Information security reviews ISO 27001 - Clause A.18.2


Information security reviews

The objective of information security reviews is to ensure that information security is implemented and operated in accordance with the organization's policies and procedures and with the requirements of ISO 27001.

This article will be useful for people or organizations looking to implement ISO 27001 for certification purposes; it covers the requirements of Clause A.18.2, Information security reviews.

Independent review of information security

The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security), together with the need for any change to it, are reviewed independently at planned intervals, or when significant changes occur.

Such an independent review is necessary to ensure the continuing suitability, adequacy, and effectiveness of the organization’s approach to managing information security. The review also includes assessing opportunities for improvement.

Periodic independent information security reviews are carried out at an interval of 12 months (1 year). We also undertake such independent reviews when significant changes to the information security implementation occur.

Independent reviews are carried out by individuals independent of the area under review, e.g. the internal audit function, an independent manager or a third-party organization specializing in such reviews. We also ensure that the individuals carrying out these reviews have appropriate skills and experience.

An organization seeking ISO 27001 (ISMS) certification shall maintain a ‘Master List of Independent Information Security Reviewers’.

For each independent review, the ISO 27001 certified organization selects reviewer(s) from its ‘Master List of Independent Information Security Reviewers’ and has the review carried out.

Reports submitted by the independent reviewers shall be discussed immediately with top management and the department concerned within the organization, and the necessary corrective and/or preventive actions are taken.

The outcome of the independent review and the actions taken are also discussed in the subsequent management review.

Compliance with security policies and standards

Heads of department should be involved in and committed to regularly reviewing the compliance of information processing and procedures within their area of responsibility with the applicable security policies, standards and any other security requirements.

If any non-compliance is found as a result of the review, the Head of department would:

  1. Determine the causes of the non-compliance
  2. Evaluate the need for actions to ensure that the non-compliance does not recur
  3. Determine and implement appropriate corrective action, and
  4. Review the corrective action taken.

Technical compliance review

Information systems are regularly reviewed for compliance with the organization’s information security policies and standards.

Technical compliance review is performed either manually by an experienced system engineer (supported by appropriate software tools where necessary), and/or with the assistance of automated tools that generate a technical report for subsequent interpretation by a technical specialist.

If penetration tests or vulnerability assessments are used, due caution is exercised, as such activities could themselves compromise the security of the system under review. Such tests are planned, documented and repeatable.

Technical compliance reviews are carried out only by competent, authorized persons, or under the supervision of such persons.