Theme: Organisational | Control type: Preventive | Cybersecurity concept: Identify

A.5.35 Independent Review of Information Security

M365 Admin Path: SharePoint > ISMS > Audit Programme

Evidence Source: Manual

What is this control?

ISO 27001 control A.5.35 Independent Review of Information Security ensures the ISMS is subject to planned independent reviews, including internal audits, external certification audits, and customer audits, to validate the continuing suitability, adequacy, and effectiveness of controls. Reviews are coordinated through a formal Audit Programme Register, and all findings are tracked in the Corrective Action Register. This control supports the Plan-Do-Check-Act cycle of the ISMS.

How to implement in Microsoft 365

Implement A.5.35 by establishing and maintaining a formal Audit Programme Register in SharePoint that lists all planned internal and external audits. Plan a full Internal Audit at least annually, ensuring auditors are independent and do not audit their own work. Grant auditors read-only access to the relevant systems using the Global Reader and Microsoft Sentinel Reader roles.

Use Microsoft Purview Compliance Manager as the primary evidence source for technical control assessment. Engage an accredited certification body for annual surveillance audits and triennial recertification audits. Log all audit findings in the central Corrective Action Register with assigned owners and resolution tracking.
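The auditor-access step above is the one part of this procedure that is a concrete M365 administration task. The following PowerShell is an added example, not code from the original page or from any Microsoft documentation: it grants an auditor account the two read-only roles named above and then checks that the account holds nothing beyond them, so audit independence and least privilege can be evidenced. It assumes the Microsoft.Graph and Az modules are installed, that the caller can manage Entra directory roles and workspace RBAC, and the account name and workspace resource ID are placeholders.

```powershell
# Added example (not from the original page): grant an internal auditor read-only
# access for an ISO 27001 A.5.35 review, then verify the account holds nothing more.
# Assumes the Microsoft.Graph and Az PowerShell modules are installed and that the
# caller can assign Entra directory roles and Azure RBAC on the Sentinel workspace.
# The account UPN and workspace resource ID below are placeholders.

$AuditorUpn        = 'auditor@contoso.example'   # placeholder auditor account
$SentinelWorkspace = '/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>'  # placeholder scope

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory','User.Read.All','Directory.Read.All'
Connect-AzAccount | Out-Null

$user = Get-MgUser -UserId $AuditorUpn

# --- 1. Entra ID: Global Reader (read-only view of the M365 admin centres) ---
# A directory role must be activated from its template before it can take members.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Reader'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Reader'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}
$alreadyMember = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | Where-Object Id -eq $user.Id
if (-not $alreadyMember) {
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
}

# --- 2. Azure RBAC: Microsoft Sentinel Reader, scoped to the single workspace only ---
$existing = Get-AzRoleAssignment -ObjectId $user.Id -Scope $SentinelWorkspace -RoleDefinitionName 'Microsoft Sentinel Reader'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Microsoft Sentinel Reader' -Scope $SentinelWorkspace | Out-Null
}

# --- 3. Independence / least-privilege check: the auditor must hold no write roles ---
# Any role beyond the read-only set is reported so it can be removed before the audit
# and the report itself can be filed with the Audit Programme Register as evidence.
$allowedDirectoryRoles = @('Global Reader')
$heldDirectoryRoles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
$unexpectedDirectoryRoles = $heldDirectoryRoles | Where-Object { $_ -notin $allowedDirectoryRoles }

$allowedRbacRoles = @('Microsoft Sentinel Reader', 'Reader', 'Log Analytics Reader')
$unexpectedRbacRoles = Get-AzRoleAssignment -ObjectId $user.Id |
    Where-Object { $_.RoleDefinitionName -notin $allowedRbacRoles } |
    Select-Object RoleDefinitionName, Scope

[pscustomobject]@{
    Auditor                  = $AuditorUpn
    DirectoryRoles           = ($heldDirectoryRoles -join ', ')
    UnexpectedDirectoryRoles = ($unexpectedDirectoryRoles -join ', ')
    UnexpectedRbacRoles      = (($unexpectedRbacRoles | ForEach-Object { "$($_.RoleDefinitionName) @ $($_.Scope)" }) -join '; ')
    IndependenceOk           = (-not $unexpectedDirectoryRoles) -and (-not $unexpectedRbacRoles)
}
```

The script deliberately reports rather than removes unexpected roles, so that a human decides what to revoke and the decision is recorded. Scoping the Sentinel role to the workspace resource ID, not the subscription, keeps the auditor's view limited to the logs in scope for the audit; where Privileged Identity Management is licensed, making both assignments eligible and time-bound for the audit window is the stronger option.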

What an auditor looks for

Auditors will verify a formal Audit Programme Register with internal and external audits scheduled within the next 12 months. They will check for a completed Internal Audit Report dated within the last 12 months, with scope, findings, and nonconformities documented. Auditors will review the Corrective Action Register to confirm that findings are logged with assigned owners and that resolution status is tracked.

They will verify evidence of the auditors' credentials and confirmation of audit independence. Auditors will also check for a valid ISO 27001 certificate, if applicable, issued by an accredited certification body.