Compliance with Policies, Rules and Standards for Information Security
Plain English Translation
ISO 27001 Annex A.5.36 requires that organizations do more than just write security policies; they must actively verify that employees, systems, and processes are actually following them. This involves regularly reviewing operations against defined rules and technical standards through methods like internal audits, vulnerability scans, and management reviews to ensure real-world adherence matches documented expectations.
Technical Implementation
Required Actions (startup)
- Implement basic vulnerability scanning to verify compliance with technical baseline standards.
- Ensure all employees acknowledge the Information Security Policy annually and review baseline configurations.
Required Actions (scaleup)
- Conduct periodic internal audits specifically to review adherence to topic-specific policies.
- Track vulnerabilities and nonconformities in a ticketing system to ensure timely remediation.
Required Actions (enterprise)
- Automate continuous compliance monitoring using CSPM/SSPM platforms to detect configuration drift.
- Execute annual independent penetration testing and formally review results in ISMS management meetings.
Control A.5.36 is an organizational control that requires an organization to regularly review and verify that its actual operational practices and systems comply with its established information security policies, topic-specific rules, and technical standards.
Organizations must review their daily operations, system configurations, employee behaviors, and technical environments to confirm they align with the requirements defined in the organization's approved security policies and technical standards.
Compliance should be reviewed at planned intervals (such as annually through an information security standards compliance review process) and continuously or periodically via technical methods like vulnerability scanning and log reviews.
An ISO 27001 policy review evaluates if the written policy document itself is still relevant and accurate (A.5.1), whereas a policy compliance review (A.5.36) checks whether the organization's personnel and systems are actually following the rules dictated by that policy.
ISO 27001 policy compliance evidence includes records of internal audits, notes from management reviews, vulnerability scan results, penetration testing reports, and evidence of tracked and remediated nonconformities. WatchDog Security's Compliance Center can help keep this evidence organized by control and review cycle, making it easier to show that reviews occurred and that corrective actions were completed.
You measure compliance by performing targeted reviews—such as sampling access requests to verify the Access Control Policy, or reviewing server configurations—and documenting the findings using a topic-specific policy compliance checklist or internal audit report.
Practical methods include sampling access control logs to verify approval workflows, running automated vulnerability scans to check system configurations against technical baselines, and conducting formal internal audits.
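The two technical review methods named above, checking system configurations against a technical baseline and sampling access-control records for an approval trail, can be reduced to a small script that produces nonconformity findings suitable for an audit report. The following is an added example, not code from the original page or from WatchDog Security; the baseline keys, the host configurations, the log line format and the approved ticket list are all constructed sample data and assumptions, not a real standard or product API.

```python
"""
Added example: two A.5.36-style operational compliance checks.

1. find_config_drift  - compare collected host settings against a baseline
                        standard and report every deviation (including
                        settings that are simply missing).
2. unapproved_grants  - sample access GRANT events and flag any grant that
                        does not reference an approved change ticket.

All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed technical baseline: the settings the standard requires.
BASELINE: Dict[str, str] = {
    "ssh.password_authentication": "no",
    "ssh.permit_root_login": "no",
    "tls.min_version": "1.2",
    "audit.logging_enabled": "yes",
}

# Constructed "as collected" configuration per host.
# web-01 matches the baseline; db-01 has one wrong value and one missing key.
ACTUAL_CONFIGS: Dict[str, Dict[str, str]] = {
    "web-01": {
        "ssh.password_authentication": "no",
        "ssh.permit_root_login": "no",
        "tls.min_version": "1.2",
        "audit.logging_enabled": "yes",
    },
    "db-01": {
        "ssh.password_authentication": "yes",
        "ssh.permit_root_login": "no",
        "tls.min_version": "1.2",
    },
}


@dataclass
class DriftFinding:
    """One nonconformity between a host setting and the baseline."""
    host: str
    setting: str
    expected: str
    actual: Optional[str]  # None means the setting was not present at all


def find_config_drift(baseline: Dict[str, str],
                      actual_configs: Dict[str, Dict[str, str]]) -> List[DriftFinding]:
    """Return every (host, setting) pair whose value differs from the baseline."""
    findings: List[DriftFinding] = []
    for host, cfg in sorted(actual_configs.items()):
        for setting, expected in baseline.items():
            actual = cfg.get(setting)
            if actual != expected:
                findings.append(DriftFinding(host, setting, expected, actual))
    return findings


# Constructed access-control log sample (format is an assumption):
#   <timestamp> <EVENT> key=value key=value ...
ACCESS_LOG: List[str] = [
    "2026-02-10T09:12:00Z GRANT user=alice resource=prod-db ticket=CHG-1041",
    "2026-02-11T14:03:00Z GRANT user=bob resource=prod-db ticket=CHG-1099",
    "2026-02-12T08:45:00Z GRANT user=carol resource=backup-store",
    "2026-02-13T17:20:00Z REVOKE user=alice resource=prod-db",
]

# Constructed list of tickets that carry a recorded management approval.
APPROVED_TICKETS = {"CHG-1041", "CHG-1052"}


def parse_access_event(line: str) -> Dict[str, object]:
    """Parse one log line into timestamp, event name and key=value fields."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[2:] if "=" in kv)
    return {"timestamp": parts[0], "event": parts[1], "fields": fields}


def unapproved_grants(log_lines: List[str], approved_tickets) -> List[Dict[str, Optional[str]]]:
    """Flag GRANT events with no ticket, or a ticket that was never approved."""
    flagged: List[Dict[str, Optional[str]]] = []
    for line in log_lines:
        ev = parse_access_event(line)
        if ev["event"] != "GRANT":
            continue  # only access grants need an approval trail here
        fields = ev["fields"]
        ticket = fields.get("ticket")
        if ticket is None:
            reason = "no change ticket referenced"
        elif ticket not in approved_tickets:
            reason = "ticket has no recorded approval"
        else:
            continue
        flagged.append({"user": fields.get("user"), "resource": fields.get("resource"),
                        "ticket": ticket, "reason": reason})
    return flagged


if __name__ == "__main__":
    for f in find_config_drift(BASELINE, ACTUAL_CONFIGS):
        print(f"DRIFT  {f.host}: {f.setting} expected={f.expected!r} actual={f.actual!r}")
    for g in unapproved_grants(ACCESS_LOG, APPROVED_TICKETS):
        print(f"GRANT  {g['user']} -> {g['resource']}: {g['reason']} (ticket={g['ticket']})")
```

Each returned finding names the host or grant, the rule it violates and the observed value, which is exactly what the audit report described later on this page needs (policy reviewed, method, finding, corrective action). Note that a missing setting is reported as drift rather than silently passing; a checker that only compares keys present on the host would miss the most common real-world gap, a control that was never applied.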
Internal audits (Clause 9.2) act as the primary mechanism to perform these operational compliance reviews, and the findings are then presented during the management review (Clause 9.3) so leadership can address any systemic enforcement gaps.
Policy exceptions must be formally documented, risk-assessed, and approved by management through an exception management process, ensuring the deviation is tracked in a risk register and reviewed regularly.
A security policy compliance audit report should include the specific policy or standard being reviewed, the review methodology (e.g., sample size, tools used), identified findings of nonconformity, and assigned corrective actions.
Manual spot-checks often miss drift between written standards and real configurations. WatchDog Security's Compliance Center helps structure recurring compliance reviews by mapping this control to your policies, tracking review cadence, and centralizing evidence (e.g., audit plans, management review notes, and nonconformity records) so teams can demonstrate consistent enforcement over time.
Organizations commonly struggle to prove that systems stay aligned with baselines after changes and deployments. WatchDog Security's Posture Management helps detect misconfigurations and configuration drift through continuous checks and remediation guidance, producing actionable findings that can be used as supporting evidence during A.5.36 compliance reviews.
"Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-17 | WatchDog Security GRC Team | Initial publication |