How to implement this control when the company is very small, that is, it has 6 employees?
Critical analyses are usually carried out by the entire company team.
In this situation, would it always be necessary to hire a specialized external organization, as suggested by the ISO27002 standard?
For control 18.2.1 Independent review of information security, please note that this control is usually done in the form of an internal audit or certification audit.
In very small companies like yours, the common approach for the internal auditor is hiring an external party for the task, because the organization wouldn’t have enough work to justify contracting a full-time auditor, and a part-time internal auditor would have difficulty keeping his independence over all organization processes when performing his task.
About certification audits, they are conducted by accredited organizations (the certification bodies) to evidence that an organization is compliant with all requirements of the ISO 27001 standard.
Regarding control 18.2.2 Compliance with security policies and standards, it does not require independence of the reviewed area. In fact, it is quite the opposite (the management is the focus of this control - they have to do the review). So, your current implementation for critical analysis is acceptable to fulfill the control.
This article will provide you with further explanation about management review: