ISO 27001 Annex A 5.36 Compliance With Policies, Rules And Standards For Information Security

What is ISO 27001 Annex 5.36 Compliance With Policies, Rules And Standards For Information Security?

What is Annex A 5.36 in ISO 27001?

ISO 27001 Annex A 5.36 requires a documented process to verify adherence to security policies and legal rules. It integrates directly into business-as-usual tools such as SharePoint. The control ensures that the internal management system itself monitors compliance. Rather than relying on external black-box software, it relies on manual records kept in the organisation's own document repositories.

Auditor’s Eye: The Shortcut Trap

Reliance on automated SaaS platforms leads to surface-level compliance. These systems offer green ticks that lack human context. Auditors prefer seeing evidence within native systems like Jira or SharePoint. We look for management ownership of security risks. External dashboards often decouple security from your actual daily operations. This creates a risk during the certification audit. Internal document history proves genuine intent better than any software dashboard.

2013 Control Reference | 2022 Control Reference        | Requirement Summary
-----------------------|-------------------------------|-------------------------------------------------------------------------------------
A.18.2.2 & A.18.2.3    | 5.36 Compliance with policies | Consolidates technical and procedural review requirements into one management process.

How to Implement Annex A 5.36 (Step-by-Step)

Implementation requires embedding compliance checks into existing business workflows. You must use SharePoint and Jira to track adherence. This ensures security is a cultural habit rather than a software installation. Start by defining the review intervals in your management system.

  • Establish the Register: Document all policies and standards in a SharePoint list.
  • Assign Owners: Use Jira to task specific managers with periodic compliance verification.
  • Review Procedures: Verify that technical configurations match the documented wiki standards.
  • Log Non-Conformities: Record any policy breaches as formal issues in Jira.
  • Management Review: Present compliance results during quarterly security steering meetings.

Annex A 5.36 Audit Evidence Checklist

Auditors focus on manual records and internal document versions. These prove human oversight and intent. Use these items to prepare for your audit.

  • A current compliance register hosted in SharePoint or a central wiki.
  • Jira workflow history showing active monitoring of policy adherence.
  • Signed meeting minutes discussing compliance status and remediation plans.
  • Internal audit reports covering technical and administrative controls.
  • Evidence of staff training on specific security rules and standards.

Relational Mapping

  • Clause 9.1: Monitoring, measurement, analysis, and evaluation.
  • Clause 9.2: Internal audit requirements.
  • Annex A 5.35: Independent review of information security.

Auditor Interview

Question: How do you ensure your technical teams follow security rules?

Answer: We use Jira tickets to track regular technical reviews. We compare system logs against our wiki standards.

Question: Where is the record of these checks?

Answer: All evidence is attached to the relevant Jira ticket. It is also stored in our secure SharePoint archive.

Common Non-Conformities

Failure Mode           | Auditor Observation                                                          | Remediation
-----------------------|------------------------------------------------------------------------------|-------------------------------------------------------
Automated Complacency  | Management relies on a SaaS dashboard tick. No internal procedural evidence exists. | Move check logs into internal document repositories.
Lack of Oversight      | Policy breaches occur without being logged as non-conformities.              | Integrate breach reporting into your Jira service desk.
Outdated Register      | The register does not reflect recent legal or policy changes.                | Set quarterly review tasks for the compliance register.

Frequently Asked Questions

What is the difference between A 5.35 and A 5.36?

Bottom Line Up Front: 5.35 focuses on independent, objective reviews. 5.36 focuses on day-to-day management monitoring of policy adherence. Both require documented evidence within your internal management tools. Use SharePoint to store these distinct records for audit purposes.

How often should we review policy compliance?

Bottom Line Up Front: Frequency depends on the risk level of the policy. Critical security rules require monthly or quarterly checks. General administrative policies may be reviewed annually. Document your chosen frequency in your SharePoint compliance register.

Can we use an external auditor for 5.36?

Bottom Line Up Front: Yes, but the process must be managed internally. The organisation remains responsible for maintaining the records. Ensure all external reports are uploaded to your internal document repository. This proves ownership to the certification body.

LA CASA DE CERTIFICACIÓN