AuditFront

ISO 27001 A.5.36: Compliance with policies, rules and standards for information security

What This Control Requires

Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

In Plain Language

Writing security policies is only half the job. The other half is checking whether anyone actually follows them. This control is about systematically verifying that people and systems are complying with your policies, rules, and standards in practice.

There are two sides to this: personnel compliance (are people doing what the policies say?) and technical compliance (are systems configured to the standards you have set?). Both matter equally. A perfectly configured firewall does not help if someone is sharing credentials, and the best-trained team is exposed if servers are misconfigured.

When you find non-compliance, dig into the root cause. If the same area keeps failing, it might mean the policy is impractical, the training is not working, or nobody is enforcing consequences. Auditors pay close attention to whether you are actually verifying compliance, not just assuming it.

How to Implement

Build a compliance monitoring programme that systematically checks adherence to your security policies and standards across the organisation. Define what gets reviewed, how, by whom, and how often.

For personnel compliance, run regular checks: verify policy acknowledgments are signed, review security awareness assessment results, do clean desk checks, walk through physical security, observe security practices in action, review incident reports for policy violations, and sample user activity against acceptable use policies.

For technical compliance, automate as much as possible. Use SCAP scanners, CIS benchmark compliance checkers, cloud security posture management tools, and vulnerability scanners to monitor configurations against your defined baselines. Continuous monitoring beats periodic point-in-time snapshots every time.

Assign clear ownership. Managers monitor compliance within their teams. The security team runs organisation-wide assessments. Internal audit provides independent assurance. Bring in third-party specialists for areas needing specific expertise.

When you find non-compliance, document it properly: which policy or standard was violated, how severe it is, who or what is affected, and the evidence. Analyse root causes and implement corrective actions. For people issues, decide whether more training, process improvements, or disciplinary action is the right response. For technical issues, remediate and update your automation to prevent recurrence.

Report compliance status to management regularly with dashboards or reports showing trends, problem areas, and remediation progress. Use the data to inform risk assessments and prioritise security spending. Track improvement over time as a measure of how well your ISMS is working.
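The technical-compliance and findings-register steps above can be illustrated with a small check of an SSH daemon configuration against a defined baseline. This is an added example, not AuditFront's tooling or any product mentioned on the page: the baseline values, the standard reference IDs (SSH-STD-01 and so on) and the sample sshd_config are constructed for illustration. It shows two details that a naive checker gets wrong: sshd keeps only the first occurrence of a duplicated keyword, and an option that is absent from the file takes the daemon default, which must still be compared with the baseline. Each finding carries the fields the text asks for (standard violated, severity, affected host, evidence), and the summary gives per-severity counts for a management report.

```python
"""Check an sshd_config against a defined baseline and build a findings register.

Added example, not AuditFront's or any vendor's code. Baseline values, standard
reference IDs and the sample configuration are constructed for illustration.
"""
from collections import Counter

# Constructed baseline: option -> (expected value, severity, standard reference).
# The "SSH-STD-xx" references are placeholders for your own hardening standard.
SSH_BASELINE = {
    "PermitRootLogin": ("no", "high", "SSH-STD-01"),
    "PasswordAuthentication": ("no", "high", "SSH-STD-02"),
    "PermitEmptyPasswords": ("no", "high", "SSH-STD-03"),
    "X11Forwarding": ("no", "low", "SSH-STD-04"),
    "MaxAuthTries": ("4", "medium", "SSH-STD-05"),
}

# Values sshd applies when the option is not set at all (see sshd_config(5)).
# An absent option is not automatically compliant; it must be compared too.
SSHD_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}

# Constructed sample configuration for a host called web-01.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
permitrootlogin yes
PasswordAuthentication no
# duplicate keyword below: sshd ignores it, the first value wins
PasswordAuthentication yes
MaxAuthTries 10
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: (value, source line)} keeping the FIRST value
    of each keyword, as sshd does. Keywords are case-insensitive; blank lines
    and lines starting with '#' are skipped. The 'Keyword=value' form is not
    handled here for brevity."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value; sshd itself would reject this
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, (value, line))
    return settings


def check_compliance(config_text, host):
    """Compare a configuration against SSH_BASELINE and return a list of
    finding records: standard violated, severity, affected host, evidence."""
    settings = parse_sshd_config(config_text)
    findings = []
    for option, (expected, severity, standard) in SSH_BASELINE.items():
        found = settings.get(option.lower())
        if found is None:
            actual = SSHD_DEFAULTS[option]
            evidence = f"{option} not set; sshd default '{actual}' applies"
        else:
            actual, evidence = found
        if actual.lower() != expected.lower():
            findings.append({
                "host": host,
                "standard": standard,
                "option": option,
                "expected": expected,
                "actual": actual,
                "severity": severity,
                "evidence": evidence,
            })
    return findings


def summarize(findings):
    """Per-severity counts for a management report. Every severity key is
    present, even when zero, so that runs can be compared over time."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in ("high", "medium", "low")}


if __name__ == "__main__":
    register = check_compliance(SAMPLE_SSHD_CONFIG, "web-01")
    for f in register:
        print(f"[{f['severity'].upper()}] {f['host']} {f['standard']} {f['option']}: "
              f"expected {f['expected']!r}, actual {f['actual']!r} ({f['evidence']})")
    print("summary:", summarize(register))
```

Run against the sample, the checker reports two findings for web-01 (PermitRootLogin and MaxAuthTries) while correctly treating the duplicated PasswordAuthentication line and the absent PermitEmptyPasswords and X11Forwarding options as compliant. In a real programme the same record layout feeds the non-compliance register, and the per-severity summary is what trends in the management report.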

Evidence Your Auditor Will Request

  • Compliance monitoring programme documentation with scope and schedule
  • Technical compliance scan results against defined security baselines
  • Personnel compliance check records such as clean desk audits and acknowledgment tracking
  • Non-compliance findings register with root cause analysis and corrective actions
  • Compliance status reports provided to management

Common Mistakes

  • No systematic compliance monitoring programme exists beyond annual audits
  • Technical compliance is not monitored against defined baselines
  • Non-compliance findings are identified but not tracked through to remediation
  • Personnel compliance checks are not conducted regularly
  • Compliance reporting to management is insufficient to drive improvement

Related Controls Across Frameworks

Framework   Control ID     Relationship
SOC 2       CC4.1          Related
SOC 2       CC4.2          Related
NIS2        Art.21(2)(f)   Partial overlap

Frequently Asked Questions

How often should compliance reviews be conducted?

For technical compliance on critical systems, aim for continuous monitoring or at least weekly scans. Personnel checks like clean desk audits work well on a monthly or quarterly cycle. Policy acknowledgments should be verified annually and whenever someone joins. The general principle is risk-based frequency - higher-risk areas get reviewed more often. The worst approach is relying solely on an annual audit and hoping for the best in between.

What should we do about persistent non-compliance in a particular area?

Before blaming the people, question the policy. Is it actually practical to follow? Is the training clear enough? Do the tools support compliance or work against it? Are there real consequences for ignoring it? Persistent non-compliance usually points to a systemic problem rather than individual failings. Fix the root cause - revise impractical policies, improve training, provide better tooling, or establish clear consequences. Escalate to management if the issue keeps recurring despite your efforts.
