ISO 27001 Annex A Control 5.36

ISO 27001 control 5.36 Compliance with policies, rules and standards for information security

The basics

ISO 27001 control A.5.36 Compliance with policies, rules, and standards for information security requires companies to regularly assess whether their activities comply with their security policies, procedures, and standards.

Documentation

ISO 27001 control A.5.36 Compliance with policies, rules and standards for information security can be documented:

  • For smaller and mid-size companies by defining in the Statement of Applicability who is responsible for compliance review (i.e., no specific document is needed).
  • For larger companies by writing a Compliance Review Procedure.

The entry in the SoA and the procedure are not mandatory but are recommended.

Implementation

In order to comply with control A.5.36 Compliance with policies, rules and standards for information security you might implement the following:

  • Technology — the technology needed to enable compliance with policies, rules and standards for information security will in most cases already be available in the company. Companies of all sizes will probably be able to assess compliance with policies, rules and standards for information security by using the same monitoring or reporting tools that managers already use to perform management review of the processes under their responsibility.
  • Organization/processes — you should set up a process for defining how compliance review must be performed, by whom, how often, and how the results of the review must be handled. You can document those processes through a Compliance Review Procedure.
  • People — make employees aware of why compliance review is needed, and train management staff on how to perform it.

Audit evidence

During the audit, the auditor might look for the following evidence regarding control A.5.36 Compliance with policies, rules and standards for information security: whether compliance with security policies, procedures, and standards is regularly assessed.