Gary Hibberd

ISO27001:2022 - A5.35 – Independent review of information security

Updated: Aug 2



If your ISO27001 management system is going to be effective, you need to ensure there is an independent review of everything that you’re doing. That’s why this control is important.

 

But what is actually required, and how can we evidence this review, especially where your business is small?


 

What does the standard require?


The standard states that “The organisation’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.” (A5.35 – Independent review of Information Security).

 

There are several components within this control that we should extract and keep our eye upon, so that we meet the requirements head on. In particular, note that the key word is independent, so you need to define what this means for you. If you’re a small business, how do you keep an objective view of your management system?

 

This control also emphasises the need to carry out reviews at planned intervals, so having a plan is key. 

 

Finally, the review needs to consider your approach to information security implementation in relation to people, processes and technologies. This is the classic ‘PPT’ of information security, and one which is always worth keeping in mind when approaching any aspect of security.

 

This ISO27001 control is seeking evidence of how you’ve achieved this review independently, and that’s what the auditor will look for.

 

Why is this required?


Have you ever come across the saying “You can’t mark your own homework”? How confident would you feel if a chef presented food to you and stated, “Well, I’ve tasted it. And it tastes delicious.” Can you trust their opinion? Possibly.

 

What you need is an objective opinion, and to be objective, you need some level of independence. 

 

We worked with an organisation that was repeatedly suffering system and network outages. They also struggled to recover data from back-ups. When speaking to their senior leadership team (SLT), we heard the IT Director repeatedly tell us it was because of a lack of investment in the technology: “Our own IT manager has reviewed the set-up and everything is 100% fine with the tools available to us. The problem is budget.”

 

Following a more technical and independent audit, we found several issues with the network configuration and security set-up. Not that the IT Manager wasn’t doing their job – they were simply not aware of these features. They were also too busy to fully research the most important aspects of the security settings.

 

Having an independent review of your security allows you to remain objective and gives your senior leadership team confidence that you’re doing everything you can to protect your business.

 

What the auditor is looking for


Note that the control states you should plan independent reviews, so the auditor will expect a review schedule from you that includes a list of the reviews you will perform annually.

 

The auditor will want to review the results of audits and reviews that have been carried out, and will want to know the responsible parties who conducted them. This could include vulnerability assessments, penetration tests, health and safety reviews, maintenance reviews (e.g. HVAC), and of course audits of your information security management system.

 

These reports need to show that an independent individual or company carried out your audits and reviews.

 

What do you need to do?


Firstly, you need to develop an audit plan so that you can capture all the audits and reviews that you will conduct. Developing an audit schedule is something we cover in our book, The Real Easy Guide to ISO27001. Clause 9, Performance Evaluation, outlines the need for internal audits, and that you need to select auditors and conduct audits in a way that ensures objectivity and impartiality.

 

Inter-departmental audits


For your internal audits, ask who will perform the reviews. If you are the person who developed your ISO27001 management system, then it should not be you performing the audit upon it. This might be an opportunity to upskill a member of your team and ask them to audit you, or it could be someone who works in a separate department. It’s important that they are trained in auditing and have the correct tools in order to perform the audit, but inter-departmental audits are a simple way of demonstrating objectivity and independence.

 

Our client maintains an Operations Team responsible for a variety of tasks at every office they operate in. We worked with them to help them develop skills in ISO27001 auditing, so that they could conduct onsite physical security audits and report back their findings to the management review team.

 

Other reviews


Speak to each area of your business and ask what other reviews and audits are undertaken, because it’s likely that some form of review or audit is already carried out. Your IT function will most likely have external pen tests carried out, or your finance function might have some form of annual external due diligence and risk review. Capture this information on your audit plan.

 

External audits


If you are struggling to build evidence of independence, then this is where you need the services of Consultants Like Us, who can not only help build your ISO27001 management system but can also offer evidence of independence via our network of associate consultants.


 

Q & A


Is it possible to get this wrong?

Yes, if you don’t have a plan and you don’t have some evidence of independence. If you’re struggling to evidence any level of objectivity, then you can point to your external ISO27001 audit, by your Certification Body (CB), as evidence that you have annual independent assurance. But this is a risky strategy and will almost certainly lead to an ‘Opportunity For Improvement’ (OFI) in your management system audit.

 

Do I have to audit all 93 Controls of Annex A, every year?

No, but some auditors will claim that you do. Nowhere in the standard does it state that all 93 Annex A controls should be audited every year. You should explain that your audits are based on risk, but aim to review all 93 controls over the 3-year lifecycle of your certificate.

 

By focusing your audits and reviews on risk you will get the most benefit from the management system, because you’re assessing the controls which need more attention. For example, why would you audit your physical premises if in fact all your data is Cloud based and your operations are in a managed building? If your critical services and products rely on the Cloud, you may choose to review your Cloud infrastructure and providers every six months, while conducting reviews of your physical controls every 2 years. However, if there is an incident in your office space, you might decide to conduct a review then.

 

Whichever way you decide to do it, make sure you have objectivity and independence in the review process.

 

Difficulty rating

We rate this control 1 out of 5 for difficulty. This control isn't complicated, but careful consideration is required to ensure that you can evidence the independence that the control is looking for. Speak to your business about the resources you need to show objectivity, and train people in the skill of auditing.

 


More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers on other aspects of the standard. Follow the links in this control to see its relationship to other controls, but if you’re still confused about this control, then please get in touch.

 

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.
