ISO/IEC 27001 Control 5.36: Compliance with policies, rules and standards for information security
Control
Compliance with the organization’s information security policy, topic-specific policies, rules and standards should be regularly reviewed.
Necessity of MidPoint
MidPoint is necessary to implement this control properly.
MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.
Implementation Overview
MidPoint provides many essential capabilities for verifying, reviewing and demonstrating compliance, as well as implementation of corrective actions.
Implementation Details
MidPoint is designed to automatically enforce compliance with policies defined in the form of roles and policy rules. Policies that are not automatically enforced can be analyzed, and violations can be reported and/or displayed on dashboards. Objects that do not conform to the policies can be marked automatically or manually (using object marks) and then reviewed manually. Integral documentation can be used to document policies, as well as exceptions and special cases. Object governance (role governance) capabilities can be used to track role, application and information owners and other responsible persons, distributing review effort across a broader team. Policy rules can be set up to make sure every application and role has an appropriate governance structure (e.g. it has an active owner). Certification campaigns can be used to review the applicability of policies, especially the applicability and adequacy of role definitions. Simulation capabilities can be used to verify that new corrective actions will be effective before they are applied.
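As an added illustration (not taken from this page or from the midPoint project's own documentation), the following metarole shows how a governance-structure policy rule of the kind described above can be expressed. It assumes midPoint's policy rule schema with the minAssignees constraint and the org:owner relation; the role name, the surrounding metarole pattern (the rule is carried in an inducement, so it applies to every role that has this metarole assigned) and the choice of enforcement as the action are the author's assumptions for this example. It checks only that at least one owner is assigned; verifying that the owner's account is still active is left to a separate review.

```xml
<!-- Added example: a metarole whose policy rule requires that every role
     carrying it has at least one assigned owner. Not code from the page;
     assumes the midPoint policy rule schema (minAssignees, org:owner). -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
    <name>Metarole: role must have an owner</name>
    <inducement>
        <policyRule>
            <name>at-least-one-owner</name>
            <policyConstraints>
                <!-- Violated when fewer than one assignee holds the owner relation -->
                <minAssignees>
                    <multiplicity>1</multiplicity>
                    <relation>org:owner</relation>
                </minAssignees>
            </policyConstraints>
            <policyActions>
                <!-- Enforcement blocks the operation that would leave the role ownerless.
                     For a report-only approach the enforcement action would be dropped
                     and the violation surfaced through the policy situation instead
                     (assumption: whichever recording action your midPoint version provides). -->
                <enforcement/>
            </policyActions>
        </policyRule>
    </inducement>
</role>
```

Assigning this metarole to application and business roles turns the "every role has an owner" requirement into a condition midPoint checks on each change, rather than a point-in-time finding produced only during a manual review.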
Implementation Notes
- The control asks for the use of "automatic measurement and reporting tools". MidPoint is an ideal tool for automatic measurement and reporting of information regarding identities and access control.
Rationale
MidPoint provides essential functionality necessary for regulatory compliance at scale.