When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this during internal audits to test whether A.5.36 Compliance with Policies, Rules and Standards for Information Security is designed, implemented, operating, and evidenced.
Audit checklist
- Compliance review plan covers policies, rules, standards, management areas, technical systems, frequency, method, and owner.
- Management reviews or spot checks show policy compliance in each area of responsibility.
- Technical compliance checks cover relevant systems and are performed by competent authorized personnel.
- Testing tools are controlled, approved, and scoped to prevent misuse or accidental testing of wrong systems.
- Findings trace to root cause, corrective action, implementation evidence, and effectiveness verification.
- Patterns are reviewed to find similar issues elsewhere.
Evidence requested
- Review/procedure/register reviewed.
- Responsible owner interviewed.
- Sample records selected.
- Evidence location recorded.
- Gaps converted into findings or corrective actions.
Related notes
- Iso27001
- ISO27002
- Template
- Audit
- A5 36
Note Metadata
Aliases: A.5.36 Checklist
Source: 90 Templates/A.5.36 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.