ISO 27001 Control 5.36: Compliance With Policies, Rules and Standards for Information Security

By Alan Parker

Overview

Compliance with an organisation's information security policy, topic-specific policies, rules, and standards is essential for safeguarding information assets. This control ensures that security practices are implemented effectively and regularly reviewed to align with organisational requirements and adapt to evolving risks. The result is a robust framework that preserves confidentiality, integrity, and availability, while meeting legal and compliance obligations.


Purpose

The primary objective of this control is to ensure that the organisation’s information security measures are consistently applied and operationally effective. By doing so, it enhances governance and provides assurance to stakeholders regarding the organisation’s commitment to protecting its information assets.


Guidance


Regular Review

Managers, service owners, product owners, or information owners should oversee compliance by identifying suitable review mechanisms to assess adherence to:

  • The overarching information security policy

  • Topic-specific policies and rules

  • Standards and applicable regulations


Automation in Compliance Monitoring

Organisations should leverage automated measurement and reporting tools to streamline regular reviews. These tools can:

  • Detect policy violations in real time

  • Generate compliance reports

  • Highlight areas that require immediate attention


Handling Non-compliance

When reviews identify non-compliance, the following steps should be undertaken:

  1. Identify Causes: Determine the root causes of the non-compliance, such as gaps in training, outdated policies, or process inefficiencies.

  2. Evaluate Corrective Actions: Assess the measures necessary to address gaps and prevent recurrence.

  3. Implement Corrective Actions: Apply the identified measures, such as updating procedures, enhancing staff awareness, or deploying new tools.

  4. Review Effectiveness: Evaluate the effectiveness of corrective actions and identify any residual weaknesses.


Record-Keeping and Reporting

To ensure accountability and transparency, organisations must:

  • Document the results of reviews and corrective actions comprehensively

  • Maintain organised and accessible records

  • Make review findings and corrective-action records available to independent reviewers (e.g., auditors or governance teams) when independent reviews take place


Timely Resolution

Corrective actions should be resolved promptly, proportional to the associated risk. If actions remain incomplete by the next scheduled review, progress should be tracked and addressed at that review.


Integration with Operational Monitoring

This control complements operational monitoring covered under controls 8.15, 8.16, and 8.17. Together, they form a cohesive framework enabling:

  • Proactive risk identification

  • Responsive actions to mitigate identified risks


Conclusion

Adherence to this control is foundational to the organisation’s broader security strategy. It fosters trust among stakeholders and ensures operations align with regulatory and business requirements. Regular reviews, supported by automation and diligent record-keeping, drive continuous improvement in the organisation’s information security posture.

About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.