Annex A · Organisational Control

A.5.36 — Compliance with Policies, Rules and Standards

4 min read · Reviewed by: Cenedril Editorial
Tags: A.5.36 · ISO 27001 · ISO 27002 · BSI DER.3.1 · BSI DER.3.2

The organisation has a clear password policy: minimum 12 characters, complexity requirements, 90-day rotation. A compliance check reveals that 40% of service accounts use passwords that were last changed three years ago, and the legacy ERP system still accepts 6-character passwords. A.5.36 ensures that policies are verified in practice — because a policy that exists only on paper provides no security.

Writing policies is the first step. Verifying that they are followed is what makes them effective. A.5.36 closes the gap between documented rules and operational reality by requiring regular, systematic compliance checks.

What does the standard require?

  • Review compliance regularly. The organisation must regularly review whether information security is implemented and operated in accordance with its policies, topic-specific policies, rules and standards.
  • Assign management responsibility. Managers are responsible for ensuring compliance within their areas of authority.
  • Identify and address non-compliance. When non-compliance is detected, the organisation must determine the cause, implement corrective action and verify the effectiveness of the correction.
  • Record results. Compliance review results, non-conformities and corrective actions must be documented.
  • Use automated tools where appropriate. Automated compliance checking tools can support regular technical verification.

In practice

Create a compliance check schedule. Define which policies and standards are checked, how often, by whom and using what method. Distribute checks across the year to avoid concentration. High-risk areas warrant more frequent checks.

Empower department managers. Managers must understand the policies that apply to their area and have the tools and authority to verify compliance. Provide them with checklists and clear criteria for what constitutes compliance.

Implement technical compliance scanning. Use configuration management tools, vulnerability scanners and access review tools to automate the verification of technical standards. Compare scan results against the documented baseline and flag deviations.

Treat non-compliance as an improvement opportunity. When a compliance check reveals a gap, investigate whether the root cause is a training gap, a process failure, a tool limitation or an unrealistic policy requirement. Sometimes the policy needs updating — a finding can reveal that a policy is impractical and should be revised.

Typical audit evidence

Auditors typically expect the following evidence for A.5.36:

  • Compliance check schedule — annual plan showing which policies are reviewed, when and by whom
  • Compliance check reports — results of manual and automated reviews with findings and ratings
  • Non-compliance records — documented non-conformities with root-cause analysis
  • Corrective action records — evidence that non-conformities were addressed and effectiveness was verified
  • Automated scan reports — output from technical compliance scanning tools with trend data

KPI

% of IS policies and standards verified as compliant in latest audit

This KPI measures the overall compliance posture. For each policy and standard in scope, track whether the latest compliance check confirmed full compliance, partial compliance or non-compliance. Target: 100% full compliance, with intermediate targets based on maturity.

Supplementary KPIs:

  • Number of non-conformities identified per review cycle
  • Average time from non-conformity identification to corrective action completion
  • Percentage of corrective actions verified as effective within the defined timeframe

BSI IT-Grundschutz

A.5.36 maps to the BSI requirements for compliance verification:

  • BSI-Standard 200-2, Chapter 10 — continual improvement of the ISMS, including regular compliance reviews.
  • DER.3.1 (Audits and revisions) — framework for conducting compliance audits.
  • DER.3.2 (Revisions for specific areas) — detailed compliance verification for specific security domains.
  • ISMS.1.A11 (Internal ISMS audits) — internal audit requirements that support compliance verification.

A.5.36 verifies the operational effectiveness of policies.

Frequently asked questions

Who is responsible for compliance checking under A.5.36?

Department managers and process owners are responsible for ensuring that their areas comply with information security policies and standards. The CISO coordinates the overall compliance programme and may conduct or commission the actual checks. Internal auditors provide independent verification under A.5.35.

How does A.5.36 differ from A.5.35?

A.5.35 requires independent reviews of the ISMS by auditors who are structurally separate from the area being reviewed. A.5.36 is about ongoing operational compliance checking: managers regularly verifying that their teams follow the established policies and standards. Think of A.5.36 as continuous self-monitoring and A.5.35 as periodic independent verification.

Can compliance checks be automated?

Partially. Technical compliance (password policies, patch levels, access controls, encryption standards) can often be verified through automated scanning tools. Organisational compliance (process adherence, awareness, documentation quality) requires manual review. A combination of automated and manual checks provides the most complete picture.
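The following is an added example, not tooling from the page or from Cenedril, that illustrates both the "Implement technical compliance scanning" paragraph above and this answer: a small Python check that compares a constructed inventory against the documented password baseline from the opening scenario (12 characters, 90-day rotation), flags deviations, rates each policy as full, partial or non-compliant, marks organisational policies as needing manual review, and rolls everything up into the A.5.36 KPI. The account and system names, the check date, the organisational policy names and the rating rule (no deviation is full compliance; deviations in fewer than half of the checked items is partial) are all assumptions made for the example.

```python
"""Technical compliance check against a documented baseline (added example).

Not the page's or Cenedril's own tooling. Inventory, dates, policy names and
the full/partial/non-compliant rating rule are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Literal

Status = Literal["full", "partial", "non-compliant", "manual"]

# Documented baseline, taken from the opening scenario on this page.
BASELINE = {"password.min_length": 12, "password.max_age_days": 90}

# Organisational policies in scope that a scanner cannot verify (assumed names).
MANUAL_POLICIES = ["awareness.annual_training", "incident.process_adherence"]


@dataclass(frozen=True)
class Account:
    name: str
    system: str
    password_changed: date  # date of the last password change


@dataclass(frozen=True)
class SystemConfig:
    name: str
    min_password_length: int  # shortest password the system accepts


@dataclass(frozen=True)
class Finding:
    policy: str
    subject: str
    detail: str


def check_password_age(accounts: list[Account], today: date) -> list[Finding]:
    """Flag accounts whose password is older than the rotation period."""
    limit = BASELINE["password.max_age_days"]
    return [
        Finding("password.max_age_days", a.name,
                f"last changed {(today - a.password_changed).days} days ago on {a.system}")
        for a in accounts
        if (today - a.password_changed).days > limit
    ]


def check_min_length(systems: list[SystemConfig]) -> list[Finding]:
    """Flag systems that accept passwords shorter than the baseline minimum."""
    limit = BASELINE["password.min_length"]
    return [
        Finding("password.min_length", s.name,
                f"accepts {s.min_password_length}-character passwords")
        for s in systems
        if s.min_password_length < limit
    ]


def rate(deviations: int, population: int) -> Status:
    """Rating rule (an assumption, not from the standard): no deviation is full
    compliance, deviations in fewer than half of the checked items is partial,
    anything else is non-compliant."""
    if population <= 0:
        raise ValueError("nothing was checked")
    if deviations == 0:
        return "full"
    return "partial" if deviations * 2 < population else "non-compliant"


def run_checks(accounts: list[Account], systems: list[SystemConfig],
               today: date) -> dict[str, tuple[Status, list[Finding]]]:
    """Run every automated check and attach the items that need manual review."""
    age = check_password_age(accounts, today)
    length = check_min_length(systems)
    results: dict[str, tuple[Status, list[Finding]]] = {
        "password.max_age_days": (rate(len(age), len(accounts)), age),
        "password.min_length": (rate(len(length), len(systems)), length),
    }
    for policy in MANUAL_POLICIES:
        results[policy] = ("manual", [])
    return results


def compliance_kpi(results: dict[str, tuple[Status, list[Finding]]]) -> float:
    """Percentage of in-scope policies verified as fully compliant. Policies
    still awaiting manual review count against the KPI until reviewed."""
    if not results:
        return 0.0
    full = sum(1 for status, _ in results.values() if status == "full")
    return round(100.0 * full / len(results), 1)


# Constructed inventory: five service accounts, two of them (40 %) with
# passwords last changed about three years before the check date, and one
# legacy system that still accepts 6-character passwords.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("svc-backup", "legacy-erp", date(2021, 3, 15)),
    Account("svc-etl", "legacy-erp", date(2021, 1, 10)),
    Account("svc-monitor", "crm", date(2024, 4, 20)),
    Account("svc-web", "hr-portal", date(2024, 5, 15)),
    Account("svc-db", "crm", date(2024, 3, 10)),
]
SYSTEMS = [SystemConfig("legacy-erp", 6), SystemConfig("hr-portal", 12),
           SystemConfig("crm", 14)]

if __name__ == "__main__":
    results = run_checks(ACCOUNTS, SYSTEMS, TODAY)
    for policy, (status, findings) in results.items():
        print(f"{policy}: {status}")
        for f in findings:
            print(f"  - {f.subject}: {f.detail}")
    print(f"KPI: {compliance_kpi(results)} % of policies fully compliant")
```

With the constructed data both technical policies come out as partial (2 of 5 accounts and 1 of 3 systems deviate) and the two organisational policies remain "manual", so the KPI is 0 % until the deviations are corrected and the manual reviews are recorded. Each finding carries the policy it violates and the subject, which is the minimum a non-compliance record needs for the root-cause analysis the control asks for.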