and evidence directly in a Confluence wiki page.
  • Verify Independence: Keep records of auditor assignments to prove they did not audit themselves.
  • Action the Findings: Convert all audit findings into Jira issues for tracking to completion.

ISO 27001 Annex A 5.35 Audit Evidence Checklist

Focus on manual records and internal document versions. These prove human oversight and intent within the ISMS.

  • Documented audit schedule with defined scope and frequency.
  • Audit reports stored in SharePoint with full version history.
  • Records of auditor competence and independence statements.
  • Jira logs showing the lifecycle of corrective actions.
  • Minutes from management review meetings detailing audit responses.

Relational Mapping

  • Clause 9.2: Internal audit requirements.
  • Clause 9.3: Management review obligations.
  • Annex A 5.36: Compliance with security policies.

Auditor Interview

Auditor: How do you ensure the person conducting the review is independent?

Manager: We assign staff from different departments using our Jira workflow. No person reviews their own department.

Auditor: Where do you store the outcomes of these reviews?

Manager: All reports reside in our secure SharePoint repository. We link them to our management review minutes.

Common Non-Conformities

| Non-Conformity           | Cause                                                          | Remediation                                                    |
|--------------------------|----------------------------------------------------------------|----------------------------------------------------------------|
| Lack of Independence     | Security manager auditing their own policy implementation.     | Appoint an impartial internal peer or external consultant.     |
| Automated Complacency    | Relying on platform dashboards without internal review logs.   | Document the review process within SharePoint and Jira.        |
| No Management Follow-up  | Audit findings are not reviewed by senior leadership.          | Include audit results in mandatory management review agendas.  |

Frequently Asked Questions

How does an independent review differ from an internal audit?

The goals are similar but the focus varies. Internal audits specifically check compliance against the ISO 27001 standard. Independent reviews often evaluate the overall effectiveness of the security approach. Both must be documented in your internal SharePoint systems to satisfy external auditors.

What should be included in an independent review report?

The report must include the scope and the date. It should list the objective evidence reviewed. Identify all non-conformities and opportunities for improvement. Store this in your organisational repository with clear version control to show management oversight.

Can we use an external consultant for this control?

Yes, external consultants provide high levels of independence. They are often used when internal staff lack the time or objectivity. Ensure you record their appointment and report in your business tools. This proves the review was conducted by a qualified professional.

LA CASA DE CERTIFICACIÓN