Purpose
To ensure the ongoing suitability, adequacy, and effectiveness of an organisation’s approach to managing information security, including its policies, processes, technologies, and personnel.
Control Overview
The organisation’s approach to managing information security and its implementation should be independently reviewed at planned intervals or when significant changes occur. Independent reviews are essential for identifying potential weaknesses and opportunities for improvement, and for ensuring alignment with legal, regulatory, and business requirements.
Guidance
Planning and Initiating Independent Reviews
The organisation should establish processes to conduct independent reviews of its information security management system (ISMS). These reviews should:
Be planned and initiated by management.
Include assessments of the effectiveness and efficiency of information security policies, topic-specific policies, and implemented controls.
Identify opportunities for improvement and areas requiring corrective actions.
Evaluate the need for adjustments to the overall approach to information security.
Independence and Competence of Reviewers
Independent reviews should be conducted by individuals who:
Are not directly involved in the area being reviewed.
Possess the appropriate competence and expertise in information security and auditing practices.
Do not hold authority within the reviewed area, so that objectivity is preserved.
Examples of suitable reviewers include:
Internal audit functions.
Independent managers from other areas.
External organisations specialising in information security assessments.
Conducting the Review
During the review process, the organisation should:
Evaluate whether documented objectives and requirements are being met.
Confirm compliance with the overarching information security policy and topic-specific policies.
Assess the effectiveness of implemented controls in mitigating risks and meeting organisational objectives.
The review process should also:
Examine evidence such as documentation, system logs, and interviews.
Ensure that any identified issues or non-conformities are appropriately documented.
Reporting and Action
The results of independent reviews should:
Be reported to the management that initiated the review and, where appropriate, to top management.
Include detailed findings, recommendations for improvement, and any identified corrective actions.
Be formally documented and maintained as records.
Management should ensure that corrective actions are promptly initiated for any inadequacies or deficiencies highlighted by the review. These actions should address areas such as non-compliance with policies, outdated controls, or gaps in risk management processes.
Triggers for Additional Independent Reviews
In addition to periodic reviews, the organisation should conduct independent reviews when:
Changes in Laws and Regulations: New or updated legislation impacts the organisation.
Significant Incidents: Major security incidents highlight potential weaknesses in current practices.
Business Changes: The organisation starts a new line of business or significantly alters its operations.
New Products or Services: Implementation or modification of products or services introduces new security considerations.
Control Changes: Major updates to information security controls and procedures are implemented.
Other Considerations
Records Maintenance
All findings, actions, and outcomes of the independent reviews should be maintained as formal records to support future audits, evaluations, and compliance requirements.
Additional Guidance
For detailed methodologies and best practices for independent reviews, organisations can refer to the following standards:
ISO/IEC 27007: Guidelines for information security management system audits.
ISO/IEC TS 27008: Guidelines for the assessment of information security controls.
Conclusion
Independent reviews are a critical component of a robust information security management framework. By conducting regular and objective assessments, organisations can ensure their ISMS remains aligned with business objectives, regulatory requirements, and the evolving threat landscape.