Clarification Regarding Control Review Frequency in Policy Documents
I wanted to clarify that all the policy documents we've prepared specify a requirement for a 6-month review. However, the specific controls we discussed are not mentioned in the documents. My question is whether, according to the policy, we need to review the controls every 6 months or if we have the flexibility to define the update frequency for the controls ourselves, separate from the document reviews. Please refer to the attached image for more details.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Controls can be reviewed at a different frequency than those defined for the review of documents related to them. You only need to ensure that control review results are considered in the next document review. Please also note that, depending upon the controls review results, an immediate review of documents may be necessary.
Check our article for further information on performing monitoring and measurement in ISO 27001.
Comment as guest or Sign in
Oct 12, 2023