ISO 27001:2022 Annex A 5.35 Checklist Guide

By Max Edwards | Updated 15 August 2024

Using a checklist for A.5.35 Independent Review of Information Security ensures systematic compliance and enhances the ISMS's effectiveness through regular, unbiased assessments. This approach facilitates continuous improvement and robust risk mitigation, meeting regulatory requirements and safeguarding information assets.

ISO 27001 A.5.35 Independent Review of Information Security Checklist

A.5.35 Independent Review of Information Security is a crucial aspect of the ISO 27001:2022 standard, which mandates that the information security management system (ISMS) undergoes regular and independent reviews. This ensures that the ISMS is effective, complies with established policies, and continuously improves. Here’s an exhaustive guide to understanding and implementing this control, including common challenges a Chief Information and Cyber Security Officer (CICSO) might face, how ISMS.online features can assist, and a detailed compliance checklist.

Scope of Annex A.5.35

The primary objective of an independent review is to provide an unbiased assessment of the ISMS. This process identifies areas for improvement, ensures compliance with established policies, and verifies that security controls are effectively protecting the organisation’s information assets.

Regular, independent reviews are vital for maintaining the integrity, effectiveness, and continuous improvement of an organisation’s information security posture.

Why Should You Comply With Annex A.5.35? Key Aspects and Common Challenges

Regular Reviews

Challenges:

  • Establishing a consistent review schedule.
  • Ensuring comprehensive coverage.
  • Aligning reviews with organisational priorities.

Solutions:

  • Use ISMS.online’s Audit Plan feature to schedule and manage audits systematically.
  • Utilise Audit Templates to ensure comprehensive and consistent reviews.
  • Involve top management and stakeholders to align review schedules with organisational priorities.

Related ISO 27001 Clauses: 6.3, 9.2, 9.3.

Independence

Challenges:

  • Ensuring true independence of reviewers.
  • Managing potential conflicts of interest.
  • Maintaining objectivity.

Solutions:

  • Engage external auditors or use internal auditors without direct responsibility for the areas reviewed.
  • Document and ensure the independence of the audit process using ISMS.online’s Audit Management features.
  • Establish clear guidelines and policies to prevent conflicts of interest.

Related ISO 27001 Clauses: 5.1, 5.3, 9.2.

Comprehensive Scope

Challenges:

  • Defining a comprehensive review scope.
  • Covering all aspects of the ISMS.
  • Ensuring alignment with business objectives and risk appetite.

Solutions:

  • Define and document the scope of reviews using ISMS.online’s Risk Management and Compliance Management features.
  • Utilise the Regs Database and Dynamic Risk Map to ensure all relevant areas and risks are included.
  • Regularly update the scope based on changes in the business environment and risk landscape.

Related ISO 27001 Clauses: 4.1, 6.1.2, 4.3.

Documentation and Reporting

Challenges:

  • Thoroughly documenting findings.
  • Managing large volumes of data.
  • Providing clear, actionable reports to management.

Solutions:

  • Create structured, comprehensive documentation of review findings and recommendations using ISMS.online’s Doc Templates and Version Control features.
  • Generate clear, actionable reports with ISMS.online’s Reporting features.
  • Implement a centralised document management system to handle large volumes of data effectively.

Related ISO 27001 Clauses: 7.5, 9.1, 9.3.

Follow-up Actions

Challenges:

  • Developing and implementing effective action plans.
  • Tracking progress.
  • Ensuring timely resolution of identified issues.

Solutions:

  • Track and manage corrective actions arising from audit findings using ISMS.online’s Corrective Actions feature within Audit Management.
  • Ensure follow-up actions are effectively implemented and tracked with Risk Monitoring and Policy Management features.
  • Conduct regular reviews and updates on the progress of corrective actions.

Related ISO 27001 Clauses: 10.2, 9.1, 10.1.

ISMS.online Features for Demonstrating Compliance with A.5.35

  • Audit Management:
    • Audit Templates: Utilise pre-built templates to ensure all relevant areas are reviewed comprehensively.
    • Audit Plan: Schedule and manage audits systematically, ensuring regular independent reviews.
    • Corrective Actions: Track and manage corrective actions arising from audit findings.
  • Compliance Management:
    • Regs Database: Access a comprehensive database of regulatory requirements to ensure all relevant standards are reviewed.
    • Alert System: Receive notifications about changes in regulations that might affect the ISMS.
    • Reporting: Generate compliance reports to demonstrate adherence to standards during independent reviews.
  • Incident Management:
    • Incident Tracker: Document and manage security incidents, ensuring they are reviewed during the independent assessment.
    • Workflow: Automate incident management processes to ensure thorough documentation and accountability.
    • Notifications: Set up alerts for key stakeholders when incidents are logged and reviewed.
  • Risk Management:
    • Risk Bank: Maintain a central repository of risks, ensuring all identified risks are assessed during reviews.
    • Dynamic Risk Map: Visualise and monitor risks, supporting the review of risk management effectiveness.
    • Risk Monitoring: Track the status of risk mitigation actions and their effectiveness.
  • Policy Management:
    • Policy Templates: Use standardised templates for creating and updating information security policies.
    • Policy Pack: Ensure all policies are easily accessible and up-to-date.
    • Version Control: Track changes to policies, ensuring they are reviewed and updated as necessary.
  • Documentation:
    • Doc Templates: Use structured templates for documenting findings and recommendations from independent reviews.
    • Version Control: Maintain a history of document changes to demonstrate the evolution of the ISMS.
    • Collaboration: Enable stakeholders to collaborate on documents and action plans resulting from reviews.

Detailed Annex A.5.35 Compliance Checklist

Regular Reviews

  • Establish a review schedule that aligns with organisational priorities.
  • Use ISMS.online’s Audit Plan to schedule regular reviews.
  • Ensure comprehensive coverage using Audit Templates.

Independence

  • Ensure reviewers are independent from the activities being reviewed.
  • Document the independence of auditors using ISMS.online’s Audit Management features.
  • Engage external auditors or separate internal audit teams.

Comprehensive Scope

  • Define the scope of the review covering all ISMS aspects.
  • Utilise ISMS.online’s Risk Management features to document the review scope.
  • Ensure alignment with business objectives and risk appetite.

Documentation and Reporting

  • Thoroughly document review findings using Doc Templates.
  • Utilise Version Control to manage document changes.
  • Generate clear, actionable reports with ISMS.online’s Reporting features.

Follow-up Actions

  • Develop and implement effective action plans based on review findings.
  • Track progress of corrective actions using Corrective Actions.
  • Ensure timely resolution of issues with Risk Monitoring and Policy Management.

Benefits of Compliance

  • Unbiased Assessment: Provides an impartial evaluation of the ISMS, enhancing credibility and trust.
  • Continuous Improvement: Identifies opportunities for improvement, ensuring that the ISMS evolves to meet emerging threats and changes in the business environment.
  • Regulatory Compliance: Helps ensure that the organisation meets regulatory and legal requirements, avoiding penalties and legal issues.
  • Risk Mitigation: Identifies potential security gaps and weaknesses, enabling proactive risk mitigation.

By leveraging the features of ISMS.online and following this detailed compliance checklist, organisations can efficiently manage and document independent reviews, ensuring robust compliance with “A.5.35 Independent Review of Information Security.” This integrated approach enhances the effectiveness of the ISMS and supports continuous improvement efforts.

Every Annex A Control Checklist Table

ISO 27001 Annex A.5 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.5.1 | Policies for Information Security Checklist
Annex A.5.2 | Information Security Roles and Responsibilities Checklist
Annex A.5.3 | Segregation of Duties Checklist
Annex A.5.4 | Management Responsibilities Checklist
Annex A.5.5 | Contact With Authorities Checklist
Annex A.5.6 | Contact With Special Interest Groups Checklist
Annex A.5.7 | Threat Intelligence Checklist
Annex A.5.8 | Information Security in Project Management Checklist
Annex A.5.9 | Inventory of Information and Other Associated Assets Checklist
Annex A.5.10 | Acceptable Use of Information and Other Associated Assets Checklist
Annex A.5.11 | Return of Assets Checklist
Annex A.5.12 | Classification of Information Checklist
Annex A.5.13 | Labelling of Information Checklist
Annex A.5.14 | Information Transfer Checklist
Annex A.5.15 | Access Control Checklist
Annex A.5.16 | Identity Management Checklist
Annex A.5.17 | Authentication Information Checklist
Annex A.5.18 | Access Rights Checklist
Annex A.5.19 | Information Security in Supplier Relationships Checklist
Annex A.5.20 | Addressing Information Security Within Supplier Agreements Checklist
Annex A.5.21 | Managing Information Security in the ICT Supply Chain Checklist
Annex A.5.22 | Monitoring, Review and Change Management of Supplier Services Checklist
Annex A.5.23 | Information Security for Use of Cloud Services Checklist
Annex A.5.24 | Information Security Incident Management Planning and Preparation Checklist
Annex A.5.25 | Assessment and Decision on Information Security Events Checklist
Annex A.5.26 | Response to Information Security Incidents Checklist
Annex A.5.27 | Learning From Information Security Incidents Checklist
Annex A.5.28 | Collection of Evidence Checklist
Annex A.5.29 | Information Security During Disruption Checklist
Annex A.5.30 | ICT Readiness for Business Continuity Checklist
Annex A.5.31 | Legal, Statutory, Regulatory and Contractual Requirements Checklist
Annex A.5.32 | Intellectual Property Rights Checklist
Annex A.5.33 | Protection of Records Checklist
Annex A.5.34 | Privacy and Protection of PII Checklist
Annex A.5.35 | Independent Review of Information Security Checklist
Annex A.5.36 | Compliance With Policies, Rules, and Standards for Information Security Checklist
Annex A.5.37 | Documented Operating Procedures Checklist


ISO 27001 Annex A.6 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.6.1 | Screening Checklist
Annex A.6.2 | Terms and Conditions of Employment Checklist
Annex A.6.3 | Information Security Awareness, Education and Training Checklist
Annex A.6.4 | Disciplinary Process Checklist
Annex A.6.5 | Responsibilities After Termination or Change of Employment Checklist
Annex A.6.6 | Confidentiality or Non-Disclosure Agreements Checklist
Annex A.6.7 | Remote Working Checklist
Annex A.6.8 | Information Security Event Reporting Checklist


ISO 27001 Annex A.7 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.7.1 | Physical Security Perimeters Checklist
Annex A.7.2 | Physical Entry Checklist
Annex A.7.3 | Securing Offices, Rooms, and Facilities Checklist
Annex A.7.4 | Physical Security Monitoring Checklist
Annex A.7.5 | Protecting Against Physical and Environmental Threats Checklist
Annex A.7.6 | Working in Secure Areas Checklist
Annex A.7.7 | Clear Desk and Clear Screen Checklist
Annex A.7.8 | Equipment Siting and Protection Checklist
Annex A.7.9 | Security of Assets Off-Premises Checklist
Annex A.7.10 | Storage Media Checklist
Annex A.7.11 | Supporting Utilities Checklist
Annex A.7.12 | Cabling Security Checklist
Annex A.7.13 | Equipment Maintenance Checklist
Annex A.7.14 | Secure Disposal or Re-Use of Equipment Checklist


ISO 27001 Annex A.8 Control Checklist Table

ISO 27001 Control Number | ISO 27001 Control Checklist
Annex A.8.1 | User Endpoint Devices Checklist
Annex A.8.2 | Privileged Access Rights Checklist
Annex A.8.3 | Information Access Restriction Checklist
Annex A.8.4 | Access to Source Code Checklist
Annex A.8.5 | Secure Authentication Checklist
Annex A.8.6 | Capacity Management Checklist
Annex A.8.7 | Protection Against Malware Checklist
Annex A.8.8 | Management of Technical Vulnerabilities Checklist
Annex A.8.9 | Configuration Management Checklist
Annex A.8.10 | Information Deletion Checklist
Annex A.8.11 | Data Masking Checklist
Annex A.8.12 | Data Leakage Prevention Checklist
Annex A.8.13 | Information Backup Checklist
Annex A.8.14 | Redundancy of Information Processing Facilities Checklist
Annex A.8.15 | Logging Checklist
Annex A.8.16 | Monitoring Activities Checklist
Annex A.8.17 | Clock Synchronisation Checklist
Annex A.8.18 | Use of Privileged Utility Programs Checklist
Annex A.8.19 | Installation of Software on Operational Systems Checklist
Annex A.8.20 | Networks Security Checklist
Annex A.8.21 | Security of Network Services Checklist
Annex A.8.22 | Segregation of Networks Checklist
Annex A.8.23 | Web Filtering Checklist
Annex A.8.24 | Use of Cryptography Checklist
Annex A.8.25 | Secure Development Life Cycle Checklist
Annex A.8.26 | Application Security Requirements Checklist
Annex A.8.27 | Secure System Architecture and Engineering Principles Checklist
Annex A.8.28 | Secure Coding Checklist
Annex A.8.29 | Security Testing in Development and Acceptance Checklist
Annex A.8.30 | Outsourced Development Checklist
Annex A.8.31 | Separation of Development, Test and Production Environments Checklist
Annex A.8.32 | Change Management Checklist
Annex A.8.33 | Test Information Checklist
Annex A.8.34 | Protection of Information Systems During Audit Testing Checklist


How ISMS.online Helps With A.5.35

Ready to take your information security management to the next level? Discover how ISMS.online can help you achieve robust compliance with ISO 27001:2022, including A.5.35 Independent Review of Information Security.

With comprehensive features designed to streamline your audit processes, enhance risk management, and ensure continuous improvement, ISMS.online is your partner in building a secure and resilient organisation.

Contact us today to learn more about how our platform can transform your ISMS. Book a demo with ISMS.online and see firsthand how our solutions can help you meet your compliance goals efficiently and effectively.
