All types Page Article White Paper Download
Solutions The best route to security compliance
Hicomply Privacy™ ISO 27001 ISO 9001 ISO 14001 SOC 2 NHS DSPT NIST 800-53 Hicomply GRC™ Services & Customer Support
Platform A powerful suite of ISMS features
Dashboard ISMS Scoping Policy Management Risk Management Information Asset Management Task Management Integrations Hicomply for Enterprises Trust Centre Controls Monitor Hicomply AI SCIM Integration
Resources Everything you need to know
Knowledge & Insights Resources Hub Case Studies Sectors Glossary News ROI Calculator
Knowledge Base Learn more about infosec
ISO 27001 Knowledge Base SOC 2 Knowledge Base NHS DSPT Knowledge Base PCI DSS Knowledge Base NIST 800-53 Knowledge Base DORA Knowledge Base
Company Security and customers first
About News Partners Contact

Compliance with policies, rules and standards for information security

Annex A control 5.36 of the 2022 version of the ISO 27001 standard can be mapped to ISO 27001:2013 Annex A 18.2.2 and ISO 27001:2013 Annex A 18.2.3

One of the most integral aspects of running an organisation with a robust set of information security practices is maintaining compliance with published procedures, rules and policies, and Information security is best tackled with a top-down approach, according to control 5.36 of ISO 27001:2022 Annex A.

The control calls for organisations to engage in a top-down perspective when it comes to policies, rules, and standards.

As a preventative and corrective control, 5.36 aims to reduce risk by promoting adherence to pre-existing procedures and policies under the umbrella of information security.

Understanding control 5.36

Information owners and managers, including service and product owners, should have access to an organisation’s information security policies, rules, and standards, in order to act within the status quo. Implementing business-specific reporting methods for information security compliance is a key role of managers.

It’s also important that periodic reviews are conducted to highlight any areas for improvement. These reviews should be documented, stored, and reported. If issues or instances of non-compliance are discovered, managers should take decisive actions. Steps include:

  • Outlining the underlying causes of non-compliance
  • Determining how necessary it is to take decisive action
  • Implementing corrective action if necessary to ensure compliance
  • Assessing said actions for their effectiveness, noting any areas that still require attention

Corrective action to non-compliance must be taken in a timely manner, especially by the net review. Reviewers should be able to see that progress is being made to deal with any potential issues of non-compliance.

What’s changed since 2013?

There are two controls in ISO 27001:2013 that cover the same materials as 2022’s control 5.36. These are 18.2.2 and 18.2.3. The more recent version condenses the complex technical guidance of these earlier versions into a single control, making it more accessible and therefore easier for action to be taken.

2022’s control 5.36 contains the same guidance points as 2013’s 18.2.2 regarding what actions should be taken in the event of non-compliance being discovered during a review.