
ISO 27001:2022 Annex A  ·  Organizational Control

A.5.35
Independent review of information security

Last reviewed: June 12, 2026  ·  Authored by TÜV SÜD & BSI Certified Lead Auditors

Control Definition

The organization's approach to managing information security — and the way that approach is implemented across people, processes, and technology — must be reviewed by parties independent of the area under review, both at planned intervals and whenever significant changes occur.

Control Objective

To verify, through reviewers free of conflicts with the area they assess, that the organization's way of managing information security remains suitable, adequate, and effective as the business and its risks change.

What This Really Means

Nobody should mark their own homework. The team that designs, builds, and operates your security program carries every assumption it ever made — about what matters, what works, and what can safely be ignored. A.5.35 exists to puncture that bubble: at planned intervals, and after significant changes, someone with no stake in the current setup examines your approach to managing information security and how it actually runs across people, processes, and technology, then reports what they find to the management who commissioned the review.

The word that trips people up is "independent." It means independent of the area being reviewed — not necessarily external to the company. A group internal audit function, a competent reviewer borrowed from another department or office, a parent-company audit team, or an external consultant all qualify. What disqualifies a reviewer is reviewing their own work: the ISMS manager assessing the ISMS they operate, or an engineer signing off the architecture they built. Auditors check the reporting line before they read a single finding.

Two boundary lines matter. This is not the clause 9.2 internal audit — 9.2 is the management-system machinery that audits ISMS conformity against ISO 27001 and your own requirements on a defined program, while A.5.35 is broader assurance that your whole approach and its implementation remain fit for purpose, which can include technical reviews, maturity assessments, and external health checks. And it is not the certification audit either: pointing at your certification body as your "independent review" is circular, because the certification auditor is there to verify that you run your own review arrangement, this control included.

What auditors treat as the heart of A.5.35 is a documented arrangement — who reviews, how often, against what criteria — plus demonstrable reviewer independence, reports that actually reached the management who commissioned them, and findings that were corrected rather than filed.

Why It Matters

Self-assessment has a ceiling. The people who built your security program are the least equipped to spot its structural flaws, because the flaws live inside assumptions they no longer see. Independent review is the mechanism that converts "we think our security works" into evidence that someone without a stake agrees.

Without genuinely independent review, organizations face:

  • Unchallenged Blind Spots – design weaknesses survive for years because everyone close enough to see them owns part of them
  • Undetected Policy-Practice Drift – the documented ISMS and the operated reality separate slowly, and nobody whose job depends on the gap reports it
  • Management Decisions on Bad Assurance – risk acceptances, budgets, and board attestations get signed on the strength of self-reported status
  • A Security Approach Frozen in Time – after a merger, a cloud migration, or a serious incident, yesterday's approach quietly stops fitting today's organization
  • Certification Nonconformities – auditors raise findings when no review arrangement exists, when the reviewer reports into the area reviewed, or when findings show no follow-through

The control also protects whoever runs security: an independent reviewer concluding that the program is underfunded for its risk carries weight no self-authored slide deck ever will.

Regional Compliance Context

Independent review obligations stack up quickly for Indian organizations in regulated sectors. RBI master directions expect regulated entities — banks, NBFCs, payment system operators — to subject IT and information security to periodic audit by functions independent of those they audit, and SEBI's CSCRF requires periodic cyber audits for market intermediaries. Under the DPDP Act 2023, organizations designated as Significant Data Fiduciaries must appoint an independent data auditor and conduct periodic audits of their data protection compliance, with full compliance obligations landing by 13 May 2027. A well-scoped A.5.35 program can be designed so one review cycle feeds several of these obligations instead of running parallel audits that exhaust the same teams.

Implementation Guidance

1. Define the Review Charter and Scope

Decide and document what independent review covers in your organization: the management approach itself (policies, risk methodology, governance structures) and how it is implemented across people, processes, and technology. State who commissions reviews — typically top management or the security steering committee — and where results are reported. A one-page charter inside the ISMS manual or audit program is enough.

2. Select Reviewers Who Can Demonstrate Independence

Choose a review mechanism that fits your size: an internal audit function, a competent reviewer from another department or group entity, or an external assessor. The test is structural — the reviewer must not own, operate, or report into the area being reviewed. Record the independence rationale for each reviewer; auditors check reporting lines, not job titles.

3. Set Planned Intervals and Change Triggers

Fix a recurring cadence — annual is the common anchor, scheduled ahead of surveillance audits — and define the events that force an out-of-cycle review: mergers and acquisitions, major platform or cloud migrations, serious security incidents, significant regulatory change, or restructuring. Name who decides whether a change is significant, and record the decision either way.

4. Agree Terms of Reference Before Each Review

For every review cycle, document scope, criteria, and method. Criteria should be concrete: your own policies and Statement of Applicability, ISO 27001 requirements, and ISO 27002 guidance — not unanchored best practice. Methods can combine document review, interviews, walkthroughs, and technical testing where the reviewer is competent to perform it.

5. Conduct the Review and Report to the Commissioning Management

The reviewer examines the approach and its implementation, documents findings with supporting evidence, and reports directly to the management that commissioned the review — not to the function being reviewed. Findings should distinguish what is unsuitable (wrong approach), inadequate (right approach, insufficient coverage), or ineffective (covered but not working). Retain the report and its distribution record.

6. Drive Findings Through Corrective Action

Route every finding into the same corrective-action process you use for audit nonconformities: an owner, a root cause, an action, a due date, and a verification of effectiveness before closure. Track findings in the corrective action register, not in the report PDF. Unactioned findings are the fastest way to turn a good review into a certification finding.

7. Feed Results into Management Review and Watch the Trends

Present review results as an input to the clause 9.3 management review, alongside internal audit results and the compliance status produced under A.5.36. Trend findings across cycles: a recurring theme — access control again, supplier oversight again — signals the approach needs redesign, not another point fix. Adjust review scope or reviewer skills where reviews keep missing what incidents later expose.

Audit Evidence

During your ISO 27001 certification audit, auditors will expect to see the following evidence to demonstrate compliance with A.5.35:

Documentation

  • Independent review program or charter defining scope, frequency, and reviewer independence requirements
  • Completed review reports with findings, supporting evidence, and the criteria reviewed against
  • Records demonstrating reviewer independence — reporting lines, or engagement letters for external reviewers
  • Corrective action records tracing each review finding to closure and effectiveness verification
  • Management review minutes showing independent review results were presented and acted on

Interviews

  • CISO or top management about how reviews are commissioned and how reviewer independence is assured
  • The reviewer — internal auditor or external assessor — about scope, method, and freedom from interference
  • Owners of reviewed areas about the findings they received and what changed as a result

Observations

  • A sampled review finding traced through corrective action to verified closure
  • Reporting lines checked against the areas reviewed to confirm the independence claimed on paper
  • Evidence that a recent significant change — migration, restructure, major incident — triggered an out-of-cycle review

Practitioner Insights

Surendra Pal Singh

A pattern I keep seeing at Stage 2: the "independent review" turns out to be the ISMS manager reviewing the ISMS they built and operate — which fails the control no matter how good the report is. The first thing a certification auditor checks is the reviewer's reporting line relative to what was reviewed, before reading a single finding. The second-most-common failure is pointing at the certification audit itself as the independent review, which is circular: we are there to verify that your own assurance arrangements work. Commission the review from a function with nothing to defend, and make sure the report lands with the management that commissioned it.

Surendra Pal Singh · CISO, DPO, CISA, ISO 27001, 27701, 42001 Lead Auditor

Saundhi Chauhan

Smaller organizations often freeze on this control because they have no internal audit department — but the standard never asks for one. A competent reviewer borrowed from outside the security function working through a structured checklist, or a short annual external health check, both satisfy the control if you document why the reviewer counts as independent. The failure I see at the other extreme is a generic external report that could describe any company, with no reference to your policies or your risks. Scope the review against your own ISMS documents, and keep the whole trail — terms of reference, report, findings log — in one folder you can open at audit.

Saundhi Chauhan · ISO 27001, 27701 Lead Auditor

Common Challenges & Solutions

Challenge

The only person who understands the ISMS well enough to review it is the person who runs it — so they end up reviewing their own work.

Solution

Pair a reviewer from outside the security function — quality, group audit, an engineering lead from another business unit — with the ISMS manager acting as guide, not judge: the manager explains where things are, the reviewer forms the conclusions. Alternatively, commission a short annual external review. Either way, document the independence rationale in the review charter so the arrangement survives auditor scrutiny.

Challenge

Review reports get filed and forgotten, and the same findings reappear cycle after cycle.

Solution

Move findings out of the report and into the corrective action register the moment the review closes, each with an owner and a due date. Have management review track open items and aging. Treat a repeat finding as an automatic escalation — it means the previous corrective action failed its effectiveness check.

Challenge

Teams cannot articulate how A.5.35 differs from the clause 9.2 internal audit, so they either duplicate effort or quietly skip one.

Solution

Map the two explicitly: 9.2 audits ISMS conformity against ISO 27001 and your own requirements on a defined program, while A.5.35 asks whether the overall approach and its implementation remain suitable, adequate, and effective — which can also draw on technical reviews, maturity assessments, and external health checks. A single well-designed program can satisfy both if its scope statement says so. Write the mapping down; it is a one-paragraph answer that prevents a long audit conversation.

Challenge

Nobody defined what a "significant change" is, so change-triggered reviews never actually happen.

Solution

Publish a short trigger list in the review charter: acquisition or divestiture, major platform or cloud migration, serious security incident, new regulation in scope, leadership or structural change. Assign who decides — typically the CISO with the steering committee — and record the decision even when the answer is that no review is needed. The recorded "no" is evidence the trigger mechanism works.

Challenge

External reviewers deliver generic, template-driven reports that say little about the actual environment.

Solution

Control the engagement with tight terms of reference: criteria are your policies, Statement of Applicability, and risk register — not a generic checklist. Require findings to cite specific evidence, and brief the reviewer with last cycle's findings so they test whether fixes held. A shorter review against your real ISMS beats a long one against a template.

Frequently Asked Questions

Does "independent review" mean we have to hire an external auditor?
No. The requirement is independence from the area being reviewed, not from the organization. An internal audit function, a competent reviewer from another department, or a parent-company audit team all qualify, provided they neither operate nor report into what they review. External reviewers add expertise and credibility — useful when no internal candidate has both competence and distance — but they are an option, not an obligation.

How is A.5.35 different from the clause 9.2 internal audit?
Clause 9.2 is a management-system requirement: audit the ISMS for conformity to ISO 27001 and your own requirements, on a planned program. A.5.35 is an Annex A control with a broader question — does the whole approach to managing security, and its implementation across people, processes, and technology, remain suitable, adequate, and effective — and it can be satisfied through internal audits, technical reviews, maturity assessments, or external health checks. The overlap is deliberate: one well-scoped program can serve both, as long as your documentation maps which activity satisfies which requirement.

How often do independent reviews need to happen?
At planned intervals you define and justify — the standard does not fix a number. Annual is the common anchor because it aligns with the certification cycle and management review rhythm. On top of the planned cadence, reviews must also be triggered by significant changes, so your interval plus a documented trigger list together demonstrate compliance.

What counts as a "significant change" that should trigger a review?
The standard leaves the threshold to you, which means you should define it explicitly. Typical triggers: mergers, acquisitions, or divestitures; major platform or cloud migrations; serious security incidents; new regulations entering scope; and substantial restructuring or leadership change. Document who makes the call and record the decision even when it is "no review needed" — that record proves the mechanism operates.

Can our certification body's audit count as our independent review?
No. The certification audit exists to verify that you operate your own ISMS — including your own independent review arrangement — so citing it as that arrangement is circular, and certification auditors will say exactly that. Surveillance audits also only sample the ISMS, while A.5.35 expects a review you scope and commission. Run your own review and let the certification audit confirm it happened.

We are a 40-person startup with no audit team — how do we satisfy A.5.35 without overbuilding?
Keep it proportionate: appoint a competent reviewer from outside the security function — an engineering manager or operations lead with no ISMS responsibilities, supported by a structured checklist — or commission a short external review once a year. Document why the reviewer is independent, what they reviewed against, and what management did with the findings. Compliance automation platforms can collect evidence for the reviewer, but a dashboard is not a review: the control needs human judgment and a report that reaches management.

Written By Expert Auditors

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Last reviewed: June 2026 · Content verified by certified lead auditors
