ISO 27001 Annex A.18.2 Information Security Reviews

The objective of this section is to ensure that information security is implemented and operated in compliance with the organization's policies and procedures.

A.18.2.1 Independent Review of Information Security

Control- The organization's approach to information security management and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) should be reviewed independently at planned intervals, or whenever a significant change is proposed or occurs.


Implementation Guidance

The independent review will be conducted by the board. Such an independent review is required to ensure that the organization's approach to information security management remains consistent, appropriate, and effective. The review should include an assessment of improvement opportunities and of the need to change the security approach, including the policy and control objectives. Such a review needs to be conducted by people who are independent of the area being reviewed, e.g. an internal audit function, an independent manager, or a specialized external organization. Those who conduct these reviews should have the appropriate skills and experience. The results of the independent review must be recorded and reported to the management that initiated the review, and these records are to be retained. When, for example, the review finds that the organization's defined aims, objectives and needs are not being met in line with the guiding principles for information security set out in the information security policy (see 5.1.1), management should pursue corrective measures.

Other Information

Further guidance on carrying out an independent review is provided by ISO/IEC 27007, Guidelines for information security management systems auditing, and ISO/IEC TR 27008, Guidelines for auditors on information security controls.

The well-known ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certifications mainly cover the information security clauses and their implementation, i.e., the controls an organization should implement to preserve the CIA triad (Confidentiality, Integrity, and Availability) and so keep its critical and sensitive information secure. Infosavvy, an institute in Mumbai, conducts training and certification for multiple domains in information security, including IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy will help you understand and recognize the full scope of your organization's security checks, so as to protect your organization's activities and information equipment (assets) from attacks, ensure privacy, and ensure that information security is enforced and managed in compliance with organizational policies and procedures. We have trainers with extensive expertise and experience to ensure the efficient handling of information security. Consequently, the applicant will gain the skills needed for ISMS auditing by using commonly agreed audit concepts, procedures, and techniques.

A.18.2.2 Compliance with Security Policies and Standards


Managers will review on a regular basis compliance with relevant security policies, guidelines, and other security specifications of information processing and procedures within their field of responsibility.

Implementation Guidance

Managers should determine how the information security requirements defined in policies, standards, and other applicable regulations are to be assessed. For efficient routine review, automated measurement and reporting tools should be considered.

If the review detects any non-compliance, managers should:

  • identify the causes of the non-compliance;
  • assess the need for actions to achieve compliance;
  • implement appropriate corrective measures;
  • review the corrective measures taken to verify their effectiveness and to identify any remaining deficiencies or weaknesses.

The results of the managers' reviews and the disciplinary measures taken should be recorded and reported. If an independent review takes place within their area of responsibility, managers should report these results to the individuals conducting the independent review (see 18.2.1).


Other Information

Monitoring of operational system use is covered in 12.4.

A.18.2.3 Technical Compliance Review


Information systems for compliance with the InformationSecurity Policies and practices of an organization should be periodically reviewed.

Implementation Guidance

Technical compliance should preferably be assessed with the assistance of automated tools, which generate technical reports for subsequent interpretation by a technical specialist. Alternatively, an experienced system engineer can carry out manual reviews (supported by appropriate software tools, if necessary). Caution is needed when penetration tests or vulnerability assessments are used, because these activities can themselves lead to a compromise of system security. Such tests should be planned, documented, and repeatable. Any technical compliance review should only be carried out by, or under the supervision of, competent and authorized persons.

Other Information

Technical compliance reviews involve the examination of operational systems to ensure that hardware and software controls have been implemented correctly. This form of compliance review requires specialist technical expertise. For example, compliance reviews include penetration tests and vulnerability assessments, which may be carried out by specially appointed independent experts. This can be useful for detecting vulnerabilities in a system and for assessing how effective the controls are in preventing unauthorized access that exploits those vulnerabilities. Penetration tests and vulnerability assessments provide a snapshot of a system in a specific state at a specific point in time, and that snapshot is limited to those parts of the system actually tested during the penetration attempt. Penetration testing and vulnerability assessment are not a substitute for risk assessment. Specific guidance on technical compliance reviews is given in ISO/IEC TR 27008.
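The implementation guidance above recommends assessing technical compliance with automated tools that produce a report for a specialist to interpret, and the other information notes that such a review is a snapshot of a system's state at one point in time. The following is an added example of that idea in working code; it is not code from the original article, from Infosavvy, or from the ISO standards. The baseline requirements, hostnames and collected settings are all constructed for illustration: a real review would collect the settings from the systems under review and derive the baseline from the organization's own policies and standards.

```python
"""Automated technical compliance check of collected system settings
against a policy baseline (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any

# Constructed baseline: requirement -> (operator, expected value, severity).
# Operators: "eq" exact match, "ge" numeric minimum, "in" allowed set.
BASELINE: dict[str, tuple[str, Any, str]] = {
    "ssh.permit_root_login": ("eq", "no", "high"),
    "ssh.password_authentication": ("eq", "no", "high"),
    "password.min_length": ("ge", 14, "medium"),
    "tls.min_version": ("in", ("TLSv1.2", "TLSv1.3"), "high"),
    "audit.logging_enabled": ("eq", True, "medium"),
}

# Constructed snapshot: settings as collected from two hypothetical hosts.
SNAPSHOT: dict[str, dict[str, Any]] = {
    "web-01": {
        "ssh.permit_root_login": "no",
        "ssh.password_authentication": "yes",   # deviates from baseline
        "password.min_length": 12,              # below the minimum
        "tls.min_version": "TLSv1.2",
        "audit.logging_enabled": True,
    },
    "db-01": {
        "ssh.permit_root_login": "no",
        "ssh.password_authentication": "no",
        "password.min_length": 16,
        "tls.min_version": "TLSv1.0",           # not an allowed version
        # "audit.logging_enabled" was not collected: reported as missing
    },
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    requirement: str
    expected: str
    observed: str
    severity: str


def check_value(op: str, expected: Any, observed: Any) -> bool:
    """Return True when the observed setting satisfies the baseline rule.
    A setting that could not be collected never passes."""
    if observed is None:
        return False
    if op == "eq":
        return observed == expected
    if op == "ge":
        return isinstance(observed, (int, float)) and observed >= expected
    if op == "in":
        return observed in expected
    raise ValueError(f"unknown operator {op!r}")


def evaluate(snapshot: dict[str, dict[str, Any]],
             baseline: dict[str, tuple[str, Any, str]]) -> list[Finding]:
    """Compare every host against every baseline requirement."""
    findings: list[Finding] = []
    for host in sorted(snapshot):
        settings = snapshot[host]
        for requirement, (op, expected, severity) in baseline.items():
            observed = settings.get(requirement)
            if not check_value(op, expected, observed):
                findings.append(Finding(
                    host, requirement, f"{op} {expected!r}",
                    "missing" if observed is None else repr(observed),
                    severity))
    return findings


def compliance_rate(findings: list[Finding], snapshot: dict, baseline: dict) -> float:
    """Percentage of (host, requirement) checks that passed."""
    total = len(snapshot) * len(baseline)
    return round(100.0 * (total - len(findings)) / total, 1)


def render_report(findings: list[Finding], snapshot: dict, baseline: dict,
                  taken_at: datetime) -> str:
    """Text report for the specialist: the snapshot time is recorded because
    the result is only valid for the state of the systems at that moment."""
    lines = [
        f"Technical compliance snapshot taken {taken_at.isoformat()}",
        f"Hosts: {len(snapshot)}  Checks per host: {len(baseline)}  "
        f"Compliance: {compliance_rate(findings, snapshot, baseline)}%",
    ]
    for f in sorted(findings, key=lambda f: (SEVERITY_ORDER.get(f.severity, 3), f.host)):
        lines.append(f"[{f.severity.upper():6}] {f.host}: {f.requirement} "
                     f"expected {f.expected}, observed {f.observed}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = evaluate(SNAPSHOT, BASELINE)
    print(render_report(results, SNAPSHOT, BASELINE, datetime.now(timezone.utc)))
```

Treating an uncollected setting as a finding rather than silently skipping it matters for a compliance review: a system that could not be measured has not been shown to comply, and the report should say so.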


This Blog Article is posted by

Infosavvy, 5B 306 Riverside Greens, Panvel, Raigad 410206 Maharashtra, India
