ISO 27001 Control 5.35: Independent Review of Information Security


Purpose

The purpose of ISO 27001 control 5.35 “Independent Review of Information Security” is to ensure the ongoing suitability, adequacy, and effectiveness of an organisation’s approach to managing information security, including its policies, processes, technologies, and personnel.

Control Overview

The organisation’s approach to managing information security and its implementation should be independently reviewed at planned intervals or when significant changes occur. Independent reviews are essential for identifying potential weaknesses and opportunities for improvement, and for ensuring alignment with legal, regulatory, and business requirements.

Guidance
Planning and Initiating Independent Reviews

The organisation should establish processes to conduct independent reviews of its information security management system (ISMS). These reviews should:

  1. Be planned and initiated by management.
  2. Include assessments of the effectiveness and efficiency of information security policies, topic-specific policies, and implemented controls.
  3. Identify opportunities for improvement and areas requiring corrective actions.
  4. Evaluate the need for adjustments to the overall approach to information security.

Independence and Competence of Reviewers

Independent reviews should be conducted by individuals who:

  • Are not directly involved in the area being reviewed.
  • Possess the appropriate competence and expertise in information security and auditing practices.
  • Do not hold authority within the reviewed area, so that objectivity is preserved.

Examples of suitable reviewers include:

  • Internal audit functions.
  • Independent managers from other areas.
  • External organisations specialising in information security assessments.

Conducting the Review

During the review process, the organisation should:

  1. Evaluate whether documented objectives and requirements are being met.
  2. Confirm compliance with the overarching information security policy and topic-specific policies.
  3. Assess the effectiveness of implemented controls in mitigating risks and meeting organisational objectives.

The review process should also:

  • Examine evidence such as documentation, system logs, and interviews.
  • Ensure that any identified issues or non-conformities are appropriately documented.

Reporting and Action

The results of independent reviews should:

  • Be reported to the management that initiated the review and, where appropriate, to top management.
  • Include detailed findings, recommendations for improvement, and any identified corrective actions.
  • Be formally documented and maintained as records.

Management should ensure that corrective actions are promptly initiated for any inadequacies or deficiencies highlighted by the review. These actions should address areas such as non-compliance with policies, outdated controls, or gaps in risk management processes.
Triggers for Additional Independent Reviews

In addition to periodic reviews, the organisation should conduct independent reviews when:

  1. Changes in Laws and Regulations: New or updated legislation impacts the organisation.
  2. Significant Incidents: Major security incidents highlight potential weaknesses in current practices.
  3. Business Changes: The organisation starts a new line of business or significantly alters its operations.
  4. New Products or Services: Implementation or modification of products or services introduces new security considerations.
  5. Control Changes: Major updates to information security controls and procedures are implemented.

Other Considerations

Records Maintenance

All findings, actions, and outcomes of the independent reviews should be maintained as formal records to support future audits, evaluations, and compliance requirements.

Additional Guidance

For detailed methodologies and best practices for independent reviews, organisations can refer to the following standards:

  • ISO/IEC 27007: Guidelines for information security management system audits.
  • ISO/IEC TS 27008: Guidelines for the assessment of information security controls.

FAQs

What is the purpose of an independent review of information security?

The goal is to provide an objective assessment of whether the organisation’s information security controls are appropriate, effective, and aligned with internal policies and external requirements. It helps uncover blind spots, validate the ISMS’s effectiveness, and support continuous improvement.

Who should carry out the independent review?

The review should be conducted by individuals or teams that are not directly involved in the operation or management of the information security function. This can include internal audit teams with no conflict of interest, external consultants, or certified auditors.

How often should an independent review be performed?

The frequency should be based on organisational risk, regulatory requirements, and significant changes (e.g. system upgrades, incidents, mergers). Many organisations conduct independent reviews annually, though some may need them more frequently in high-risk or highly regulated environments.

What should be included in the scope of an independent review?

The review should evaluate:

  • Alignment of security controls with policies and standards
  • Compliance with legal, regulatory, and contractual obligations
  • Effectiveness of risk treatment plans
  • Incident response readiness
  • Evidence of continuous improvement

The scope should be clearly defined and documented before the review begins.

What happens after an independent review is completed?

Findings should be documented in a formal report, shared with relevant stakeholders, and discussed in management review meetings. Identified gaps or weaknesses must be addressed through corrective actions, tracked, and re-assessed during follow-up reviews or audits.

Conclusion

Independent reviews are a critical component of a robust information security management framework. By conducting regular and objective assessments, organisations can ensure their ISMS remains aligned with business objectives, regulatory requirements, and the evolving threat landscape.

Written by

Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).