Control 5.35: Independent Review of Information Security
Summary
The organization's approach to managing information security and its implementation (e.g., control objectives, controls, policies, processes, and procedures) should be reviewed independently at planned intervals or when significant changes occur.
Applicability
In-Scope: Mandatory for maintaining ISO 27001 certification. It provides an objective assessment of the effectiveness of the ISMS and identifies gaps that internal teams might miss.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Audit Access: Create a dedicated Auditor Role in Microsoft Purview with read-only access to configuration settings and audit logs for the duration of the review.
- Compliance Reporting: Use the Microsoft Purview Compliance Score to generate automated reports that show the current state of technical controls for the auditor.
- Evidence Collection: Utilize the Evidence Manager within Compliance Manager to organize and share configuration screenshots and logs with the independent reviewer.
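The "Audit Access" step above can be scripted so that the reviewer's access is read-only, time-bound and recorded as evidence. The following PowerShell is an added example written for this page, not code from the original page or from Microsoft; the reviewer account, role group name, the 14-day review window and the evidence file path are assumptions, the two view-only Purview role names are assumed to exist in the tenant, and the time-bound Entra ID assignment relies on Privileged Identity Management being available.

```powershell
# Added example (not from the original page): provision a time-bound, read-only
# reviewer role for an independent ISMS review in Microsoft 365 / Entra ID,
# then write the assignment details to an evidence file for the audit record.

# --- Assumptions (edit for your tenant) ---
$ReviewerUpn   = "auditor@example.com"          # placeholder: the independent reviewer's account
$ReviewStart   = (Get-Date).ToUniversalTime()
$ReviewEnd     = $ReviewStart.AddDays(14)       # assumed review window; access lapses when it closes
$RoleGroupName = "ISMS Independent Reviewer"    # assumed name for the custom Purview role group
$EvidencePath  = "$HOME\control-5.35-access-evidence.json"

# 1) Purview: a custom role group that holds only view-only roles.
#    Requires the ExchangeOnlineManagement module; Connect-IPPSSession opens
#    Security & Compliance PowerShell. Role names below are assumed to exist.
Connect-IPPSSession
$viewOnlyRoles = @("View-Only Audit Logs", "View-Only Configuration")
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName -Roles $viewOnlyRoles `
        -Description "Read-only access for independent ISMS review (Control 5.35)"
}
Add-RoleGroupMember -Identity $RoleGroupName -Member $ReviewerUpn

# 2) Entra ID: a Global Reader assignment that expires on its own, created as a
#    PIM schedule request so no one has to remember to revoke it.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"
$reviewer = Get-MgUser -UserId $ReviewerUpn
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
$request  = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Action "adminAssign" `
    -PrincipalId $reviewer.Id -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/" `
    -Justification "Independent review of the ISMS (ISO 27001 Control 5.35)" `
    -ScheduleInfo @{
        startDateTime = $ReviewStart
        expiration    = @{ type = "afterDateTime"; endDateTime = $ReviewEnd }
    }

# 3) Evidence: record who was granted what, and until when, for the audit file.
[pscustomobject]@{
    reviewer     = $ReviewerUpn
    purviewGroup = $RoleGroupName
    purviewRoles = $viewOnlyRoles
    entraRole    = $roleDef.DisplayName
    requestId    = $request.Id
    validFrom    = $ReviewStart.ToString("o")
    validUntil   = $ReviewEnd.ToString("o")
} | ConvertTo-Json | Set-Content -Path $EvidencePath
```

The Entra ID assignment ends automatically at $ReviewEnd, but the Purview role group membership does not expire, so the close-out step of the review should run `Remove-RoleGroupMember -Identity $RoleGroupName -Member $ReviewerUpn` and keep the resulting evidence file alongside the internal or external audit report.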
Evidence Checklist
- Internal Audit Reports: Documentation of security reviews conducted by individuals not involved in the day-to-day management of the ISMS.
- External Audit Records: Formal reports from third-party auditors (e.g., Stage 1 or Stage 2 certification reports).
- Management Response: Evidence that management reviewed the audit findings and approved a plan to address any non-conformities.
Practical Audit Advice
Here are some questions the auditor might ask:
- How do you ensure that the person or firm conducting the security review is truly independent of the team they are auditing?
- What was the scope of your last independent review, and were all 93 Annex A controls considered?
- Can you provide evidence of a specific security improvement that was made as a direct result of an independent audit finding?
- How does management stay informed about the status of open findings from previous reviews?