Independent Review of Information Security

Suitability

Does your ISMS reflect your current business context? Controls designed for a 50-person firm rarely remain suitable at 200. An independent reviewer tests whether the approach still fits the organisation it is meant to protect.

Adequacy

Are the controls comprehensive enough to address your real risk exposure? Adequacy goes to coverage. An independent review identifies the gaps between what the policy says and what is actually protecting you day to day.

Effectiveness

Are the controls actually working? A policy exists. Access reviews are scheduled. But are they happening? Are they producing the right outcomes? Effectiveness testing is where most self-assessments fall short.

Regulatory change

A new law, regulation, or guidance affecting your information security obligations. In 2025 and 2026, the Cyber Security Act 2024, APRA CPS 230, and updated NZISM guidance have each created this trigger for many ANZ organisations.

Significant security incident

A data breach, ransomware event, or material compromise. The incident reveals that something in your ISMS did not work. A review determines what and why, before the next event occurs.

Major business change

Merger, acquisition, new product line, expansion into a new market, or a significant change to your cloud or technology environment. Your risk profile has changed. Your controls need to reflect it.

New service or product

A new offering that processes customer data, uses AI systems, or relies on third-party suppliers not previously assessed. This includes adopting AI tools that were not in scope when the ISMS was last reviewed.

Material change to controls

Significant changes to existing security controls, policies, or processes. If the controls have been rebuilt, the review of the previous version is no longer valid evidence of the current state.

Annual planned review

Regardless of the above, most certified organisations conduct a full independent review at least annually, aligned to the three-year ISO 27001 certification cycle, to ensure all 93 Annex A controls are verified for operational effectiveness.

Scoping and evidence gathering

We establish the review scope, confirm the ISMS boundary, and gather the documentation and evidence base required to assess all 93 Annex A controls, your risk register, treatment plans, and management review outputs.

Control effectiveness testing

We go beyond document review. We test whether controls are operating as designed, through staff interviews, configuration review, and operational sampling — focused on the areas most likely to reveal the gap between policy and practice.

Regulatory alignment check

For Australian and New Zealand organisations, we map ISMS controls to your applicable regulatory obligations — CPS 234, CPS 230, Privacy Act, NZISM, Essential Eight — and identify where a single control satisfies multiple requirements, and where it does not.

Board-ready findings report

We deliver a written findings report suitable for presentation to your board and audit committee. Findings are rated by severity, linked to corrective action requirements, and expressed in plain language that translates technical risk into business impact.

Financial services

APRA-regulated banks, insurers, and superannuation funds managing CPS 234 and CPS 230 obligations. The independent review provides documented evidence for APRA if queried on control effectiveness.

Aged care

Residential and home care providers under the Aged Care Act 2024, which strengthened governance and accountability obligations for providers handling sensitive health and personal data for vulnerable Australians.

Healthcare

Health service providers handling My Health Record data or subject to the My Health Records Act 2012, where the Office of the Australian Information Commissioner actively investigates compliance breaches.

Government suppliers

Australian and New Zealand organisations supplying services to government agencies, where ISO 27001 certification is either mandated or strongly preferred, and where an independent review supports contract retention and renewal.

Organisations pre-certification

Organisations preparing for initial ISO 27001 certification who want an independent assessment of their ISMS before the certification body arrives. An independent pre-audit review closes gaps before they become non-conformities.

Post-incident review

Organisations that have experienced a security incident and need to demonstrate to their board, regulators, or insurers that they have independently assessed what went wrong, why, and what has been corrected.

Is A.18.2.1 the same as Control 5.35 in ISO 27001:2022?

Yes. ISO 27001:2022 restructured and renumbered the controls from the 2013 edition. Annex A control A.18.2.1 (Independent Review of Information Security) from the 2013 standard is directly mapped to Control 5.35 in the 2022 standard. The core requirement is the same. The 2022 version adds greater specificity about when ad-hoc reviews are required. If your organisation was certified under the 2013 standard, your transition to ISO 27001:2022 requires confirming that your existing review process meets the 2022 version's additional guidance. Source: iso.org/standard/82875.html

How often does the independent review need to happen?

The standard requires reviews at "planned intervals" and provides no specific minimum frequency. Most certified organisations and their certification bodies treat annual as the practical standard, aligned to the three-year ISO 27001 surveillance cycle. Beyond the annual planned review, the standard explicitly requires ad-hoc reviews when significant changes occur. In the current ANZ environment — with the Cyber Security Act 2024 now in force, CPS 230 effective from 1 July 2025, and frequent APRA and ASIC guidance updates — many organisations should consider whether recent regulatory changes have already triggered this obligation.

Can our internal IT team conduct the independent review?

Only if they are genuinely independent of the area being reviewed. The standard does not mandate an external reviewer, but it requires impartiality. If the team members who would conduct the review were involved in designing, implementing, or operating the controls being assessed, they cannot satisfy the independence requirement. For most mid-market organisations in Australia and New Zealand, an external reviewer is the only practical way to achieve the separation the standard requires.

Does an ISO 27001 independent review satisfy our APRA CPS 234 audit obligations?

A well-structured ISO 27001 Control 5.35 review can satisfy core elements of CPS 234's internal audit requirements, provided the scope covers third-party controls and the reviewer is independent of the controls being assessed. CPS 234 has additional APRA-specific requirements — including 72-hour incident notification obligations and board-level accountability provisions — that sit outside the ISO 27001 scope. We recommend a combined approach that treats the ISO 27001 independent review as the foundation and then maps CPS 234-specific gaps on top of it.

We operate in both Australia and New Zealand. Can one review cover both jurisdictions?

Yes. ISO 27001 controls can be mapped to both Australian (APRA, Privacy Act, Essential Eight) and New Zealand (NZISM, NZ Privacy Act 2020) obligations within a single review scope. Insicon Cyber operates across both jurisdictions and delivers reviews that address trans-Tasman compliance simultaneously. This eliminates the cost and duplication of separate reviews for each market and provides a single, unified evidence trail for both Australian and New Zealand regulators.

What do we receive at the end of the review?

A written independent review report, structured for presentation to your board and audit committee. The report covers: findings against each assessed control, severity ratings, corrective action requirements, improvement recommendations, and a regulatory alignment summary mapping findings to your applicable obligations. Where findings require corrective action, we provide clear guidance on remediation and can support implementation through our Managed Compliance or CISO-as-a-Service engagements.