The basics
ISO 27001 control A.5.35 Independent review of information security requires companies to ensure information security activities, personnel, and technologies are independently reviewed in order to assess the capacity of the organization to protect information.
Documentation
ISO 27001 control A.5.35 Independent review of information security can be documented by writing an Internal Audit Procedure and Internal Audit Report.
It is not mandatory to document this control, but it is recommended that all companies have such documents.
Implementation
In order to comply with control A.5.35 Independent review of information security you might implement the following:
- Technology — the technology needed to enable independent review of information security will in most cases already be available in the company. Companies of all sizes will usually be able to independently review information security using the same monitoring and audit tools their system administrators already use.
- Organization/processes — you should set up a process that defines the criteria for selecting auditors, the audit objectives and methods, and how the independent review is performed. You can document this process through an Internal Audit Procedure.
- People — make employees aware of why the independent review is needed, and train managers on how to ensure independent reviews.
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.5.35 Independent review of information security: whether information security activities, personnel, and technologies are independently reviewed.