Episode 40 — A.5.35–5.36 — Independent review; Compliance with policies/rules/standards

No organization can claim true assurance simply by marking its own homework. Controls A.5.35 and A.5.36 exist to ensure that the Information Security Management System not only operates effectively but is also verified through independent, evidence-based evaluation. A.5.35 establishes the need for independent review—an impartial examination of the ISMS’s design, implementation, and performance, free from the biases of daily operations. A.5.36 complements it by ensuring that everyone inside and outside the organization adheres to the rules, policies, and standards that the ISMS depends on. Together, they build a system of accountability that prevents complacency, detects drift, and validates that what the organization claims about security and compliance actually holds true in practice. These controls turn internal confidence into external credibility.

The scope of A.5.35 focuses on ensuring that the ISMS is not simply active but effective. Periodic evaluations must be conducted by individuals or entities not directly responsible for operating the controls they assess. These reviews confirm that the ISMS continues to address current risks, meets its objectives, and adapts appropriately to new challenges. Independence ensures objectivity, providing a check against groupthink or habitual assumptions. The reviews should look beyond box-ticking to assess whether security practices are delivering measurable results and aligning with organizational priorities. The ultimate aim is continual improvement, using insights from independent reviewers to refine strategy, enhance efficiency, and elevate the maturity of the entire system.

Independence can take several forms, depending on the organization’s size and structure. External certification bodies and third-party consultants offer the most visible objectivity, especially for ISO 27001 certification or surveillance audits. Large enterprises may maintain internal audit or compliance divisions structurally separate from security operations, providing in-house independence while maintaining contextual understanding. Peer reviews across different divisions or subsidiaries within the same corporate group can also add perspective while remaining efficient. At the governance level, board committees or risk oversight panels provide strategic independence, ensuring that management’s assurances are supported by evidence, not assumption. Each approach contributes a unique perspective; the key is that reviewers have the authority, expertise, and freedom from conflict of interest to speak candidly about findings.

Independent reviews may occur on a scheduled basis or be triggered by specific conditions. Regular reviews follow the organization’s ISMS calendar, aligning with annual management reviews or certification cycles. However, extraordinary reviews are equally important. Major organizational changes—such as mergers, acquisitions, or significant scope expansions—warrant immediate reevaluation of risks and controls. Reviews should also follow major security incidents, regulatory findings, or shifts in the threat landscape. Pre-certification readiness checks offer an additional assurance layer before formal audits. These triggers ensure that independence is not a formality but a responsive mechanism that adapts to the organization’s operational reality and evolving risk context.

The focus areas of independent review extend far beyond basic compliance. Reviewers assess whether risk assessment methodologies remain relevant, whether the Statement of Applicability (SoA) accurately represents controls in place, and whether those controls still address real-world threats. They examine whether management demonstrates ongoing commitment, allocating sufficient resources and fostering a security culture across the organization. They look for gaps between written procedures and actual practice, testing how well policies translate into behavior. These reviews often reveal blind spots invisible to those immersed in day-to-day operations. The most valuable insights typically come from outside perspectives that challenge assumptions, driving systemic improvement rather than superficial correction.

Evidence and documentation serve as the backbone of A.5.35. Every review must result in a report summarizing findings, conclusions, and recommendations. Each recommendation should include a justification tied to business risk or compliance requirements, along with a suggested priority level. Management must formally acknowledge these findings, recording decisions to accept, mitigate, or reject recommendations with clear rationale. Follow-up actions must be tracked through to completion, forming a closed loop between discovery and resolution. This documentation not only supports internal accountability but also provides regulators and certification bodies with tangible proof that the organization manages security as a living, auditable process rather than a static framework.

The benefits of independence extend well beyond audit reports. External reviewers bring fresh insight, benchmarking the organization’s performance against industry peers and best practices. They identify inefficiencies, redundant efforts, or outdated assumptions that internal teams may overlook. Independent validation reassures regulators, customers, and partners that the organization’s claims of compliance and resilience are substantiated by unbiased experts. These reviews also validate investment decisions—demonstrating that funds directed toward security controls produce measurable risk reduction. The result is credibility that cannot be achieved through self-assessment alone, enhancing both transparency and stakeholder confidence.

Applying A.5.35 does present challenges. External reviews can be costly and time-consuming, especially for large, complex environments. Reviewers unfamiliar with specific business models may misinterpret context or underestimate nuance. Internal teams may resist scrutiny, fearing exposure or resource disruption. Leadership must therefore treat independent review not as a threat but as an opportunity for growth. Balancing depth with timeliness ensures that findings remain relevant and actionable rather than theoretical. Organizations that embrace review as a core management function—not merely an audit requirement—consistently achieve higher maturity and stronger security performance over time.

For more cyber-related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.

Control A.5.36 ensures that the rules, policies, and standards defined within the ISMS are not just documented—they are lived. While A.5.35 provides independent assurance that the system works as intended, A.5.36 enforces the day-to-day discipline that keeps it functioning. This control ensures that employees, contractors, and external partners consistently follow the security and compliance requirements set by the organization and by applicable laws. It moves the organization from “policy on paper” to “policy in practice,” preventing the silent drift that often occurs between what is expected and what actually happens. Compliance here is not limited to security procedures—it encompasses all internal policies, external regulations, and agreed standards that influence how people handle information. The goal is to maintain a culture of alignment where accountability is shared and traceable across every layer of the enterprise.

The scope of A.5.36 extends across the entire ecosystem of the organization. It applies to internal teams implementing security measures, suppliers delivering managed services, and end users interacting with systems under the organization’s control. Compliance must cover everything from access management and data handling to software patching, incident reporting, and privacy obligations. Adherence cannot be assumed; it must be verified through systematic checks that compare actual behavior to policy expectations. In doing so, the organization prevents compliance decay—the gradual erosion of control rigor that occurs when rules are ignored, misunderstood, or inconsistently applied. A.5.36 ensures that the principles codified in the ISMS remain visible and enforceable in daily operations.

Several mechanisms enable consistent compliance verification. Departmental self-assessments provide the first line of assurance, allowing teams to evaluate how well they are meeting specific policy and control requirements. Supervisors and governance functions conduct periodic spot checks, verifying that procedures such as access reviews, encryption usage, or change approvals are being executed properly. Technical enforcement mechanisms—such as Group Policy Objects (GPOs), Mobile Device Management (MDM) systems, and configuration baselines—translate written rules into automated enforcement. Monitoring tools and exception reports flag deviations for review, providing a balance between human oversight and system-based control. These layers combine to ensure compliance is not just measured periodically but sustained continuously.

Evidence of compliance under A.5.36 takes many forms, reflecting both human and technical proof. Training completion records confirm that employees understand relevant policies. Configuration and patch compliance reports demonstrate that systems adhere to security standards. Supplier attestations and third-party certifications provide external assurance that partners follow required controls. Records of corrective actions from non-compliance incidents show that the organization identifies issues and addresses them systematically. Each piece of evidence contributes to a narrative of accountability—demonstrating that policies are not just published but actively governing behavior. This traceability transforms compliance from abstract assurance into verifiable operational reality.

The impact of non-compliance extends far beyond individual errors or omissions. Operationally, it increases the likelihood of security incidents, as unpatched systems, weak passwords, or unauthorized access undermine the ISMS. Externally, it erodes trust with regulators and customers, who may view repeated violations as signs of systemic weakness. Culturally, it fosters complacency, encouraging employees to see policies as suggestions rather than obligations. Financially and legally, it exposes the organization to penalties, fines, and contract disputes. A.5.36 serves as a corrective measure against these risks by establishing continuous feedback loops between governance, enforcement, and awareness—ensuring that compliance lapses are detected early and resolved before they escalate.

Examples bring this control to life. An enterprise using mobile device encryption policies enforced by MDM verifies compliance automatically through scan reports. User access reviews conducted quarterly confirm that account privileges align with job roles, closing gaps in separation of duties. Supplier compliance is validated through SOC 2 reports or equivalent attestations, showing that contractual obligations are fulfilled. Regulatory frameworks—like PCI DSS in payment environments or HIPAA in healthcare—are supported by audit deliverables proving that security and privacy requirements are met. Each example illustrates compliance as an active, measurable practice—not a static checkbox, but a living expression of operational discipline.
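As an added example, not taken from the episode, the Python below sketches the kind of systematic check A.5.36 calls for: an access review that compares each account's entitlements with a role baseline (including a separation-of-duties check) and an MDM-style disk-encryption check, both producing exception records for tracked follow-up. The role names, entitlements, accounts and device records are constructed for illustration.

```python
"""Added example (not from the episode): an A.5.36 compliance check comparing observed
state with policy expectations. Roles, accounts and devices are constructed."""
from dataclasses import dataclass

# Policy expectations (constructed): entitlements each role may hold, and pairs
# that must never coexist on one account (separation of duties).
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp_invoice_entry"},
    "finance_manager": {"erp_payment_approval", "erp_reports"},
    "helpdesk": {"ad_password_reset"},
}
SOD_CONFLICTS = [("erp_invoice_entry", "erp_payment_approval")]

# Observed state (constructed), as an IAM export and an MDM scan would report it.
ACCOUNTS = [
    {"user": "alice", "role": "accounts_payable", "entitlements": {"erp_invoice_entry"}},
    {"user": "bob", "role": "accounts_payable", "entitlements": {"erp_invoice_entry", "erp_payment_approval"}},
    {"user": "carol", "role": "helpdesk", "entitlements": {"ad_password_reset", "erp_reports"}},
]
DEVICES = [
    {"device": "LT-001", "owner": "alice", "disk_encrypted": True},
    {"device": "LT-002", "owner": "bob", "disk_encrypted": False},
]

@dataclass
class Finding:
    """One exception record: what was checked, on whom, and why it deviates from policy."""
    check: str
    subject: str
    detail: str
    status: str = "open"  # tracked through to closure (closed-loop follow-up)

def review_access(accounts):
    """Access review: flag entitlements outside the role baseline and SoD conflicts."""
    findings = []
    for acct in accounts:
        allowed = ROLE_ENTITLEMENTS.get(acct["role"], set())
        for extra in sorted(acct["entitlements"] - allowed):
            findings.append(Finding("access_review", acct["user"], f"{extra} not permitted for role {acct['role']}"))
        for a, b in SOD_CONFLICTS:
            if {a, b} <= acct["entitlements"]:
                findings.append(Finding("access_review", acct["user"], f"separation-of-duties conflict: {a} with {b}"))
    return findings

def review_devices(devices):
    """Device check: every managed device must report full-disk encryption enabled."""
    return [Finding("mdm_encryption", d["device"], "disk encryption not enabled") for d in devices if not d["disk_encrypted"]]

def exception_report(accounts, devices):
    """Combine the checks into the exception report a governance function reviews and tracks."""
    findings = review_access(accounts) + review_devices(devices)
    return {"items_checked": len(accounts) + len(devices), "exceptions": len(findings), "findings": findings}
```

Each finding carries an open status so that it can be recorded, assigned and closed, matching the documented follow-up trail the episode describes for A.5.35 findings.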

Maintaining compliance over time requires vigilance and adaptability. Standards and policies must evolve as new threats, technologies, and regulations emerge. Regular refresh cycles ensure that documents remain current and reflect real-world conditions. Communication plays a crucial role: policy updates should be explained, not just announced, so that employees understand the rationale behind changes. Continuous monitoring systems must evolve alongside risk, integrating machine learning and analytics to detect anomalies and flag emerging compliance gaps. Lessons from incidents and audits should feed back into policy revisions, reinforcing the ISO principle of continual improvement. Through this dynamic cycle, compliance becomes an evolving strength rather than a static obligation.

Controls A.5.35 and A.5.36 operate in tandem, creating a holistic assurance model. Independent reviews validate whether compliance mechanisms are effective, while compliance monitoring provides input data that reviewers evaluate. Together, they prevent blind spots and false assurance—the tendency to believe a system is sound because it appears orderly. Independent insight confirms the robustness of compliance, while consistent adherence ensures that policies hold up under real-world pressure. When combined, they elevate the ISMS from procedural compliance to strategic assurance, demonstrating to stakeholders that governance, ethics, and operational performance are aligned.

A.5.35 and A.5.36 thus represent the closing loop of accountability: one validates the system, the other enforces its standards. A.5.35 delivers impartial insight into ISMS effectiveness, and A.5.36 ensures rules are followed consistently by every participant. Their combined application fosters credibility, transparency, and lasting trust—within the organization, with partners, and across regulatory ecosystems. They form the bridge between governance and execution, preparing the ISMS for its next stage: the documentation and procedural discipline embedded in A.5.37 and beyond, where structured process control turns assurance into sustained organizational excellence.
