ISO 27001 Annex A 5.36 requires you to regularly review whether your organisation is actually complying with the information security policy, the topic-specific policies, and the rules and standards it has set for itself. It is not enough to publish them: you must check, on a schedule, that they are being followed and that they still fit how the organisation operates.
What is ISO 27001 Annex A 5.36?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Compliance With Policies, Rules And Standards For Information Security”.
What is the ISO 27001 Annex A 5.36 control objective?
The formal definition and control objective in the standard is: “Compliance with the organisation’s information security policy, topic-specific policies, rules and standards should be regularly reviewed.”
What is the purpose of ISO 27001 Annex A 5.36?
The purpose of ISO 27001 Annex A 5.36 is to ensure that information security is implemented and operated in line with the policies, rules and standards the organisation has set, and that those measures remain suitable, adequate and effective over time.
Is ISO 27001 Annex A 5.36 Mandatory?
ISO 27001 Annex A control 5.36 (Compliance With Policies, Rules And Standards For Information Security in the 2022 standard) is not automatically mandatory in the way the clauses in the main body of the standard (clauses 4 through 10) are.
The mandatory part of the standard requires you to consider ISO 27001 Annex A 5.36 and every other Annex A control when selecting controls, and to record in your Statement of Applicability whether each is included. You may exclude a control if it is not applicable to your organisation’s specific risks and context, but you must justify the exclusion there. In practice, an organisation that has policies but never checks compliance with them will struggle to justify excluding 5.36.
Key Parts of the Control
To implement this control, you need a defined, repeatable way of checking compliance and acting on what you find. The main steps are:
Establish Your Review System
Define clear rules and procedures for conducting compliance reviews: what is reviewed, who reviews it, how evidence is gathered, and how findings are recorded. The requirements for internal audits in clause 9.2 of the ISO 27001 standard are a good model, and a guide on how to conduct an internal audit will walk you through the same steps.
Schedule Your Reviews
Schedule your reviews so they happen regularly rather than only when a problem surfaces. The control does not prescribe a frequency, but a common approach is to review every policy, rule and standard at least once a year, with higher-risk areas or recently changed controls checked more often. The schedule can combine reviews done by people inside your organisation with independent reviews done by people outside it.
Correct Any Issues
Where a review finds that policies, rules or standards are not being followed, treat this as an opportunity for continual improvement. Following your continual improvement policy and process, this is the point at which you identify anything that needs changing or strengthening.
Clause 10.1 of the ISO 27001 standard sets out the requirements for continual improvement.
If the review shows that something is not working as planned, you need to correct it. Record the finding in your nonconformity and corrective action log and, if the review has uncovered a new risk, in your risk register. Then handle it through your corrective action process: correct the immediate problem, determine its root cause, check whether similar nonconformities exist elsewhere, and verify that the action taken was effective.
Clause 10.2 of the ISO 27001 standard sets out the requirements for nonconformity and corrective action.
Store Reports and Records
Keep the reports and records from each review. They are the documented evidence that the reviews actually took place, and an auditor will expect to see what was reviewed, when, by whom, what was found, and what corrective action followed.