Control Stack
Annex A 5.36 ISO/IEC 27001:2022

Review compliance with information security policies

Regularly check if your organisation's security policies and rules are being followed.

🏛️ Framework

ISO/IEC 27001:2022

🧭 Control effect

Preventative

🧱 ISO 27001 domain

Organisational controls

🔐 Classifications

N/A

🗓️ Official last update

24 Oct 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 Maturity levels

N/A

Official control statement
Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

Source: ISO/IEC 27001:2022

Plain language

This control requires you to check regularly that your organisation is actually following its own information security policy, topic-specific policies, rules and standards. Without these checks, gaps between what the policies say and what staff actually do go unnoticed, which can leave security weaknesses in place and lead to data breaches or to breaches of legal obligations such as the Privacy Act 1988.

Why it matters

Without regular compliance reviews, departures from the organisation's security policies and standards go undetected and uncorrected, which increases both audit nonconformities and the likelihood of security incidents.

Operational notes

Schedule quarterly compliance reviews against the organisation’s information security and topic-specific policies; sample evidence (logs, approvals, training) and track corrective actions to closure.

Implementation tips

  • The IT manager should organise regular reviews to ensure compliance with the organisation's security policies. This means scheduling checks at a defined interval (monthly or quarterly, matching the agreed review schedule) in which current practice is compared against the requirements set out in the policy documents, and using tools that automatically measure and report on compliance where these make the reviews more efficient.
  • Department heads should ensure that their teams understand and follow the organisation's information security policies. This can be done through training sessions and quizzes that reinforce the rules and standards applicable to each role, referencing legal obligations such as the Privacy Act 1988 where they apply.
  • The HR department should maintain up-to-date records of all compliance training completed by employees, tracking participation in security awareness programs and making sure everyone attends refresher courses at least annually.
  • The compliance officer should identify the causes of any non-compliance and implement corrective actions as soon as it is found: investigate reported discrepancies, establish their root causes, work with the relevant managers to fix them, and then verify that the corrective actions were actually effective.
  • The board should ensure that management's compliance reviews are themselves subject to independent review. ISO/IEC 27001:2022 addresses this under a separate control, Annex A 5.35 (Independent review of information security); in practice this means having a party independent of the area being reviewed, such as internal audit or an external assessor, periodically audit the organisation's adherence to its own policies and the effectiveness of its compliance checks.

Audit / evidence tips

  • Ask: Request the most recent compliance review report.

    Good: The report should show clear methods of review and documented corrective actions with timelines and responsibilities.

  • Ask: Ask for the schedule of compliance reviews.

    Good: The schedule should indicate regular review intervals, such as monthly or quarterly, with records showing these reviews were completed on time.

  • Ask: Request records of training and awareness sessions.

    Good: Attendance records should cover all staff, including annual refresher sessions; completion rates and quiz or assessment results tracked over time are evidence that the training is actually effective, not just delivered.

  • Ask: Inquire about the process for dealing with non-compliance.

    Good: A detailed log with timely follow-up and satisfactory resolution for each issue indicates effective compliance management.

  • Ask: Request a report from an independent review, if one has been conducted recently.

    Good: The independent review should confirm adherence to policies and identify areas for improvement; because the reviewer is independent of the area reviewed, it provides objective assurance that management's own compliance checks are working.

Cross-framework mappings

How Annex A 5.36 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ASD ISM

Control: Notes

Partially meets (2)
ISM-1037: ISM-1037 requires gateways to be tested after changes and at least every six months to validate conformance to expected security configur...
ISM-1523: ISM-1523 requires a three‑monthly review of a sample of CDS security-relevant events against data transfer security policies to identify ...

Partially overlaps (4)
ISM-0072: Annex A 5.36 requires organisations to regularly review compliance with information security policies, rules and standards
ISM-0718: ISM-0718 mandates regular cyber security reporting by the CISO to the board
ISM-1738: Annex A 5.36 requires organisations to regularly review compliance with information security policies, rules and standards
ISM-1971: ISM-1971 mandates periodic ASD security assessments for TOP SECRET managed services, providing formal assurance against the ISM baseline

Supports (18)
ISM-0039: ISM-0039 requires the organisation to maintain an effective cyber security strategy over time
ISM-0041: Annex A 5.36 requires regularly reviewing compliance with information security policies, rules and standards
ISM-0264: ISM-0264 requires an organisation to maintain an email usage policy, implying it should remain effective and relevant over time
ISM-0588: ISM-0588 requires an MFD usage policy to be developed, implemented and maintained to govern how MFDs are used
ISM-0724: ISM-0724 requires the CISO to implement metrics and KPIs to measure and track cyber security performance in the organisation
ISM-1359: ISM-1359 requires an organisation to develop, implement and maintain a removable media usage policy to manage removable media risks
ISM-1478: ISM-1478 requires the CISO to oversee the organisation’s cyber security program and ensure compliance with cyber security policies, stand...
ISM-1533: ISM-1533 requires the organisation to develop, implement and maintain an MDM policy
ISM-1549: ISM-1549 requires an organisation to develop, implement, and maintain a media management policy
ISM-1551: ISM-1551 requires the organisation to implement and maintain an IT equipment management policy
ISM-1617: ISM-1617 requires the CISO to regularly review and update the cyber security program for alignment with evolving threats and opportunities
ISM-1755: ISM-1755 requires a vulnerability disclosure policy to be developed, implemented and maintained over time
ISM-1763: ISM-1763 requires organisations to standardise ECDSA signature configurations to approved NIST curves, preferably P-384
ISM-1864: ISM-1864 requires a system usage policy to be developed, implemented, and maintained
ISM-1884: ISM-1884 requires compliance with ASD EMSEC doctrine, including verifying that required emanation controls are actually followed in relev...
ISM-1956: ISM-1956 requires organisations to maintain a recurring AD FS certificate change practice (at least annually) and an accelerated double-r...
ISM-1997: Annex A 5.36 requires regular reviews to confirm compliance with the organisation’s information security policies, rules and standards
ISM-1998: ISM-1998 requires executive leadership to integrate cyber security across all business functions, which implies ongoing oversight of how ...

Depends on (2)
ISM-1078: Annex A 5.36 requires regular review of compliance with the organisation’s information security policies, topic-specific policies, rules ...
ISM-2074: ISM-2074 requires an organisation to develop, implement and maintain a general-purpose AI usage policy

Related (1)
ISM-0499: Annex A 5.36 requires organisations to regularly review whether information security policies and standards are being complied with
