Expert Advice Community


Implementation of control A.18.2.2

Guest user Created:   Oct 06, 2017 Last commented:   Oct 06, 2017


May I ask you for some guidance on A.18.2.2?

Expert
Rhand Leal Oct 06, 2017

The challenge here is that the "line managers" are usually not in a position to review information security, so to fulfil this, what would they actually need to prove/review? The standard does say "review IS processing in their area [...] with appropriate security policies, standards and any other security requirements".

Actually, this could be read such that, let's say, the production manager has to make sure that OHAS, 9001, etc. are correctly followed, so the fulfilment of A.18.2.2 is rather an issue outside 27k (and would not require a special Risk Assessment for this).

Answer: The main objective of section A.18.2 is "to ensure that information security is implemented and operated in accordance with the organizational policies and procedures", so I wouldn't agree with your interpretation that "the production manager has to make sure that OHAS, 9001, etc. are correctly followed" is related to A.18.2.2, because this control speaks about information security implementation, not about quality management or health & safety.

Considering that, to fulfil control A.18.2.2, managers must define how this will be done. The most common approaches are:

- through review of internal audits results
- through results provided by monitoring and measurement tools
- through the evaluation of the results achieved against security objectives and security performance indicators

Additionally, the managers must also define how any nonconformities identified will be handled.

These articles will provide you with further explanation about controls monitoring:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
