ISO 27001 Control 5.36: Compliance with Policies, Rules and Standards for Information Security
Information security policies are only effective when consistently enforced and monitored. Control 5.36 requires organizations to regularly review compliance with their information security policies, rules, and standards, then report findings to management. This ongoing oversight ensures policies remain relevant and actually protect your organization.
What this means
Your organization must establish a systematic process to monitor whether employees, systems, and processes comply with your information security policies and related standards. These reviews must be conducted on a regular schedule and the results reported to management so leadership can identify gaps, trends, and needed policy updates. This creates accountability and ensures security controls remain effective.
How to comply
- 1.Define a review schedule for policy compliance audits (quarterly or annually minimum)
- 2.Establish clear metrics and procedures to measure compliance with each policy
- 3.Conduct regular audits or assessments to identify non-compliance instances
- 4.Document all findings, including violations, root causes, and remediation actions
- 5.Report results to management with trends, severity levels, and recommendations
- 6.Implement corrective actions for identified non-compliance areas
- 7.Track remediation progress and report status in subsequent reviews
Evidence auditors look for
- Documented policy compliance review schedule and audit procedures
- Compliance audit reports with specific findings and metrics
- Management meeting minutes showing policy compliance discussion and decisions
- Non-compliance incident logs with root cause analysis
- Remediation tracking records and closure evidence
- Policy acknowledgment records from employees
- System access logs or configuration reviews demonstrating control effectiveness
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates policy compliance tracking and generates management reports with audit findings and remediation status—eliminating manual review cycles and ensuring consistent ISO 27001 5.36 documentation.
See how GRCWatch handles this control automatically
Start free trial