ISO 27001:2022 Annex A Control 5.35

Explaining Annex A Control 5.35: Independent Review of Information Security

ISO 27001 Control 5.35, "Independent Review of Information Security," mandates that organizations conduct regular, independent evaluations of their information security management systems (ISMS) to ensure their ongoing suitability, adequacy, and effectiveness. These reviews should occur at planned intervals or when significant changes take place, encompassing assessments of policies, procedures, and controls related to information security.

Objective of ISO 27001 Control 5.35

The primary objective of Control 5.35 is to establish a structured and unbiased mechanism for evaluating how well your organization’s information security controls function. These independent reviews help:

  • Ensure compliance with legal, regulatory, and contractual requirements related to information security.
  • Identify weaknesses, inefficiencies, or gaps in existing security controls that could lead to data breaches or compliance failures.
  • Provide recommendations for continuous improvement of the ISMS based on emerging risks, security incidents, and evolving business processes.
  • Offer an impartial assessment of whether documented security policies, procedures, and guidelines are being followed in practice.
  • Evaluate the effectiveness of incident response and risk management processes to ensure the organization is resilient against cyber threats.

Purpose of ISO 27001 Control 5.35

The purpose of an independent review of information security is to provide an objective assessment of how well your security measures protect your organization’s data, systems, and processes. Specifically, it aims to:

  • Verify Suitability – Confirm that the security framework aligns with your organization’s business objectives and operational needs.
  • Assess Adequacy – Determine if the implemented security controls adequately address identified risks.
  • Evaluate Effectiveness – Check whether security measures function as intended and adapt to emerging threats.
  • Enhance Continuous Improvement – Identify opportunities to strengthen security processes, policies, and technical controls.
  • Strengthen Governance and Compliance – Ensure that information security practices align with industry standards and regulatory frameworks.

Scope of the Independent Review

An independent review should be comprehensive and cover all critical elements of your organization’s ISMS. The review scope typically includes:

1. People

  • Assessment of roles and responsibilities related to information security.
  • Evaluation of employee security awareness training and its effectiveness.
  • Review of access controls and user privileges, ensuring that employees have the appropriate permissions.

2. Processes

  • Examination of information security policies, procedures, and governance frameworks to ensure they are up to date.
  • Analysis of incident response processes, including reporting and remediation procedures.
  • Review of change management procedures to assess how security risks are addressed during system updates or modifications.

3. Technologies

  • Validation of technical controls such as firewalls, encryption, intrusion detection systems, and endpoint security.
  • Assessment of data protection mechanisms, including backup procedures and disaster recovery plans.
  • Evaluation of cloud security measures if the organization relies on third-party cloud services.

Frequency and Triggers for Independent Reviews

While independent reviews should be scheduled at regular intervals, they must also be conducted when significant changes occur. Situations that may trigger an independent review include:

  • Regulatory changes – When new laws or compliance requirements affect information security practices.
  • Security incidents – After a major breach, cyberattack, or data loss event.
  • Business changes – When your organization launches a new business unit, product, or service that affects security risks.
  • Infrastructure updates – When your organization introduces new IT systems, adopts cloud-based services, or significantly modifies existing infrastructure.
  • Major policy updates – When significant revisions are made to security policies, procedures, or governance models.

Conducting the Independent Review

Step 1: Planning and Preparation

  • Define scope, objectives, and review criteria based on ISO 27001 requirements.
  • Identify independent reviewers (internal audit team, third-party consultants, or external auditors).
  • Develop an audit plan, including timelines, resources, and responsibilities.

Step 2: Information Gathering

  • Conduct interviews with key personnel responsible for security governance.
  • Review security policies, procedures, risk assessments, and compliance reports.
  • Examine logs, reports, and documentation related to security incidents and responses.

Step 3: Security Assessment

  • Evaluate whether security policies are being implemented consistently across departments.
  • Perform gap analysis to identify missing controls or ineffective security measures.
  • Assess incident response capabilities to determine how well the organization handles security breaches.

Step 4: Reporting and Recommendations

  • Summarize findings in a structured report, highlighting areas of concern and non-compliance.
  • Provide recommendations for improvement based on best practices and ISO 27001 standards.
  • Share results with senior management and security teams for review and action planning.

Step 5: Implementation and Follow-Up

  • Assign corrective actions and track progress in resolving identified security gaps.
  • Schedule a follow-up review to ensure that corrective actions are effective.
  • Integrate findings into future risk management and security planning processes.

Planning and Initiating Reviews

1. Establishing Review Schedules

Consistency is key to maintaining a resilient information security framework. Regularly scheduled reviews ensure your defenses remain relevant and effective over time. But how often should these reviews take place?

Frequency Considerations
  • Annual Reviews: A common baseline for most organizations, providing a holistic overview of your security posture.
  • Quarterly or Biannual Reviews: For high-risk environments or organizations undergoing rapid change, more frequent reviews might be necessary.

Aligning with Other Activities
Schedule reviews to complement other audits, such as internal audits or certification assessments, to maximize efficiency.
Consider aligning them with fiscal years, major project deadlines, or regulatory reporting periods.

Document the Schedule
Create a formal review plan that includes dates, responsible parties, and the scope for each review. This ensures accountability and reduces the likelihood of overlooked assessments.

2. Identifying Triggers for Additional Reviews

While regular reviews are essential, sometimes the unexpected demands immediate action. Situational reviews provide the flexibility to respond to changes or events that could impact your security framework.

  • Changes in Laws and Regulations
    • Regulatory updates, such as new data privacy laws or cybersecurity requirements, often necessitate a review.
    • Example: The introduction of GDPR prompted many organizations to reassess their information security policies.
  • Occurrence of Significant Security Incidents
    • A major breach, phishing attack, or ransomware incident is a wake-up call for an immediate review.
    • Focus: Investigate what went wrong, assess current controls, and implement corrective actions to prevent recurrence.
  • Introduction of New Business Ventures or Services
    • Expanding into new markets, launching a product, or adopting cloud-based services introduces fresh risks.
    • Example: Moving sensitive operations to a cloud platform might require a review of access controls and encryption policies.
  • Major Modifications to Existing Information Security Controls
    • Upgrades or changes to technology, processes, or team structures can create vulnerabilities if not properly managed.
    • Example: Replacing an outdated firewall or implementing a new identity management system should trigger a targeted review.

3. Steps to Initiate a Review

Define Objectives and Scope
Start by revisiting the goals: suitability, adequacy, and effectiveness. Clearly outline what the review will assess.

Select Competent Reviewers
Whether internal (e.g., an audit team) or external (e.g., third-party consultants), ensure reviewers have the expertise and independence required for unbiased evaluations.

Communicate the Plan
Notify stakeholders about the review’s purpose, scope, and timeline. Transparent communication reduces resistance and fosters collaboration.

Gather Preliminary Data
Collect relevant documents, logs, and previous review reports to give reviewers a head start.

4. Planning in Action: A Case Study

Imagine your organization just launched a new service that collects sensitive customer data. A situational review triggered by this launch might focus on:

  • Evaluating the data handling process for compliance with privacy laws.
  • Assessing encryption methods used to protect sensitive information.
  • Ensuring employees involved in the service have received appropriate training.

Selection of Reviewers

The credibility and effectiveness of an independent review hinge on the individuals conducting it. Selecting the right reviewers ensures an unbiased, thorough, and actionable assessment.

1. Criteria for Independence

Independence is non-negotiable when it comes to an effective review. Reviewers must approach the assessment without bias or conflicts of interest to provide an honest evaluation.

No Vested Interest
Reviewers should not be involved in the day-to-day operations of the area under review.
Example: A department manager reviewing another department’s processes ensures impartiality.

Neutral Reporting Line
Reviewers should not report directly to the team or individuals being assessed. This avoids any undue influence on their findings.

External vs. Internal Reviewers
While internal teams can bring valuable insights, external reviewers often provide a fresh perspective and are free from internal politics.

Tip: If using internal resources, ensure they are rotated regularly to maintain independence over time.

2. Required Competencies

An independent review is only as good as the expertise behind it. Reviewers need a combination of technical knowledge, analytical skills, and familiarity with ISO 27001.

Technical Knowledge
Proficiency in information security principles, technologies, and threat landscapes.
Example: Understanding encryption protocols, intrusion detection systems, and risk management frameworks.

Familiarity with ISO 27001
Reviewers must have a solid understanding of ISO 27001 requirements and how they apply to your organization.

Analytical Skills
Ability to assess complex systems, identify weaknesses, and propose practical improvements.

Communication Skills
Reviewers should be able to clearly document their findings and present them to stakeholders in an understandable and actionable format.

3. Potential Reviewers

Now that you know what to look for, where do you find these qualified and independent individuals? Here are three reliable options:

Internal Audit Teams
Pros: Familiar with the organization’s operations and culture. Cost-effective option for routine reviews.
Cons: May lack independence if they work closely with the assessed areas.

Independent Departmental Managers
Pros: Offer an internal perspective while maintaining some independence.
Cons: Their focus may be narrower compared to dedicated audit professionals.

External Organizations Specializing in Information Security Reviews
Pros: Provide deep expertise, an outsider’s perspective, and the highest level of independence.
Cons: Can be expensive, especially for smaller organizations.

When to Choose External Reviewers
  • For initial reviews when establishing an ISMS.
  • For high-stakes situations, such as preparing for certification audits.
  • When internal resources lack the required expertise.

Conducting the Review

1. Methodologies

The success of a review lies in its approach. Different methodologies can be applied based on the scope, objectives, and specific risks being evaluated. Here are three techniques to guide your process:

Interviews
Purpose: To gather qualitative insights from key stakeholders, such as IT staff, management, and end-users.
What to Ask:
  • Are current policies and procedures understood and followed?
  • Have there been any recent challenges or incidents that exposed vulnerabilities?
Tip: Prepare a structured questionnaire, but leave room for open-ended discussions to uncover issues that might not be on your radar.

Document Analysis
Purpose: To review the documentation supporting your information security management system (ISMS).
What to Analyze:
  • Information security policies, procedures, and training records.
  • Incident reports and risk assessments.
  • Audit logs and compliance reports.

System Testing
Purpose: To evaluate the technical controls protecting your organization’s assets.
What to Test:
  • Vulnerability scans and penetration tests.
  • Configuration settings for firewalls, IDS/IPS, and endpoint protection.
  • Access control mechanisms and user privilege levels.
Tip: Combine manual testing with automated tools for maximum coverage.

2. Assessment Areas

An independent review is about understanding how well your ISMS is functioning and identifying opportunities for growth. Focus on these key areas:

Compliance with Information Security Policies
Objective: Ensure that organizational policies are being followed consistently.
How to Assess:
  • Compare operational practices with documented policies.
  • Identify deviations and understand their root causes.
Example: If employees bypass multi-factor authentication, is it due to lack of training or technical difficulties?

Effectiveness of Implemented Controls
Objective: Verify that controls are mitigating risks as intended.
How to Assess:
  • Review incident reports to evaluate how controls performed during past events.
  • Simulate potential attack scenarios to test control effectiveness.
Example: Test whether a recently deployed firewall correctly blocks unauthorized access attempts.

Opportunities for Improvement
Objective: Identify gaps and propose enhancements to strengthen your ISMS.
How to Assess:
  • Look for recurring issues in incident records.
  • Evaluate whether existing controls are scalable and adaptable to future needs.
Example: If phishing emails remain a consistent threat, consider additional user training or advanced email filtering tools.

3. Practical Tips for Conducting the Review

Maintain Transparency
Communicate the review process clearly to all stakeholders. This reduces resistance and fosters collaboration.

Stay Objective
Avoid jumping to conclusions. Let the data and findings guide your assessment.

Document Everything
Keep detailed records of your observations, evidence, and analysis. This not only supports your conclusions but also provides a valuable resource for future reviews.

Prioritize Issues
Not all findings are created equal. Focus on addressing critical vulnerabilities first, then work on secondary improvements.

4. The Review in Action

Imagine your organization recently implemented a new access control policy. During the review:

  • Interviews: IT staff reveal that the policy’s enforcement mechanism sometimes locks out legitimate users.
  • Document Analysis: Logs show that privileged access approvals are delayed, impacting productivity.
  • System Testing: Testing reveals a misconfigured setting in the access control software.

The result? Actionable insights to fine-tune the policy, update configurations, and retrain staff.

Reporting Findings

The culmination of an independent review lies in its findings. These findings should capture what’s working and what isn’t and also provide actionable recommendations to guide improvement. Reporting is the bridge between insights and action.

1. Documentation: Recording Observations, Conclusions, and Recommendations

Clear and comprehensive documentation is the foundation of a successful review report.

What to Document
  • Observations: Key issues, discrepancies, and areas of non-compliance identified during the review.
  • Conclusions: Summarize whether the reviewed processes, controls, and systems meet their objectives (suitability, adequacy, and effectiveness).
  • Recommendations: Actionable steps to address gaps, mitigate risks, and optimize controls.

Structuring the Report
  • Executive Summary: A high-level overview of the review’s purpose, scope, and key findings.
  • Detailed Findings: Organized by category (e.g., people, processes, technologies).
  • Action Plan: Prioritized list of recommendations with timelines and responsible parties.

2. Communication: Presenting Findings

The best report is one that inspires action. To achieve this, findings must be communicated effectively to the right audience.

Customize Your Presentation
  • Initiating Management: Focus on detailed operational insights relevant to their department or team.
  • Top Management: Provide a high-level summary emphasizing strategic implications and compliance.

Use Visuals
Include charts, graphs, and heatmaps to make complex data more digestible.
Example: A bar graph showing the frequency of incidents related to specific controls can highlight areas needing immediate attention.

Host Review Meetings
Schedule a formal meeting to discuss the findings. Encourage feedback and address concerns to ensure alignment on the next steps.

Tip: Frame recommendations as opportunities for improvement rather than criticisms. This creates a collaborative mindset.

3. Record Maintenance: Storing and Accessing Reports

Review reports are not just historical records; they are valuable tools for future assessments and audits. Proper record maintenance ensures they remain useful.

Storage Best Practices
Use a secure digital repository for storing reports. Ensure access is limited to authorized personnel.
Maintain backups to prevent data loss.

Retention Period
Retain reports for at least the duration of your ISO 27001 certification cycle (typically three years). Longer retention may be necessary for regulatory or contractual reasons.

Accessibility
Ensure reports are easy to retrieve for follow-up reviews, audits, or external inspections.

Tip: Keep a log of all reviews conducted, including their scope and results, to identify trends over time.

4. The Impact of Effective Reporting

Let’s say your review identified gaps in employee adherence to the company’s data classification policy. A well-documented report might include:

  • Observation: Employees aren’t consistently labeling emails with the correct data classification.
  • Conclusion: Training gaps and a lack of automated labeling tools are causing the issue.
  • Recommendation: Implement additional training and deploy an email plugin to enforce labeling automatically.

When presented to top management with visuals showing the frequency of misclassified emails, the recommendation gains urgency and is likely to be approved for immediate action.

Addressing Identified Issues

A thorough independent review is only valuable if the findings lead to meaningful action. Addressing identified issues is the phase where insights transform into improvements. This involves initiating corrective actions and ensuring their implementation is effective through continuous monitoring and follow-up.

1. Initiating Corrective Actions

Corrective actions are the immediate steps taken to address gaps, vulnerabilities, or inadequacies highlighted in the review. Without these, the review’s efforts lose their impact.

Prioritizing Issues
Use a risk-based approach to rank findings. Focus on high-risk vulnerabilities and areas with significant business impact first.
Example: A misconfigured firewall rule that allows unauthorized access would demand urgent attention, while outdated training materials might be a lower priority.

Developing an Action Plan
  • Define Actions: Clearly outline what needs to be fixed and how.
  • Assign Responsibilities: Allocate tasks to specific individuals or teams, ensuring accountability.
  • Set Deadlines: Include realistic timelines for completion to maintain momentum.

Engaging Stakeholders
Communicate the plan to all involved parties, from IT staff implementing technical fixes to management overseeing strategic changes.
Example: If new training programs are required, HR and security teams must collaborate to design and deploy them effectively.

Resource Allocation
Ensure that adequate resources—both human and technological—are available to execute the corrective actions.

2. Monitoring and Follow-Up

The work doesn’t end once corrective actions are initiated. Ongoing monitoring and follow-up are needed to ensure these measures are both implemented and effective.

Tracking Progress
Use project management tools or spreadsheets to track each corrective action, noting its status (e.g., pending, in progress, completed).
Include milestones to measure incremental progress, especially for complex issues.

Verification
Conduct tests or reviews to confirm that actions have resolved the identified issues.
Example: If the review found weaknesses in access control, verify that new access rules are functioning as intended and no unauthorized access occurs.

Measuring Effectiveness
Evaluate whether the corrective measures have reduced risks to an acceptable level.
Example: After deploying advanced phishing filters, track phishing incidents to see if they decrease.

Continuous Feedback Loop
Incorporate lessons learned from the corrective actions into future reviews and updates to policies, processes, and technologies.
Example: A discovered training gap could lead to a new annual refresher course on key security practices.

Reporting Progress to Management
Provide regular updates on the status of corrective actions to the management team. Use clear metrics to demonstrate progress and effectiveness.

3. Practical Example: Addressing a Major Finding

Finding: The review identified outdated antivirus software across multiple endpoints, leaving the network vulnerable to malware.

Corrective Action Plan:
  • Update all endpoints with the latest antivirus software version.
  • Train employees on recognizing malware warning signs.
  • Implement automated updates to ensure antivirus software stays current.

Monitoring:
  • IT tracks software updates, ensuring all systems are compliant within two weeks.
  • Follow-up testing confirms that the antivirus is functioning properly and logging threats accurately.

Outcome: The organization reduces its malware risk and gains better visibility into endpoint protection.

Relevant Controls & Standards Related to 5.35

Control 5.35 is closely related to other ISO 27001 controls that ensure continuous evaluation and improvement of information security:

  • Control 5.1 – Policies for Information Security: Ensures that security policies are well-defined and enforced.
  • Control 5.36 – Compliance with Policies, Rules, and Standards: Assesses adherence to security policies and industry regulations.
  • Control 5.37 – Documented Operating Procedures: Ensures that security practices are consistently documented and followed.
  • ISO/IEC 27007 – Guidance on Managing Information Security Audits.
  • ISO/IEC TS 27008 – Security Techniques: Guidelines for Auditors on Information Security Controls.

Templates to Assist with Control 5.35

To facilitate independent reviews, your organization can utilize structured templates such as:

  • Internal Audit Template – A comprehensive checklist for evaluating ISMS effectiveness.
  • Internal Audit Plan Template – A structured plan for scheduling and conducting independent reviews.
  • Corrective Action Plan Template – A standardized format for tracking and implementing corrective actions.
  • ISO 27001 Gap Analysis Template – A structured format for assessing gaps in your ISMS.