All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI SCIM Integration
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

Independent review of information security

Annex A control 5.35 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 18.2.1

Control 5.35 highlights the importance of conducting reviews to ensure that information security remains robust across an organisation. According to control 5.35, organisations should carry out independent reviews at planned intervals, as well as whenever major operational changes occur.

This not only helps ensure that information security management policies remain intact, but is also important for making sure that all adequate requirements are met, that objectives remain relevant, and that policies are functioning as designed.

The importance of information security management

Information security, or IS, is key to any organisation’s data management, helping to avoid potentially severe financial, reputational, and legal consequences. Effective information security management ensures that data is kept safe and secure, preventing potential issues.

As such, there is no room for complacency. Regular independent reviews must be conducted to assess the various management systems in place to keep IS at the necessary level. This is what control 5.35 encourages and supports.

Understanding control 5.35

Control 5.35 emphasises the importance of carrying out separate reviews for various information security practices, with reviews focusing on identifying areas for improvement across the organisation’s IS policy, policies tailored to specific topics, and associated controls.

Reviews should be conducted by someone outside of the organisation with no stake in its success, such as an independent departmental manager or third-party organisation.

Whoever carries out the review should also possess the necessary skills to make a valid judgement, and share their findings with the required staff. Review findings should be logged, retained, and reported meticulously, and reviewers should outline wither IS practices fall in line with the organisation’s IS policy objectives.

Further guidance on independent reviews can be found in ISO/IEC 27007 and ISO/IEC TS 27008.

When should reviews be carried out?

While reviews should be carried out periodically, there are also instances where an ad-hoc review might be required. These include:

  • When laws, guidelines or regulations impacting an organisation’s IS operations are amended in any way.
  • When significant IS events like data loss or intrusion occur.
  • When major transformations are made to the existing business model, like a new venture.
  • When the company takes on a new service or product that has IS implications.
  • When the organisation’s IS controls, regulations, and processes are significantly altered.

What’s changed since 2013?

Replacing ISO 27001:2013 Annex A Control 18.2.1, control 5.35 of the 2022 version of the standard offers the same general instructions but goes further in providing specific examples of when an organisation should carry out ad-hoc assessments alongside their regular schedule of periodic reviews.