ISO 27001:2022 Annex A Control 5.36

Explaining Annex A Control 5.36: Compliance with policies, rules and standards for information security

ISO 27001 Control 5.36 "Compliance with policies, rules and standards for information security" requires that organizations regularly review compliance with their information security policy, topic-specific policies, rules, and standards. The control exists to confirm that the security rules the organization has written down are actually being applied in practice and remain effective in protecting information assets, rather than existing only on paper.

Control attributes for ISO 27001 Annex A Control 5.36: control type, information security properties, cybersecurity concepts, operational capabilities, security domains.

Objective of ISO 27001 Control 5.36

The primary objective of Control 5.36 is to ensure that security policies, rules, and standards are enforced and followed throughout the organization. Regular compliance reviews help organizations:

  • Detect deviations or non-compliance with security policies and standards.
  • Identify gaps in security implementation and governance.
  • Enforce corrective actions to mitigate risks and maintain policy adherence.
  • Ensure continuous improvement in security practices by monitoring and refining policies.
  • Reduce the risk of security incidents caused by policy failures.

Purpose of ISO 27001 Control 5.36

The purpose of Control 5.36 is to ensure that information security is implemented and operated in accordance with the organization's information security policy, topic-specific policies, rules, and standards. By regularly reviewing compliance with these documents, organizations can:

  • Maintain policy effectiveness: Ensure security policies remain relevant and aligned with emerging threats.
  • Enforce accountability: Establish clear ownership for compliance, ensuring managers and security teams take necessary actions.
  • Prevent security breaches: Identify weaknesses before they lead to security incidents.
  • Meet legal and regulatory requirements: Ensure compliance with industry regulations and contractual obligations.
  • Improve risk management: Enhance security resilience by addressing compliance gaps.

Implementation Guidance for Control 5.36

To effectively implement Control 5.36, organizations should follow a structured methodology that includes clear procedures, designated responsibilities, and robust monitoring mechanisms.

1. Establish Compliance Review Procedures

  • Define the scope, frequency, and criteria for compliance reviews.
  • Develop structured review processes to assess security policy adherence.
  • Where possible, use automated compliance measurement and reporting (for example, configuration checks against an approved hardening baseline) rather than relying solely on manual evidence gathering.
  • Ensure that compliance reviews cover all departments, business units, and third-party interactions.

2. Assign Responsibilities for Compliance Reviews

  • Designate managers, service owners, and information security officers to oversee compliance in their respective areas.
  • Assign a compliance officer or internal auditor to coordinate compliance assessments.
  • Ensure that responsibilities for compliance reporting and corrective actions are well-defined.

3. Conduct Regular Compliance Reviews

  • Perform scheduled audits to assess adherence to security policies and standards.
  • Use security dashboards and reporting tools to monitor compliance levels.
  • Maintain comprehensive records of compliance findings, issues, and actions taken.

4. Identify and Address Non-Compliance Issues

If deviations from security policies are detected, take the following steps:

  • Root Cause Analysis: Identify the underlying causes of non-compliance.
  • Corrective Action Plan: Define actions to restore compliance, including technical or procedural changes.
  • Implementation of Fixes: Apply necessary security changes, whether through policy updates, system configurations, or employee training.
  • Effectiveness Review: Assess whether the corrective actions successfully resolved the issue and identify any remaining gaps.

Corrective actions should be tracked to completion, with follow-up reviews to confirm that they were effective and that the non-compliance has not recurred.

5. Maintain Compliance Records and Documentation

  • Document compliance review results, including findings, corrective actions, and improvements.
  • Store compliance records securely to ensure auditability and regulatory adherence.
  • Use standardized templates to ensure consistency in compliance reporting.

6. Report Compliance Findings to Stakeholders

  • Present compliance review results to management, auditors, and relevant teams.
  • Ensure that compliance gaps and corrective actions are clearly communicated.
  • Provide periodic compliance reports to senior leadership for strategic security planning.

7. Monitor and Improve Compliance Continuously

  • Conduct periodic risk assessments to identify new compliance challenges.
  • Update security policies and procedures in response to evolving threats.
  • Ensure employees receive regular security awareness training to reinforce compliance.

Challenges in Implementing Control 5.36

While implementing compliance reviews, organizations may encounter the following challenges:

1. Lack of Defined Compliance Metrics

Organizations may struggle to establish clear compliance benchmarks. Defining measurable key performance indicators (KPIs), such as the percentage of in-scope systems conforming to a hardening standard or the number of non-conformities open past their due date, makes compliance levels measurable and comparable over time.

2. Resistance to Policy Enforcement

Employees and departments may resist compliance measures due to lack of awareness or perceived inconvenience. Ensuring security policies are practical and well-communicated can help improve adherence.

3. Manual Compliance Tracking

Organizations relying on manual compliance tracking may face inefficiencies. Implementing compliance automation tools enhances accuracy and scalability.

4. Insufficient Documentation

Failure to document compliance reviews properly can create gaps in auditability. Maintaining detailed compliance records ensures transparency and accountability.

Benefits of Regular Compliance Reviews

Implementing structured compliance reviews provides multiple advantages:

  • Risk Reduction: Identifies control gaps before they are exploited, reducing the likelihood of security incidents.
  • Operational Efficiency: Ensures security processes are optimized for efficiency and effectiveness.
  • Regulatory Compliance: Helps meet legal, regulatory, and contractual obligations.
  • Continuous Improvement: Enhances security posture through iterative policy updates.

Related Controls and Their Relevance

Several ISO 27001 controls complement Control 5.36, helping organizations enforce security policy compliance effectively:

  • Control 5.35 Independent Review of Information Security: Ensures that security practices undergo independent evaluations for unbiased compliance validation.
  • Control 8.15 Logging: Enables monitoring of system activities to support compliance assessments.
  • Control 8.16 Monitoring Activities: Helps detect deviations from security policies through real-time security monitoring.
  • Control 8.17 Clock Synchronization: Ensures consistent timestamping of security logs for accurate compliance analysis.

Supporting Templates for Compliance with Control 5.36

Organizations can streamline compliance reviews by utilizing structured templates. Available templates on our website that support compliance management include:

  • Information Security Policy Template: A structured document that defines the policy statements against which adherence is assessed.
  • Corrective Action Plan Template: Helps document and track remediation actions for non-compliance issues.
  • Internal Audit Checklist: A comprehensive checklist to ensure all compliance aspects are assessed systematically.
  • Incident Response Plan Template: Ensures security incidents are handled in compliance with policies.