ISO 27001 Control 5.35: Independent Review of Information Security
Control 5.35 requires organizations to conduct independent reviews of their information security program at planned intervals and after significant changes. This critical oversight control ensures your security posture remains effective, compliant, and aligned with business objectives. Without documented independent assessments, auditors will flag gaps in your ISMS governance.
What this means
Your organization must establish a structured process for periodically evaluating how well your information security management system (ISMS) is functioning across people, processes, and technologies. These reviews must be conducted by independent parties—either internal auditors without direct security responsibilities or external third parties—and triggered both on a schedule (typically annually) and when material changes occur to your environment, compliance obligations, or threat landscape. The reviews should assess whether your security controls are operating as designed and delivering intended outcomes.
How to comply
- 1.Define review frequency (minimum annual) and establish a schedule in your information security policy
- 2.Document the scope of independent reviews, including people, processes, technology, and ISMS effectiveness
- 3.Identify and assign independent reviewers (internal audit, external auditors, or qualified consultants) with no direct security management duties
- 4.Create review procedures covering control testing, design evaluation, implementation verification, and compliance assessment
- 5.Establish criteria for triggering ad-hoc reviews (major system changes, security incidents, policy updates, regulatory changes)
- 6.Document review findings, including gaps, risks, and recommendations in formal reports
- 7.Implement a remediation tracking process with assigned owners and target completion dates
- 8.Report results to senior management and relevant stakeholders with evidence of review completion
- 9.Retain all review documentation for audit trail and demonstrating continuous improvement
Evidence auditors look for
- Annual internal audit plan and schedule documenting 5.35 review activities
- Independent security review reports with executive summaries and detailed findings
- Audit scope documents defining what aspects of ISMS will be evaluated
- External auditor reports or third-party security assessment results
- Change management logs showing when ad-hoc reviews were triggered
- Management review meeting minutes discussing security review outcomes
- Remediation action plans with due dates and responsible parties
- Risk registers updated based on review findings
- Evidence of management sign-off on review results and corrective actions
- Training records confirming independent reviewers have appropriate qualifications
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the scheduling, tracking, and documentation of independent security reviews, maintains an audit trail of all review activities and remediation actions, and generates compliance-ready reports for ISO 27001 audits—eliminating spreadsheets and ensuring consistent evidence collection.
See how GRCWatch handles this control automatically
Start free trial