ISO 27001 A.5.35: Independent review of information security
What This Control Requires
The organization's approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.
In Plain Language
You cannot mark your own homework. Someone who was not involved in building and running your security controls needs to come in and check whether they actually work. That is what independent review is about - an objective assessment of whether your ISMS is adequate, effective, and compliant. The review should cover the full scope: people, processes, and technologies. Are controls implemented as intended? Are they actually mitigating the risks they are supposed to? Does the overall approach still align with your security objectives and external requirements? Beyond scheduled reviews, you also need to trigger one when something significant changes - a major restructuring, a big shift in your technology environment, new regulations, or a serious security incident. The ISMS has to stay relevant as your organisation evolves.
How to Implement
Set up an internal audit programme with regular independent reviews of the ISMS. Plan to cover all aspects of the ISMS over a defined cycle (typically 1-3 years), reviewing higher-risk areas more frequently. Define your methodology: interviews, document review, technical testing, and observation.

Make sure auditors are independent. They must not review areas they are directly responsible for. Cross-functional audit teams work well - your IT auditor reviews physical security, your physical security lead reviews IT controls. External auditors add objectivity. Auditors need to be competent in both information security and audit techniques. ISO 19011 is a good reference for methodology.

Scope reviews to cover ISMS governance, risk assessment and treatment, control implementation, security awareness effectiveness, incident management, supplier security, policy compliance, and regulatory alignment.

Follow a structured approach. Prepare an audit plan, then gather evidence through document review, interviews, observation, and technical testing. Assess findings against ISO 27001 requirements, your own policies, and the statement of applicability. Classify findings by severity: major nonconformity, minor nonconformity, observation, or opportunity for improvement.

Report findings to management and track corrective actions through to completion. Define response timeframes based on severity. Verify that corrective actions actually fix the problem. Use findings to drive continuous improvement. Keep records of all audits, findings, and corrective actions - the certification body will want to see them.
Evidence Your Auditor Will Request
- Internal audit program and schedule covering the ISMS scope
- Auditor competence and independence records
- Completed audit reports with findings and recommendations
- Corrective action records showing response to audit findings
- Management review records demonstrating consideration of audit results
Common Mistakes
- Internal audits are not conducted at planned intervals or cover insufficient scope
- Auditors lack independence from the areas they are reviewing
- Audit findings are documented but corrective actions are not tracked to completion
- Reviews only cover documentation without assessing actual control effectiveness
- Management does not review or act upon audit findings
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC4.1 | Equivalent |
| GDPR | Art.32(1)(d) | Partial overlap |
| NIS2 | Art.21(2)(f) | Partial overlap |
Frequently Asked Questions
Can we use internal staff for independent reviews or must we use external auditors?
How does the independent review relate to ISO 27001 certification audits?