Organisational | Preventive | Identify

A.5.36 Compliance with Policies, Rules and Standards for Information Security

M365 Admin Path: Microsoft Purview compliance portal > Compliance Manager

Evidence Source: Multiple Sources

What is this control?

ISO 27001 control A.5.36 Compliance with Policies, Rules and Standards for Information Security requires that compliance with the organisation's information security policy, topic-specific policies, rules and standards is regularly reviewed, so that information security and privacy are operated in conformity with the ISMS rather than merely documented in it. In a Microsoft 365 environment the review is delivered through three mechanisms: managerial oversight, technical monitoring via Microsoft Purview Compliance Manager and Intune Device Compliance, and periodic independent audits. Every non-conformity these mechanisms surface is formally logged in the Corrective Action Register and tracked to closure.

How to implement in Microsoft 365

Implement A.5.36 by assigning managers accountability for their teams' conformity with ISMS policies via A.5.4 (Management responsibilities), and by including conformity expectations in induction material and in the disciplinary process (A.6.4). Deploy Microsoft Purview Compliance Manager with the ISO 27001 and CIS Benchmark assessments and monitor the compliance score; note that the score is refreshed periodically, not in real time, and that many improvement actions are satisfied by manual attestation rather than automated testing, so the score is an indicator of progress, not proof of operating effectiveness. Configure Intune Device Compliance policies for disk encryption, antivirus and the other baseline requirements, and pair them with a Conditional Access policy that requires a compliant device so that non-conformant devices are blocked from accessing organisational data.
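The Intune compliance policy and the Conditional Access policy described above, as an added example using the Microsoft Graph PowerShell SDK. This is illustrative code, not from the original page: the policy names, the break-glass account object ID and the "all devices" assignment are assumptions, and the Conditional Access policy is created in report-only mode so it can be validated before it starts blocking sign-ins.

```powershell
# Added example (not part of the original page). Requires the Microsoft.Graph
# PowerShell SDK and an account holding the scopes requested below.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All"

# --- 1. Intune device compliance policy: encryption + antivirus baseline ---
$compliancePolicy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "ISMS baseline - Windows (encryption + AV)"   # assumed name
    description            = "A.5.36 device conformity requirements"
    bitLockerEnabled       = $true    # OS drive must be BitLocker-encrypted
    secureBootEnabled      = $true
    activeFirewallRequired = $true
    defenderEnabled        = $true    # Microsoft Defender Antimalware present
    rtpEnabled             = $true    # real-time protection switched on
    antivirusRequired      = $true    # a registered antivirus product is active
    antiSpywareRequired    = $true
    # Graph rejects a compliance policy without scheduledActionsForRule; this
    # entry is what turns a failed check into a "non-compliant" device state
    # (actionType "block", no grace period).
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliancePolicy

# Assign the policy to all devices (assumption: a single all-devices target)
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign" `
    -Body @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
        )
    }

# --- 2. Conditional Access: require a compliant device for all cloud apps ---
$caPolicy = @{
    displayName   = "ISMS - Require compliant device for all apps"         # assumed name
    state         = "enabledForReportingButNotEnforced"  # report-only first, then "enabled"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")  # placeholder, keep excluded
        }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("windows") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
"Compliance policy $($policy.Id) and CA policy $($ca.Id) created (CA in report-only mode)"
```

Run the Conditional Access policy in report-only mode for a few days and review the sign-in log "Report-only" results before switching `state` to `enabled`; the excluded break-glass account is what keeps you from locking administrators out if the compliance evaluation misfires.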

In Azure DevOps, add a build validation branch policy to the production branch whose required pipeline runs the Microsoft Security DevOps scan (the task behind Microsoft Defender for DevOps, now surfaced as DevOps security in Microsoft Defender for Cloud); because the policy is blocking, a pull request cannot complete until the scan pipeline has passed. Log every non-conformity identified by any of these mechanisms in the Corrective Action Register with an assigned owner, a remediation plan and a target date.
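The blocking build validation policy on the production branch, as an added example that is not part of the original page. It calls the Azure DevOps REST API directly with Invoke-RestMethod; the organisation, project, repository GUID, pipeline definition ID and the `AZDO_PAT` environment variable are placeholders, and the example assumes that pipeline already contains the `MicrosoftSecurityDevOps@1` task.

```powershell
# Added example (not part of the original page). Registers a blocking build
# validation policy on refs/heads/main so a pull request cannot be completed
# until the security-scan pipeline has succeeded, then lists what is enforced.
$Org               = "contoso"              # placeholder
$Project           = "isms"                 # placeholder
$RepoId            = "<repository-guid>"    # placeholder
$BuildDefinitionId = 42                     # placeholder: pipeline running MicrosoftSecurityDevOps@1
$Pat               = $env:AZDO_PAT          # PAT with Code (read & write) scope

$headers = @{
    Authorization  = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
    "Content-Type" = "application/json"
}
$baseUri = "https://dev.azure.com/$Org/$Project/_apis/policy/configurations"

# 0609b952-... is the policy type id Azure Repos uses for "Build" (build validation)
$policy = @{
    isEnabled  = $true
    isBlocking = $true                       # a failed or missing scan blocks the merge
    type       = @{ id = "0609b952-1397-4640-95ec-e00a01b2c241" }
    settings   = @{
        buildDefinitionId       = $BuildDefinitionId
        displayName             = "Security scan (Microsoft Security DevOps)"
        queueOnSourceUpdateOnly = $true      # re-run automatically on every push to the PR
        manualQueueOnly         = $false
        validDuration           = 720        # minutes; a stale result expires after 12 hours
        scope = @(
            @{ repositoryId = $RepoId; refName = "refs/heads/main"; matchKind = "Exact" }
        )
    }
}

$created = Invoke-RestMethod -Method Post -Uri "$baseUri`?api-version=7.1" `
    -Headers $headers -Body ($policy | ConvertTo-Json -Depth 6)
"Created blocking policy $($created.id) on $($created.settings.scope[0].refName)"

# Evidence for the auditor: every enabled, blocking policy scoped to main
$all = Invoke-RestMethod -Method Get -Uri "$baseUri`?api-version=7.1" -Headers $headers
$all.value |
    Where-Object { $_.isEnabled -and $_.isBlocking -and
                   ($_.settings.scope.refName -contains "refs/heads/main") } |
    Select-Object id,
        @{ n = "type"; e = { $_.type.displayName } },
        @{ n = "name"; e = { $_.settings.displayName } }
```

The second query is the artefact to export into the audit evidence folder: it shows, from the system of record rather than a screenshot, that the scan policy is enabled, blocking, and scoped to the production branch.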

What an auditor looks for

Auditors will verify that a Microsoft Purview Compliance Manager assessment is active for ISO 27001, with the compliance score and the status of its improvement actions documented over time, and will expect evidence behind manually attested actions rather than the score alone. They will check that Intune Device Compliance policies are deployed, including the configured settings for encryption and antivirus, that the policies are assigned to the relevant devices, and that a Conditional Access policy enforces the compliant-device requirement. Auditors will review the Azure DevOps branch policy configuration on the main branch to confirm that a blocking build validation policy requires the Defender for DevOps security scan to pass before merge.

They will verify that the Corrective Action Register records identified non-conformities with assigned owners, remediation plans, target dates and resolution tracking, and will sample entries to confirm the root cause was addressed rather than just the symptom. Auditors will also check evidence that managers have communicated ISMS policies to their teams, for example through induction materials and signed acknowledgements.