ISO 27001:2022 Annex A Control 5.36: Compliance With Policies, Rules and Standards for Information Security
Annex A control 5.36 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 18.2.2 and ISO 27001:2013 Annex A 18.2.3
One of the most integral aspects of running an organisation with a robust set of information security practices is maintaining compliance with published procedures, rules and policies, and Information security is best tackled with a top-down approach, according to control 5.36 of ISO 27001:2022 Annex A.
The control calls for organisations to engage in a top-down perspective when it comes to policies, rules, and standards.
As a preventative and corrective control, 5.36 aims to reduce risk by promoting adherence to pre-existing procedures and policies under the umbrella of information security.
Understanding control 5.36
Information owners and managers, including service and product owners, should have access to an organisation’s information security policies, rules, and standards, in order to act within the status quo. Implementing business-specific reporting methods for information security compliance is a key role of managers.
It’s also important that periodic reviews are conducted to highlight any areas for improvement. These reviews should be documented, stored, and reported. If issues or instances of non-compliance are discovered, managers should take decisive action. Steps include:
- Outlining the underlying causes of non-compliance
- Determining how necessary it is to take decisive action
- Implementing corrective action if necessary to ensure compliance
- Assessing said actions for their effectiveness, noting any areas that still require attention
Corrective action to non-compliance must be taken in a timely manner, especially by the net review. Reviewers should be able to see that progress is being made to deal with any potential issues of non-compliance.
What’s changed since 2013?
There are two controls in ISO 27001:2013 that cover the same materials as 2022’s control 5.36. These are 18.2.2 and 18.2.3. The more recent version condenses the complex technical guidance of these earlier versions into a single control, making it more accessible and therefore easier for action to be taken.
2022’s control 5.36 contains the same guidance points as 2013’s 18.2.2 regarding what actions should be taken in the event of non-compliance being discovered during a review.
Ready to Take Control of Your Privacy Compliance?
See how Hicomply can accelerate your path to CAF compliance in a 15-minute demo.