📋 ISO 27001 A.5.36 | Rule: ISO27001-A536 | Severity: medium

Compliance with Policies, Rules, and Standards

Description

Compliance with the organisation's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

⚠️ Risk Impact

Policies that no one verifies become aspirational rather than operational. The gap between documented policy and actual practice grows silently until an audit or incident exposes it.

🔍 How EchelonGraph Detects This

ISO27001-A536 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.

🔧 Remediation

Quarterly compliance reviews: sample-test policy compliance across systems, document each deviation together with its remediation, trend the compliance rate over time, and surface the results to leadership.

💀 Real-World Attack Scenario

A company's password policy required 90-day rotation. Quarterly review found 47% of service accounts hadn't been rotated in 18+ months — the policy required rotation but no one enforced it. The accounts were prime credential-stuffing targets; audit recommended automated rotation. The policy-vs-practice gap had existed for 2 years undetected.
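The policy-vs-practice check described in the scenario above, as an added example that is not part of the EchelonGraph rule or the original page: it evaluates a constructed service-account inventory against the 90-day rotation policy, reports the deviations a quarterly review would document, and classifies the trend between successive reviews. The account names, rotation dates and review date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Policy under review: credentials must be rotated at least every 90 days
# (the rotation period named in the scenario above).
ROTATION_DAYS = 90

@dataclass(frozen=True)
class ServiceAccount:
    name: str
    last_rotated: date

def check_rotation_compliance(accounts, as_of, max_age_days=ROTATION_DAYS):
    """Return (compliance_rate, deviations). A deviation records how far past
    the policy limit a credential is, so the review can document and trend it."""
    deviations = []
    for acct in accounts:
        age = (as_of - acct.last_rotated).days
        if age > max_age_days:
            deviations.append({"account": acct.name, "age_days": age,
                               "overdue_by_days": age - max_age_days})
    rate = (len(accounts) - len(deviations)) / len(accounts) if accounts else 1.0
    return rate, sorted(deviations, key=lambda d: d["age_days"], reverse=True)

def compliance_trend(history):
    """history: [(review_label, compliance_rate), ...] from successive reviews.
    Compares the last two points so degradation is visible before the next audit."""
    if len(history) < 2:
        return "insufficient data"
    prev, curr = history[-2][1], history[-1][1]
    return "improving" if curr > prev else "degrading" if curr < prev else "flat"

# Constructed sample inventory (not real accounts). Three of six credentials are
# far past the 90-day limit, mirroring the stale-service-account pattern above.
REVIEW_DATE = date(2024, 4, 1)
SAMPLE_ACCOUNTS = [
    ServiceAccount("svc-billing", date(2024, 2, 15)),
    ServiceAccount("svc-backup", date(2022, 6, 1)),       # ~22 months old
    ServiceAccount("svc-ci-deploy", date(2024, 3, 20)),
    ServiceAccount("svc-reporting", date(2022, 9, 10)),   # ~19 months old
    ServiceAccount("svc-legacy-etl", date(2021, 12, 1)),  # ~28 months old
    ServiceAccount("svc-monitoring", date(2024, 1, 20)),
]

if __name__ == "__main__":
    rate, devs = check_rotation_compliance(SAMPLE_ACCOUNTS, REVIEW_DATE)
    print(f"compliance rate: {rate:.0%} ({len(devs)} deviations)")
    for d in devs:
        print(f"  {d['account']}: {d['age_days']}d since rotation, overdue by {d['overdue_by_days']}d")
```

Run against a real inventory export, the same function yields the deviation list and compliance rate that the quarterly review documents, and feeding successive rates to `compliance_trend` gives the leadership-facing trend the remediation section calls for.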

💰 Cost of Non-Compliance

Policy-vs-practice gaps are cited as a contributor in 27% of cloud breaches (Mandiant M-Trends 2024) and increase the audit-finding rate 2-3×.

📋 Audit Questions

  1. What policies are reviewed quarterly for compliance?
  2. Show the last compliance review report.
  3. What deviations were found? How were they remediated?
  4. How is the gap trend communicated to leadership?

⚡ Common Pitfalls

  • Annual review only — gaps accumulate for months
  • Sample size too small — review misses systematic gaps
  • Reviews documented but findings never trigger leadership action

📈 Business Value

Regular compliance verification keeps the policy library honest. It provides the evidence base for sustained audit quality and the early detection of control degradation.

⏱️ Effort Estimate

Manual

8-16 hours quarterly for compliance review per policy area

With EchelonGraph

EchelonGraph evaluates policy compliance continuously

🔗 Cross-Framework References

SOC2-CC4.1

Automate ISO 27001 A.5.36 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
