# Triggers for Reviews of Policies

**From [A 5.35](../Standards/ISO27x/OST/27002/EN/a-5.35-Independent-review-of-information-security.md), Independent review of information security:**

The organization should consider conducting independent reviews when:

- a\) laws and regulations which affect the organization change;
- b\) significant incidents occur;
- c\) the organization starts a new business or changes a current business;
- d\) the organization starts to use a new product or service, or changes the use of a current product or service;
- e\) the organization changes the information security controls and procedures significantly.

ISO/IEC 27007 and ISO/IEC TS 27008 provide guidance for carrying out independent reviews.

## From NotebookLM

The source documents specify several explicit triggers that necessitate the review and updating of an organization's policies, particularly the main information security policy and supporting topic-specific policies. Key triggers for policy review include:

### 1. Significant Changes

Both the overarching organizational information security policy and specific topic-specific policies must be reviewed when **significant changes occur**. Specifically, management should review and update information security policies in response to changes in:

- **Regulations, statutes, legislation, and contracts**.
- **The organization's business strategy**.
- **The organization's technical environment**.
- **Information security risks**.
- **The current and projected information security threat environment**.
- **The organization itself**, such as starting a new business or changing a current business.
- **Products or services**, such as starting to use a new product or service, or changing the use of a current one.
- **Information security controls and procedures**, if they change significantly.

The requirement for independent review of the organization's approach to managing information security (which includes policies) is also triggered **when significant changes occur**.

### 2. Planned Intervals

In addition to being reviewed when significant changes occur, policies must be reviewed at **planned intervals**.

- The information security policy and topic-specific policies should be reviewed at **planned intervals**.
- Confidentiality or non-disclosure agreements should be **regularly reviewed**.
- The organization's approach to managing information security (which includes policies) should be reviewed independently at **planned intervals**.
- Compliance with the organization's policies, rules, and standards should be **regularly reviewed**.

### 3. Incidents and Learning

Feedback from incidents and assurance activities also triggers policy review:

- The review should be built on **lessons learnt from information security incidents**.
- Lessons learned from **information security events and incidents** should be taken into account during the review of the information security policy and topic-specific policies.
- The evaluation of information gained from information security incidents should be used to update the organization's information security risk assessment and **determine and implement necessary additional controls**. This necessitates policy review if control changes are determined.
- The organization should consider conducting independent reviews when **significant incidents occur**.

### 4. Management Activities and Audits

Policy reviews are integrated into the management system framework:

- Review and update of policies should take the **results of management reviews and audits** into account.
- The management review inputs include considering **changes in external and internal issues** (relevant to the ISMS scope) and **changes in needs and expectations of interested parties** (relevant to the ISMS), which inherently requires reviewing the policy for continuing suitability.

When a policy is changed, review and updates of **other related policies** should be considered to maintain consistency.