ISO 27001: 2022 A.5.35 Independent review of information security

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.35 Independent review of information security.

ISO 27001: 2022 Control Description

The organisation’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.

Purpose

To ensure the continuing suitability, adequacy, and effectiveness of the organisation’s approach to managing information security.

Guidance on implementation

The organisation should establish processes to conduct independent reviews of the ISMS.

Management should plan periodic independent reviews that include assessing opportunities for improvement and the need for changes to the approach to information security, including the information security policy, topic-specific policies, and other controls.

These reviews should be carried out by competent individuals who are independent of the area under review to ensure impartiality (e.g. an internal audit function, an independent manager, or an external party organisation specialising in such reviews).

The results of the independent reviews should be reported to the management who initiated the reviews and, if appropriate, to top management. These records should be maintained.

If the independent reviews identify that the organisation’s approach and implementation of managing information security is inadequate (e.g. documented objectives and requirements are not met or are not compliant with the direction for information security as stated in the information security policy and topic-specific policies), management should initiate corrective actions.

In addition to the periodic independent reviews, the organisation should consider conducting independent reviews when:

a) laws and regulations affecting the organisation change;

b) significant incidents occur;

c) the organisation starts a new business or changes an existing one;

d) the organisation starts using a new product or service, or changes the use of an existing product or service;

e) the organisation makes significant changes to information security controls and procedures.