ISO 27001:2022 Annex A Control 5.35: Independent Review of Information Security

Control 5.35 highlights the importance of conducting reviews to ensure that information security remains robust across an organisation. According to control 5.35, organisations should carry out independent reviews at planned intervals, as well as whenever major operational changes occur.

This not only helps ensure that information security management policies remain intact, but is also important for making sure that all adequate requirements are met, that objectives remain relevant, and that policies are functioning as designed.

The importance of information security management

Information security, or IS, is key to any organisation’s data management, helping to avoid potentially severe financial, reputational, and legal consequences. Effective information security management ensures that data is kept safe and secure, preventing potential issues.

As such, there is no room for complacency. Regular independent reviews must be conducted to assess the various management systems in place to keep IS at the necessary level. This is what control 5.35 encourages and supports.

Understanding control 5.35

Control 5.35 emphasises the importance of carrying out separate reviews for various information security practices, with reviews focusing on identifying areas for improvement across the organisation’s IS policy, policies tailored to specific topics, and associated controls.

Reviews should be conducted by someone outside of the organisation with no stake in its success, such as an independent departmental manager or a third-party organisation.

Whoever carries out the review should also possess the necessary skills to make a valid judgement, and share their findings with the required staff. Review findings should be logged, retained, and reported meticulously, and reviewers should outline whether IS practices fall in line with the organisation’s IS policy objectives.

Further guidance on independent reviews can be found in ISO/IEC 27007 and ISO/IEC TS 27008.

When should reviews be carried out?

While reviews should be carried out periodically, there are also instances where an ad-hoc review might be required. These include:

• When laws, guidelines or regulations impacting an organisation’s IS operations are amended in any way.

• When significant IS events like data loss or intrusion occur.

• When major transformations are made to the existing business model, like a new venture.

• When the company takes on a new service or product that has IS implications.

• When the organisation’s IS controls, regulations, and processes are significantly altered.

What’s changed since 2013?

Replacing ISO 27001:2013 Annex A Control 18.2.1, control 5.35 of the 2022 version of the standard offers the same general instructions but goes further in providing specific examples of when an organisation should carry out ad-hoc assessments alongside their regular schedule of periodic reviews.