The CISO reports to management that all 93 Annex A controls are implemented and effective. An independent review three months later reveals that 12 controls exist only on paper, 8 are partially implemented and 3 are completely absent. A.5.35 exists because self-assessment has inherent blind spots. An independent perspective is essential for ensuring that the ISMS actually works as intended.
Security teams are naturally close to the systems they build and operate. This proximity makes it difficult to assess their own work objectively. Independent reviews provide the external perspective needed to identify gaps, challenge assumptions and verify that controls are effective in practice.
What does the standard require?
- Review at planned intervals. The organisation’s approach to managing information security must be independently reviewed at defined intervals and when significant changes occur.
- Ensure reviewer independence. Reviewers must be independent from the activities they review. They must possess the necessary competence to assess information security management.
- Assess suitability, adequacy and effectiveness. The review evaluates whether the ISMS is still appropriate for the organisation’s context, whether controls are adequate for the identified risks and whether they are effective in practice.
- Report to management. Review results are communicated to the management level with authority to act on the findings.
- Implement corrective actions. When reviews identify deficiencies, the organisation must take corrective action and verify that the action was effective.
In practice
Establish an internal audit programme. In most organisations A.5.35 is delivered through the Clause 9.2 internal audit programme, supplemented by external reviews where internal independence or competence is lacking. Define which areas of the ISMS will be reviewed each year, who will conduct the reviews and what criteria will be used. The programme should cover all ISMS clauses and Annex A controls over a defined cycle (typically three years, aligned with the certification cycle), with audit frequency weighted towards high-risk areas and areas that have recently changed.
Select qualified and independent reviewers. Internal auditors should have completed auditor training (e.g. ISO/IEC 27001 Lead Auditor) and understand the technologies they are assessing. If internal resources are limited, engage external specialists for specific reviews. The crucial requirement is that reviewers do not assess their own work or areas they are responsible for; a security engineer auditing the access control process they operate is not an independent review.
Use a structured audit approach. Define audit criteria, scope and methods before each review. Conduct the review systematically: document interviews, sample evidence and test controls rather than accepting policy documents as proof of operation. Distinguish between major nonconformities, minor nonconformities, observations and opportunities for improvement.
Track findings to closure. Every finding receives a root-cause analysis, a corrective action, an owner and a deadline. The auditor verifies the effectiveness of the corrective action before closing the finding. This verification step is frequently missing and is a common audit finding in itself.
Typical audit evidence
Auditors typically expect the following evidence for A.5.35:
- Internal audit programme — multi-year plan showing which areas are reviewed when
- Auditor qualifications — evidence of competence and independence of reviewers
- Audit reports — structured reports with scope, findings and recommendations
- Corrective action tracker — evidence that findings were addressed, with root-cause analysis and effectiveness verification
- Management communication — evidence that review results were reported to top management
KPI
Number of independent IS reviews conducted within the last 12 months
This KPI tracks review activity. The target depends on the size and complexity of the ISMS, but at minimum one full cycle of reviews per certification period is expected. Track also the number of findings and the percentage of findings closed within their deadline.
Supplementary KPIs:
- Percentage of ISMS scope covered by independent reviews within the current audit cycle
- Average time from finding identification to corrective action completion
- Percentage of corrective actions verified as effective
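The KPIs above are easiest to keep honest when they are computed from the corrective action tracker itself rather than reported by hand. The following Python block is an added example, not part of the original page or any standard: it models one tracker row per finding and derives the review-activity KPIs from it. The field names, the five sample findings, the control scope and the reporting date are all constructed for illustration. It applies the closure rule from the "Track findings to closure" paragraph: a finding counts as closed only when the auditor has recorded effectiveness verification, so an owner marking an action "done" does not move the KPI.

```python
"""Corrective action tracker with the A.5.35 KPIs derived from it (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    finding_id: str
    control: str                     # Annex A control the finding relates to
    severity: str                    # "major", "minor" or "observation"
    identified: date
    deadline: date
    owner: Optional[str] = None
    root_cause: Optional[str] = None
    corrective_action: Optional[str] = None
    action_completed: Optional[date] = None    # date the owner reported the action done
    verified_effective: Optional[date] = None  # date the auditor verified effectiveness

    def is_closed(self) -> bool:
        # Only auditor verification closes a finding; "action done" alone does not.
        return self.verified_effective is not None

    def closed_on_time(self) -> bool:
        return self.is_closed() and self.verified_effective <= self.deadline

    def missing_fields(self) -> list:
        # Every finding needs a root cause, an action and an owner before it is trackable.
        return [n for n in ("root_cause", "corrective_action", "owner") if getattr(self, n) is None]


def kpis(findings, scope_controls, reviewed_controls, today):
    """Compute the review KPIs from tracker rows as of `today`."""
    closed = [f for f in findings if f.is_closed()]
    completed = [f for f in findings if f.action_completed is not None]
    scope = set(scope_controls)
    covered = scope & set(reviewed_controls)
    return {
        "findings_total": len(findings),
        "findings_closed": len(closed),
        # share of all findings closed (i.e. verified) on or before their deadline
        "pct_closed_on_time": round(100 * sum(f.closed_on_time() for f in findings) / len(findings), 1) if findings else 0.0,
        # average days from identification to the owner completing the action
        "avg_days_to_action": round(mean((f.action_completed - f.identified).days for f in completed), 1) if completed else None,
        # share of completed actions the auditor has verified as effective
        "pct_actions_verified": round(100 * len(closed) / len(completed), 1) if completed else None,
        # share of in-scope controls reviewed in the current audit cycle
        "pct_scope_covered": round(100 * len(covered) / len(scope), 1) if scope else 0.0,
        # open findings past their deadline, including unverified "done" actions
        "overdue_open": [f.finding_id for f in findings if not f.is_closed() and today > f.deadline],
        # findings that cannot be tracked properly because fields are missing
        "incomplete": {f.finding_id: f.missing_fields() for f in findings if f.missing_fields()},
    }


# Constructed sample tracker: five findings from one internal audit, assumed data.
SAMPLE_FINDINGS = [
    Finding("F-01", "A.8.15", "major", date(2024, 1, 15), date(2024, 3, 15), "ops-lead",
            "log forwarding not monitored", "add alert on forwarder heartbeat",
            action_completed=date(2024, 2, 20), verified_effective=date(2024, 3, 1)),
    Finding("F-02", "A.8.16", "minor", date(2024, 1, 15), date(2024, 3, 15), "soc-lead",
            "alert triage undocumented", "write and train triage runbook",
            action_completed=date(2024, 3, 10), verified_effective=date(2024, 4, 2)),
    # Owner says done, auditor has not verified: still open and now overdue.
    Finding("F-03", "A.5.1", "minor", date(2024, 2, 1), date(2024, 4, 1), "ciso-office",
            "policy review cycle missed", "schedule annual policy review",
            action_completed=date(2024, 3, 20)),
    # Logged without root cause or action: cannot be tracked to closure yet.
    Finding("F-04", "A.8.8", "observation", date(2024, 2, 1), date(2024, 6, 30), "it-lead"),
    Finding("F-05", "A.5.35", "major", date(2024, 2, 10), date(2024, 3, 10), "ciso-office",
            "auditor reviewed own area", "assign external reviewer for ISMS scope"),
]
SCOPE_CONTROLS = ["A.5.1", "A.5.35", "A.8.8", "A.8.15", "A.8.16"]   # assumed audit-cycle scope
REVIEWED_CONTROLS = ["A.8.15", "A.8.16", "A.5.1"]                   # assumed reviewed so far
AS_OF = date(2024, 5, 1)


def report():
    return kpis(SAMPLE_FINDINGS, SCOPE_CONTROLS, REVIEWED_CONTROLS, AS_OF)


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample data, only two of five findings are closed, one of them after its deadline, and F-03 shows the failure mode the page warns about: the owner reported the action complete six weeks ago, but without the auditor's effectiveness check it stays open and is now overdue.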
BSI IT-Grundschutz
A.5.35 maps to the BSI requirements for auditing and review:
- ISMS.1.A11 (Internal ISMS audits) — requires planned internal audits of the ISMS with qualified, independent auditors.
- DER.3.1 (Audits and revisions) — general framework for conducting security audits and reviews.
- DER.3.2 (Revisions based on the IS-Revision guide) — requirements for conducting IS revisions according to the BSI guide for information security revisions.
- BSI-Standard 200-2, Chapter 10 — maintenance and continual improvement of the ISMS, including internal audits.
- OPS.1.1.1.A22/A23 — operational security reviews and audits.
Related controls
A.5.35 provides the verification mechanism for the entire ISMS:
- A.5.33 — Protection of records: Audit reports are records that must be retained and protected.
- A.5.34 — Privacy and PII: Privacy controls should be included in the independent review scope.
- A.5.36 — Compliance with policies: Independent reviews verify compliance with policies established under A.5.1.
- A.5.37 — Documented operating procedures: Reviews should verify that documented procedures are followed in practice.
Sources
- ISO/IEC 27001:2022 Annex A, Control A.5.35 — Independent review of information security
- ISO/IEC 27002:2022 Section 5.35 — Implementation guidance
- BSI IT-Grundschutz, ISMS.1 — Security management
- BSI IT-Grundschutz, DER.3.1 — Audits and revisions