
Control 5.36: Compliance with Policies, Rules and Standards for Information Security


Summary

Managers should regularly review whether the information processing and procedures within their area of responsibility comply with the applicable security policies, rules, and standards.


Applicability

In-Scope: Essential for moving security from a paper exercise to daily operations. It ensures that managers are accountable for security compliance within their own teams.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Dashboarding: Use Microsoft Power BI to create compliance dashboards for department heads, showing metrics like MFA adoption or unpatched devices in their teams.

  • Automated Reminders: Use Microsoft Viva Insights or Teams notifications to remind managers to complete periodic access reviews or policy acknowledgments.

  • Endpoint Compliance: Configure Microsoft Intune Compliance Policies to automatically block devices from company resources if they fall out of compliance with security standards.
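The dashboarding and endpoint-compliance bullets above describe what a manager should see but not how the per-department numbers are produced. The following is an added example, not code from this page or from Microsoft: a Python roll-up that joins a directory export, the MFA-registration report and Intune device compliance by department, and flags any department below an assumed 90% target so its manager knows a review is due. Field names mirror the Microsoft Graph responses named in the docstring; the records, the `example.com` accounts, the device names and the `TARGET_RATE` value are all constructed assumptions, and no live call is made.

```python
"""Per-department security compliance roll-up for manager dashboards.

Added example for Control 5.36. The three inputs mirror the shape of
Microsoft Graph responses (field names only; no live call is made):
  - /users?$select=userPrincipalName,department
  - /reports/authenticationMethods/userRegistrationDetails (isMfaRegistered)
  - /deviceManagement/managedDevices (complianceState, userPrincipalName)
All records below are constructed sample data, not a tenant export.
"""
from collections import defaultdict

# Constructed sample data (not a real tenant export).
USERS = [
    {"userPrincipalName": "alice@example.com", "department": "Finance"},
    {"userPrincipalName": "bob@example.com", "department": "Finance"},
    {"userPrincipalName": "carol@example.com", "department": "Engineering"},
    {"userPrincipalName": "dave@example.com", "department": "Engineering"},
    {"userPrincipalName": "erin@example.com", "department": "Engineering"},
    {"userPrincipalName": "frank@example.com", "department": None},  # no department set
]
MFA_DETAILS = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "Bob@example.com", "isMfaRegistered": False},  # case differs from directory
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "dave@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "erin@example.com", "isMfaRegistered": True},
    {"userPrincipalName": "frank@example.com", "isMfaRegistered": False},
    {"userPrincipalName": "ghost@example.com", "isMfaRegistered": True},  # stale row, not in /users
]
DEVICES = [
    {"deviceName": "FIN-LT-01", "userPrincipalName": "alice@example.com", "complianceState": "compliant"},
    {"deviceName": "FIN-LT-02", "userPrincipalName": "bob@example.com", "complianceState": "noncompliant"},
    {"deviceName": "FIN-LT-03", "userPrincipalName": "bob@example.com", "complianceState": "inGracePeriod"},
    {"deviceName": "ENG-LT-01", "userPrincipalName": "carol@example.com", "complianceState": "compliant"},
    {"deviceName": "ENG-LT-02", "userPrincipalName": "dave@example.com", "complianceState": "compliant"},
    {"deviceName": "ENG-LT-03", "userPrincipalName": "erin@example.com", "complianceState": "compliant"},
    {"deviceName": "LOBBY-KIOSK", "userPrincipalName": None, "complianceState": "compliant"},  # shared, no owner
]

TARGET_RATE = 0.90  # assumed internal target; take the real value from your own standard
UNASSIGNED = "Unassigned"


def build_department_report(users, mfa_details, devices, target=TARGET_RATE):
    """Return {department: metrics} with per-department MFA and device compliance rates.

    Only 'compliant' counts as compliant; 'inGracePeriod' is a device that is
    about to be blocked, so it is listed as a gap rather than hidden.
    """
    dept_of = {u["userPrincipalName"].lower(): u.get("department") or UNASSIGNED for u in users}
    stats = defaultdict(lambda: {"users": 0, "mfa_registered": 0, "mfa_gaps": [],
                                 "devices": 0, "compliant_devices": 0, "device_gaps": []})
    for upn, dept in dept_of.items():
        stats[dept]["users"] += 1
    for row in mfa_details:
        upn = row["userPrincipalName"].lower()
        dept = dept_of.get(upn)
        if dept is None:
            continue  # report row for an account no longer in the directory export
        if row.get("isMfaRegistered"):
            stats[dept]["mfa_registered"] += 1
        else:
            stats[dept]["mfa_gaps"].append(upn)
    for dev in devices:
        owner = (dev.get("userPrincipalName") or "").lower()
        dept = dept_of.get(owner, UNASSIGNED)  # ownerless devices still need an accountable manager
        stats[dept]["devices"] += 1
        if dev.get("complianceState") == "compliant":
            stats[dept]["compliant_devices"] += 1
        else:
            stats[dept]["device_gaps"].append(f'{dev["deviceName"]} ({dev.get("complianceState")})')
    report = {}
    for dept, s in stats.items():
        mfa_rate = round(s["mfa_registered"] / s["users"], 3) if s["users"] else None
        device_rate = round(s["compliant_devices"] / s["devices"], 3) if s["devices"] else None
        below = [r for r in (mfa_rate, device_rate) if r is not None and r < target]
        report[dept] = {**s, "mfa_rate": mfa_rate, "device_rate": device_rate,
                        "needs_review": bool(below)}
    return report


def format_report(report):
    """One line per department, suitable for a Teams message or review minutes."""
    lines = []
    for dept in sorted(report):
        m = report[dept]
        flag = "REVIEW" if m["needs_review"] else "ok"
        lines.append(f'{dept:<12} users={m["users"]} mfa={m["mfa_rate"]} '
                     f'devices={m["devices"]} compliant={m["device_rate"]} [{flag}]')
    return lines


if __name__ == "__main__":
    rep = build_department_report(USERS, MFA_DETAILS, DEVICES)
    print("\n".join(format_report(rep)))
    for dept, m in rep.items():
        if m["needs_review"]:
            print(f"{dept}: MFA gaps {m['mfa_gaps']}; device gaps {m['device_gaps']}")
```

Two design points matter for the evidence this control asks for: the join is keyed on a lower-cased UPN, because the registration report and the directory do not always agree on case, and a stale report row for an account that no longer exists is dropped rather than inflating a department's count; and ownerless devices are rolled into an "Unassigned" bucket so they surface on somebody's dashboard instead of silently falling outside every manager's area of responsibility.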


Evidence Checklist

  • Management Review Minutes: Records of meetings where managers discussed the security compliance status of their specific departments.

  • Compliance Reports: Periodic reports showing the status of technical controls (e.g., encryption status or training completion) broken down by department.

  • Disciplinary Actions: (If applicable) Evidence that failures to comply with security policies were addressed through formal HR processes.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do department managers verify that their staff are following the specific security procedures relevant to their roles?

  • What reporting tools do managers have access to that allow them to see the real-time security posture of their teams?

  • How often are these internal compliance reviews conducted, and how are the results documented?

  • What is the process for a manager to report a systemic compliance issue they have identified to the CISO?