
Overview
ISO 27001 Control 5.36 (Compliance with policies, rules and standards for information security) requires that adherence to the organisation's information security policy, topic-specific policies, rules, and standards be regularly reviewed. Compliance with these documents is what turns them into effective safeguards for information assets: the control ensures that security practices are implemented as written, checked on a regular basis, and kept aligned with organisational requirements and evolving risks.
The result is a framework that preserves confidentiality, integrity, and availability while meeting legal and contractual obligations.
Purpose
The primary objective of this control is to ensure that the organisation’s information security measures are consistently applied and operationally effective. By doing so, it enhances governance and provides assurance to stakeholders regarding the organisation’s commitment to protecting its information assets.
Guidance
Regular Review
Managers, service owners, product owners, and information owners should oversee compliance within their area of responsibility by selecting suitable review mechanisms (for example, configuration checks, access reviews, sampling of records, or interviews) to assess adherence to:
- The overarching information security policy
- Topic-specific policies and rules
- Standards and applicable regulations
Automation in Compliance Monitoring
Organisations should leverage automated measurement and reporting tools to streamline regular reviews. These tools can:
- Detect policy violations in real time
- Generate compliance reports
- Highlight areas that require immediate attention
Handling Non-compliance
When reviews identify non-compliance, the following steps should be undertaken:
- Identify Causes: Determine the root causes of the non-compliance, such as gaps in training, outdated policies, or process inefficiencies.
- Evaluate Corrective Actions: Assess the measures necessary to address gaps and prevent recurrence.
- Implement Corrective Actions: Apply the identified measures, such as updating procedures, enhancing staff awareness, or deploying new tools.
- Review Effectiveness: Evaluate the effectiveness of corrective actions and identify any residual weaknesses.
Record-Keeping and Reporting
To ensure accountability and transparency, organisations must:
- Document the results of reviews and corrective actions comprehensively
- Maintain organised and accessible records
- Make the results of reviews and corrective actions available to independent reviewers (e.g., internal or external auditors, or governance teams) when they carry out independent reviews of information security
Timely Resolution
Corrective actions should be resolved promptly, proportional to the associated risk. If actions remain incomplete by the next scheduled review, progress should be tracked and addressed at that review.
Integration with Operational Monitoring
This control complements the operational monitoring controls 8.15 (logging), 8.16 (monitoring activities), and 8.17 (clock synchronisation). Policy compliance reviews draw on the evidence those controls produce, and together they form a cohesive framework enabling:
- Proactive risk identification
- Responsive actions to mitigate identified risks
Conclusion
Adherence to this control is foundational to the organisation’s broader security strategy. It fosters trust among stakeholders and ensures operations align with regulatory and business requirements. Regular reviews, supported by automation and diligent record-keeping, drive continuous improvement in the organisation’s information security posture.
FAQs
What are the most effective ways to monitor compliance with security policies across a large organisation?
The most effective approach combines automated tools (e.g. SIEM, DLP, configuration management tools) with human oversight. Automated systems help detect policy breaches in real time, while managers and data owners should perform periodic reviews and risk assessments to identify systemic issues or behavioural trends.
How often should policy compliance be reviewed?
Review frequency should be risk-based. High-risk areas (e.g. privileged access, sensitive data handling) may require monthly or quarterly reviews. Lower-risk areas might be reviewed annually. Reviews should also follow significant changes—such as system upgrades, regulatory updates, or audit findings.
What should be done if someone consistently fails to follow security policies?
Start with identifying the root cause—whether it’s a lack of awareness, inadequate processes, or deliberate negligence. Then take proportionate corrective action. This may include retraining, adjusting workflows, updating policies, or escalating the issue to HR or management for formal action if non-compliance is wilful or repeated.
How do automated tools support compliance with this control?
Automation tools support compliance by detecting policy violations in real time (e.g. unauthorised access, unpatched systems), generating reports for auditing, and alerting managers to anomalies. They reduce manual workload and improve both accuracy and response time, especially in complex or high-volume environments.
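The following is an added example, not code from the original page, showing what "automated measurement and reporting" looks like for both the Automation in Compliance Monitoring section above and this FAQ: a small Python script evaluates a constructed asset inventory against three policy rules, measures compliance per rule, flags high-severity findings for immediate attention, assigns corrective actions with due dates proportional to severity, and lists the actions that must be carried forward to the next scheduled review. The inventory records, rule identifiers (PATCH-01, ACC-03, CRY-02), patch and remediation timescales, and review dates are all assumptions chosen for this example.

```python
"""Compliance measurement and reporting over a constructed asset inventory.

Added example. Rule IDs, field names, SLAs and dates are assumptions, not
values taken from ISO 27001 or from any real environment.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

REVIEW_DATE = date(2024, 6, 1)   # fixed so the results are reproducible (assumed)
NEXT_REVIEW = date(2024, 7, 1)   # next scheduled review (assumed)

# Constructed inventory records; no real hosts.
INVENTORY = [
    {"host": "web-01", "owner": "platform", "last_patched": date(2024, 5, 20),
     "mfa_admin": True, "disk_encrypted": True, "tier": "high"},
    {"host": "db-01", "owner": "data", "last_patched": date(2024, 3, 1),
     "mfa_admin": True, "disk_encrypted": True, "tier": "high"},
    {"host": "jump-01", "owner": "platform", "last_patched": date(2024, 5, 28),
     "mfa_admin": False, "disk_encrypted": True, "tier": "high"},
    {"host": "build-07", "owner": "ci", "last_patched": date(2024, 4, 10),
     "mfa_admin": True, "disk_encrypted": False, "tier": "low"},
]


@dataclass(frozen=True)
class Rule:
    rule_id: str                              # reference into the policy/standard
    description: str
    severity: str                             # "high" or "medium"
    complies: Callable[[dict, date], bool]    # True when the record is compliant


def patch_standard_met(rec: dict, today: date) -> bool:
    """Assumed patch standard: 30 days for high-tier hosts, 60 days otherwise."""
    limit = 30 if rec["tier"] == "high" else 60
    return (today - rec["last_patched"]).days <= limit


RULES = [
    Rule("PATCH-01", "Host patched within the patch standard", "high", patch_standard_met),
    Rule("ACC-03", "Administrative access protected by MFA", "high",
         lambda rec, _today: rec["mfa_admin"]),
    Rule("CRY-02", "Data at rest encrypted", "medium",
         lambda rec, _today: rec["disk_encrypted"]),
]


@dataclass(frozen=True)
class Finding:
    host: str
    owner: str
    rule_id: str
    severity: str


def evaluate(inventory: List[dict], rules: List[Rule], today: date = REVIEW_DATE) -> List[Finding]:
    """Run every rule over every record; return one Finding per non-compliant pair."""
    return [Finding(rec["host"], rec["owner"], rule.rule_id, rule.severity)
            for rec in inventory for rule in rules if not rule.complies(rec, today)]


def compliance_by_rule(inventory: List[dict], rules: List[Rule], today: date = REVIEW_DATE) -> Dict[str, float]:
    """Percentage of records compliant with each rule: the measurement to report on."""
    failed = {rule.rule_id: 0 for rule in rules}
    for f in evaluate(inventory, rules, today):
        failed[f.rule_id] += 1
    return {rid: round(100.0 * (len(inventory) - n) / len(inventory), 1)
            for rid, n in failed.items()}


def immediate_attention(findings: List[Finding]) -> List[Finding]:
    """High-severity findings are the ones to surface to owners straight away."""
    return [f for f in findings if f.severity == "high"]


# Corrective-action deadline proportional to the risk the finding represents (assumed).
REMEDIATION_DAYS = {"high": 14, "medium": 60}


@dataclass
class CorrectiveAction:
    finding: Finding
    due: date
    closed_on: Optional[date] = None


def plan_actions(findings: List[Finding], opened: date = REVIEW_DATE) -> List[CorrectiveAction]:
    return [CorrectiveAction(f, opened + timedelta(days=REMEDIATION_DAYS[f.severity]))
            for f in findings]


def carry_forward(actions: List[CorrectiveAction], next_review: date) -> List[CorrectiveAction]:
    """Actions still open at the next scheduled review, to be tracked there."""
    return [a for a in actions if a.closed_on is None or a.closed_on > next_review]


def report(inventory: List[dict], rules: List[Rule], actions: List[CorrectiveAction]) -> str:
    """Plain-text review record suitable for filing and for independent reviewers."""
    lines = [f"Compliance review {REVIEW_DATE.isoformat()}"]
    for rid, pct in compliance_by_rule(inventory, rules).items():
        lines.append(f"  {rid}: {pct}% compliant")
    for a in actions:
        state = "closed " + a.closed_on.isoformat() if a.closed_on else f"due {a.due.isoformat()}"
        lines.append(f"  [{a.finding.severity.upper()}] {a.finding.host} ({a.finding.owner}) "
                     f"fails {a.finding.rule_id}; {state}")
    lines.append(f"  {len(carry_forward(actions, NEXT_REVIEW))} action(s) carried forward "
                 f"to {NEXT_REVIEW.isoformat()}")
    return "\n".join(lines)


if __name__ == "__main__":
    findings = evaluate(INVENTORY, RULES)
    actions = plan_actions(findings)
    actions[2].closed_on = REVIEW_DATE + timedelta(days=3)   # the CRY-02 fix was applied
    print(report(INVENTORY, RULES, actions))
```

Each rule maps to an identifier in the policy or standard it enforces, so a finding is traceable to the requirement it breaches; the compliance percentage per rule is the metric a manager reviews over time, while the carried-forward list is what the next review opens with.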
Who is responsible for ensuring compliance with information security policies?
Responsibility typically lies with policy owners, managers, service and product owners, and information owners. However, all staff have a role in adhering to policies. Accountability frameworks like RACI charts can help clarify who is Responsible, Accountable, Consulted, and Informed for each policy area.