Exam focus
A.5.35 is independent assurance, A.5.36 is regular compliance checking, and A.5.37 is controlled operational documentation.
Topic Summary
These controls close the A.5 organizational control set by checking whether the ISMS is independently reviewed, whether policies and standards are followed, and whether operating procedures are controlled and available.
Key Concepts
| Control | Exam cue |
|---|---|
| A.5.35 | Independent review at planned intervals or significant change |
| A.5.36 | Regular management and technical compliance review |
| A.5.37 | Documented, controlled, available operating procedures |
Common Exam Traps
- Thinking independent review must always be external.
- Treating policy review as the same as compliance review.
- Letting unauthorized people run technical testing tools.
- Closing findings without retest or effectiveness evidence.
- Assuming experienced operators remove the need for documented procedures.
Related Notes
- Iso27001
- Exam
- Assurance
Note Metadata
Source: 09-Exam-Preparation/EXAM-015-Assurance-Compliance-and-Operating-Procedures.md
Related Notes
- ISO 27001 A.5.35 - Independent Review of Information Security
- ISO 27001 A.5.36 - Compliance with Policies, Rules and Standards for Information Security
- ISO 27001 A.5.37 - Documented Operating Procedures
- Independent Information Security Review Plan and Report
- Operating Procedure Register
- Policy and Technical Compliance Review Register