Most organizations have security policies. Far fewer check whether anyone follows them. That gap between what’s documented and what’s practiced is exactly where breaches take root. ISO 27001 Annex A Control 5.36 exists to close it — requiring organizations to actively verify that their security policies, rules, and standards are being followed, not just filed away.
What 5.36 Requires
ISO 27001 Annex A 5.36 requires organizations to regularly review whether their information security policies, topic-specific rules, and standards are actually being followed — by both systems and people. When non-compliance is found, corrective action must be initiated and tracked to resolution.
In practical terms, this means:
- Reviewing system configurations against documented security policies to verify they match what’s required
- Assessing personnel activities to confirm staff are following the rules they’ve been trained on
- Documenting findings with evidence of who reviewed what, when, and what they found
- Initiating corrective actions with defined owners, timelines, and closure criteria when gaps are identified
- Reporting results to management so leadership has visibility into the organization’s actual compliance posture
A critical distinction: 5.36 is not the same as the formal internal audit required under Clause 9.2. The Clause 9.2 audit evaluates whether the entire ISMS conforms to ISO/IEC 27001:2022 requirements and the organization’s own planned arrangements. Control 5.36 is operational oversight — manager-led, system-owner-driven compliance checks that happen as part of day-to-day governance.
Think of it this way: Clause 9.2 asks “Is our management system working?” Control 5.36 asks “Are people and systems actually following the policies we wrote?”
These reviews must happen on a defined schedule — typically an annual cycle covering all policy areas — but they also need to be triggered by significant changes. A new regulation, a major system deployment, an organizational restructuring, or a merger all warrant out-of-cycle compliance reviews. Waiting for the next scheduled review after a material change defeats the purpose.
Why 5.36 Matters
Consider a mid-sized technology company with a well-documented password policy: minimum 14 characters, mandatory MFA, 90-day rotation for privileged accounts. The policy exists, it’s been approved by leadership, and it was communicated during onboarding.
But nobody checks. No manager reviews whether privileged accounts actually rotate on schedule. No system owner verifies that MFA is enforced across all applications rather than just the SSO portal. Over eighteen months, several service accounts accumulate with default credentials. A developer who left the company six months ago still has an active account with admin access to a staging environment that mirrors production data.
An attacker compromises that orphaned account through credential stuffing. Because no one verified compliance with the access management policy, the account still works. Because no one checked logging standards, the lateral movement goes undetected for weeks.
This scenario isn’t hypothetical — it’s a composite of the most common patterns auditors encounter. Non-compliance with an organization’s own stated policies is consistently among the top findings in ISO 27001 certification and surveillance audits. According to industry surveys, only 29% of organizations report following all recommended cybersecurity best practices, despite having formal policies in place.
Without active verification, policies become shelf-ware: documents that satisfy a checkbox during initial certification but provide no ongoing protection. The irony is that organizations invest significant resources in writing comprehensive policies, only to undermine that investment by never verifying adherence.
What Attackers Exploit
When compliance verification is absent, attackers benefit from predictable failure modes:
- Policies that exist on paper but aren’t enforced in practice — documented controls that create a false sense of security
- Password and access policies ignored by teams without regular manager oversight, leading to weak credentials and excessive permissions
- Outdated or orphaned accounts that routine compliance reviews would catch and disable
- Unreviewed third-party access persisting months or years beyond contract termination
- Logging and monitoring standards not uniformly applied across all systems, creating blind spots in detection coverage
- Missing corrective action follow-through — organizations identify gaps but never close them, leaving known vulnerabilities unaddressed
The common thread is governance failure. Each of these gaps results not from a missing policy but from a missing verification process. Attackers don’t need to find organizations without security policies — they just need to find organizations that don’t enforce the ones they have. Control 5.36 addresses this directly.
How to Implement 5.36
For Your Organization (First-Party)
Implementing 5.36 requires building a structured compliance review program that operates independently from your formal ISMS audit cycle. Here’s how to approach it:
1. Define scope, frequency, and ownership. Assign specific managers or system owners as reviewers for each policy area. The person conducting the review should not be the same person who wrote the policy — separation of duties prevents blind spots and conflicts of interest.
2. Build a compliance review schedule. Map every topic-specific policy to a review cadence. Most organizations use an annual full cycle, with triggered reviews for significant changes (new regulations, system migrations, organizational restructuring). Document this schedule so it’s auditable.
3. Create standardized review checklists. Each topic-specific policy should have a corresponding checklist that translates policy statements into verifiable questions. For example, if your access control policy requires quarterly access reviews, the checklist should ask: “Were Q1-Q4 access reviews completed? Provide evidence.”
4. Execute reviews against actual configurations, not just documentation. Verify that system configurations match policy requirements. Interview personnel to confirm awareness. Sample evidence rather than accepting attestations at face value. A review that only checks whether a policy document exists misses the entire point of 5.36.
5. Document findings in a compliance review log. Record the reviewer identity, date, scope, findings, and status for every review. This log becomes primary audit evidence and feeds into management review.
6. Initiate corrective actions with defined timelines. Every non-compliance finding needs an owner, a root cause analysis, a remediation plan, and a target closure date. Track these in a corrective action log — findings without follow-through are worse than useless because they demonstrate awareness without accountability.
7. Report results to management. Feed compliance review outcomes into your management review process (Clause 10.1 continual improvement). Leadership needs visibility into where policy compliance is strong and where it’s breaking down.
8. Consider tooling to support continuous checks. GRC platforms can automate review scheduling and evidence collection. SIEM tools can run automated compliance checks against logging and monitoring policies. Identity providers can verify access policy compliance in near-real-time.
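To make steps 4 to 6 and 8 concrete, here is an added example (not code from the article or from UpGuard) in Python: a small policy-as-code check that applies the scenario's password and access policy to a constructed account inventory and emits findings in the shape of the compliance review log and corrective action log described above. The policy values, the `Account` fields, the review date and the `it-ops` owner are assumptions.

```python
# Added example (not from the article): reviews a constructed account inventory against
# the scenario's policy and records findings with reviewer, date, scope, owner and due date.
from dataclasses import dataclass
from datetime import date, timedelta

POLICY = {"min_password_len": 14, "mfa_required": True, "privileged_rotation_days": 90}
REVIEW_DATE = date(2025, 10, 1)  # assumed date of the sample review run

@dataclass
class Account:
    name: str
    privileged: bool
    mfa_enrolled: bool
    password_len: int
    password_set: date        # when the current credential was set
    owner_active: bool        # False once the human owner has left
    default_credential: bool  # service account still on a vendor default

def review_account(acct, today):
    # Return (check, detail) pairs for every policy rule this account breaks.
    findings = []
    if not acct.owner_active:
        findings.append(("orphaned-account", "owner departed but account still enabled"))
    if acct.default_credential:
        findings.append(("default-credential", "service account uses a default credential"))
    if acct.password_len < POLICY["min_password_len"]:
        findings.append(("password-length", f"{acct.password_len} < {POLICY['min_password_len']}"))
    if POLICY["mfa_required"] and not acct.mfa_enrolled:
        findings.append(("mfa-missing", "MFA not enforced for this account"))
    age = (today - acct.password_set).days
    if acct.privileged and age > POLICY["privileged_rotation_days"]:
        findings.append(("rotation-overdue", f"privileged credential is {age} days old"))
    return findings

def compliance_review(accounts, reviewer, today, owner, sla_days=30):
    # Run the review; every finding becomes an open corrective-action record with a due date.
    due = (today + timedelta(days=sla_days)).isoformat()
    return [{"reviewer": reviewer, "date": today.isoformat(), "scope": "access-policy",
             "account": a.name, "check": check, "finding": detail,
             "owner": owner, "due": due, "status": "open"}
            for a in accounts for check, detail in review_account(a, today)]

# Constructed sample inventory (not real accounts) mirroring the scenario above.
SAMPLE = [
    Account("svc-backup", True, False, 8, date(2024, 1, 10), True, True),
    Account("j.dev-old", True, True, 16, date(2025, 3, 1), False, False),
    Account("alice", False, True, 18, date(2025, 9, 1), True, False),
]

if __name__ == "__main__":
    for rec in compliance_review(SAMPLE, "reviewer-assumed", REVIEW_DATE, "it-ops"):
        print(rec["account"], rec["check"], rec["finding"], "due", rec["due"])
```

Each record already carries the who/when/what that step 5 asks for and the owner and target closure date that step 6 asks for, so the same output can be appended to the review log and tracked to closure.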
Common mistakes to avoid:
- Treating 5.36 as identical to the Clause 9.2 internal audit — they serve different purposes and require different approaches
- Reviewing policies on paper without checking actual system configurations
- Assigning compliance reviews to people who also wrote the policy
- Identifying non-compliance but never tracking corrective actions to closure
- Running reviews only on an annual schedule without triggering them for significant changes
For Your Vendors (Third-Party Assessment)
When assessing vendor compliance with 5.36, you need to look beyond self-attestation.
Key questions to ask:
- “How do you verify that personnel follow your security policies?” Look for answers that describe a structured process, not just “we train everyone.”
- “What is your compliance review cadence?” Vendors should be able to cite a defined schedule, not just “when needed.”
Evidence to request:
- Compliance review reports showing findings, scope, and reviewer identity
- Corrective action logs demonstrating that non-compliance is tracked and resolved
- Management review minutes showing leadership oversight of compliance results
A telling signal: Ask for sample findings from recent reviews. Vendors who report zero non-compliance findings in every review period are likely not looking hard enough. Mature programs always find something — the question is whether they act on it.
Red flags:
- No documented review process beyond the annual certification audit
- Reviews delegated entirely to external auditors with no internal ownership
- No corrective action records
- Compliance reviews only triggered by certification timelines, not by operational changes
Verify beyond self-attestation: Request the vendor’s ISO 27001 certificate along with their Statement of Applicability. Confirm that 5.36 is included in scope. Ask for the most recent surveillance audit results and whether any non-conformities were raised against compliance verification. A thorough vendor risk assessment process should include these checks as standard practice.
Audit Evidence for 5.36
When preparing for an ISO 27001 audit, you need concrete artifacts that demonstrate compliance reviews are planned, executed, and acted upon.
| Evidence Type | Example Artifact |
|---|---|
| Compliance Review Policy | Policy document defining review scope, frequency, roles, and escalation procedures |
| Compliance Review Schedule | Annual review calendar showing planned and completed reviews per policy area |
| Compliance Review Reports | Completed review records with findings, reviewer identity, date, and scope |
| Corrective Action Log | Tracked non-compliance findings with root cause, remediation plan, owner, and closure date |
| Management Review Minutes | Meeting records showing compliance review results were reported to leadership |
| Automated Monitoring Evidence | Dashboard exports or SIEM reports showing continuous policy compliance checks |
| Training and Awareness Records | Evidence that reviewers are competent and personnel are aware of policies being reviewed |
The key principle: auditors want to see a closed loop. Policies are defined, reviews are planned, reviews are executed, findings are documented, corrective actions are tracked, and results are reported to management. Any break in this chain is a finding.
Cross-Framework Mapping
Control 5.36 maps broadly across compliance frameworks because policy compliance verification is a universal governance requirement. If you’re managing multiple frameworks, understanding these overlaps reduces duplicate effort.
NIST 800-53 Mappings
The following NIST 800-53 controls map to ISO 27001 5.36, based on the official NIST OLIR crosswalk. Each represents a “-01” policy control within its respective family:
| NIST 800-53 Control | Control Family | Coverage |
|---|---|---|
| AC-01 | Access Control Policy | Full |
| AT-01 | Awareness and Training Policy | Full |
| AU-01 | Audit and Accountability Policy | Full |
| CA-01 | Assessment, Authorization, and Monitoring Policy | Full |
| CA-02 | Control Assessments | Full |
| CA-07 | Continuous Monitoring | Full |
| CM-01 | Configuration Management Policy | Full |
| CP-01 | Contingency Planning Policy | Full |
| IA-01 | Identification and Authentication Policy | Full |
| IR-01 | Incident Response Policy | Full |
| MP-01 | Media Protection Policy | Full |
| PE-01 | Physical and Environmental Protection Policy | Full |
| PL-01 | Planning Policy | Full |
| PM-01 | Program Management Policy | Full |
| PS-01 | Personnel Security Policy | Full |
| RA-01 | Risk Assessment Policy | Full |
| SA-01 | System and Services Acquisition Policy | Full |
| SC-01 | System and Communications Protection Policy | Full |
| SI-01 | System and Information Integrity Policy | Full |
| SR-01 | Supply Chain Risk Management Policy | Full |
Other Framework Mappings
| Framework | Equivalent Control(s) | Coverage |
|---|---|---|
| SOC 2 | CC1.1 (Control Environment), CC4.1 (Monitoring Activities) | Partial |
| CIS Controls v8.1 | Control 4.1 (Establish and Maintain a Secure Configuration Process) | Partial |
| NIST CSF 2.0 | GV.OC-03 (Legal, regulatory, and contractual requirements) | Partial |
| DORA (EU) | Article 5 (ICT risk management framework governance) | Partial |
The breadth of NIST mappings reflects 5.36’s scope: because it covers compliance verification across all policy domains, it touches every “-01” policy control in NIST 800-53. For organizations pursuing both ISO 27001 and FedRAMP (or other NIST-based frameworks), a well-implemented 5.36 program provides substantial evidence reuse. For more detail on how ISO 27002 implementation guidance supports these controls, see our dedicated guide.
Related ISO 27001 Controls
Control 5.36 doesn’t operate in isolation. It connects to several other Annex A controls that either feed into or depend on compliance verification:
| Control ID | Control Name | Relationship |
|---|---|---|
| 5.1 | Policies for information security | Defines the policies that 5.36 verifies compliance with |
| 5.2 | Information security roles and responsibilities | Assigns the roles responsible for conducting compliance reviews |
| 5.35 | Independent review of information security | Provides independent validation; 5.36 is operational and manager-led |
| 5.37 | Documented operating procedures | Procedures that compliance reviews verify are followed |
| 5.4 | Management responsibilities | Management accountability for ensuring staff follow policies |
| 5.24 | Information security incident management planning | Non-compliance findings may trigger incident response |
| 8.15 | Logging | Logs provide technical evidence for compliance reviews |
| 8.16 | Monitoring activities | Automated monitoring supports continuous compliance verification |
The most important relationship is between 5.36 and 5.35. Control 5.35 is the independent review — conducted by parties not involved in day-to-day operations. Control 5.36 is the operational check — conducted by managers and system owners as part of routine governance. Both are necessary; neither replaces the other.
Frequently Asked Questions
What is ISO 27001 5.36?
ISO 27001 5.36 requires organizations to regularly audit and review systems and personnel activities to verify compliance with internal information security policies, standards, and rules — and to initiate corrective action when non-compliance is found. Unlike the formal internal audit under Clause 9.2, 5.36 focuses on operational checks often led by managers and system owners.
What happens if 5.36 is not implemented?
Without active compliance verification, security policies become shelf-ware — documented but not enforced. This creates gaps that attackers exploit and auditors flag. Organizations face certification non-conformities, increased breach risk from policy drift, and loss of customer trust when self-declared controls turn out to be unenforced.
How do you audit 5.36?
Auditors look for evidence that compliance reviews are planned, executed, and acted upon. They examine review schedules, completed review reports with findings, corrective action logs showing resolution of non-compliance, and management review minutes demonstrating leadership oversight. The key distinction: auditors want proof that managers are actively checking — not just waiting for the annual audit.
How UpGuard Helps
UpGuard’s platform provides continuous compliance monitoring across your organization and your vendor ecosystem — turning the verification requirements of 5.36 from a periodic manual exercise into an always-on capability. Monitor your security posture against policy requirements, track vendor compliance evidence, and identify gaps before auditors do. See how UpGuard supports your compliance program →