ISO 27001: 2022 A.5.36 Compliance with policies, rules and standards for information security

This article provides additional information on how you can meet the requirement for ISO 27001: 2022 A.5.36 Compliance with policies, rules and standards for information security.

ISO 27001: 2022 Control Description

Compliance with the organisation’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

Purpose

To ensure that information security is implemented and operated in accordance with the organisation’s information security policy, topic-specific policies, rules, and standards.

Guidance

Managers, service, product, or information owners should determine how to review whether the information security requirements defined in the information security policy, topic-specific policies, rules, standards, and other applicable regulations are being met. Automated measurement and reporting tools should be considered for efficient regular reviews.

If any non-compliance is identified during the review, managers should:

a) identify the causes of the non-compliance;

b) evaluate the need for corrective actions to achieve compliance;

c) implement appropriate corrective actions;

d) review the corrective actions taken to verify their effectiveness and identify any deficiencies or weaknesses.

The results of reviews and corrective actions carried out by managers, service, product, or information owners should be documented, and these records should be maintained. Managers should report the results to the individuals conducting independent reviews when such a review occurs in their area of responsibility.

Corrective actions should be completed in a timely manner, appropriate to the risk. If not completed by the next scheduled review, progress should at least be addressed during that review.