ISO/IEC 27035 & ISO/IEC 27036 Extended Control Assessment
Strengthen incident and third-party risk posture with independent validation.
What Are ISO/IEC 27035 and ISO/IEC 27036?
ISO/IEC 27035 and 27036 expand, rather than replace, the ISO/IEC 27001 methodology.
- ISO/IEC 27035: Establishes a lifecycle for preparation, identification, containment, eradication, recovery, and lessons learned.
- ISO/IEC 27036: Defines information security requirements for supplier relationships throughout initiation, contracting, operation, and termination, as outlined by the International Electrotechnical Commission (IEC).
What Extended Control Set Assessments Prove
Incident handling controls validated through operational evidence.
SLA, escalation, and communication controls substantiated with proof.
Supplier access domains and governance boundaries justified through artifacts.
Third-party risk controls verified across onboarding, monitoring, and offboarding.
Why These Extensions Matter
Organizations that already maintain an ISO/IEC 27001-certified information security management system (ISMS) often face growing scrutiny around incident handling and supplier governance. An extended control assessment from Insight Assurance provides objective evidence that incident response processes and third-party oversight meet the deeper expectations set by ISO/IEC 27035 (for incident management) and ISO/IEC 27036 (for supplier relationships).
By validating escalation paths, service-level agreements (SLAs), and governance boundaries, the assessment helps protect the business, earn stakeholder trust, and reduce the risk of costly breaches.
Key Benefits
- Verified alignment between operational practices and ISO/IEC 27035 & 27036 requirements, bolstering resilience.
- Documented proof of incident detection, escalation, and post-incident learning that satisfies regulators and clients.
- Evidence-backed assurance of supplier onboarding, monitoring, and offboarding controls across complex ecosystems.
What Insight Assurance Validates in Assessments
ISO/IEC 27035 Focus Areas
- Incident handling roles and responsibilities evidence.
- Detection and classification control proof.
- Escalation, SLA, and communication substantiation.
- Incident records, timelines, RCA, and corrective action evidence.
- Post-incident learning and control improvement justification.
ISO/IEC 27036 Focus Areas
- Third-party onboarding and offboarding evidence.
- Access governance and revocation validation.
- Monitoring and relationship risk control logs.
- Segmentation and isolation of supplier access domains.
- Contractual control obligation substantiation (DPAs, SLAs, processor agreements, shared responsibility boundaries).
Common Evidence Artifacts Sampled
- Incident tickets, timelines, and RCA records.
- SLA and escalation evidence.
- Cloud or system event logs tied to incidents.
- Supplier onboarding/offboarding records.
- Access review and revocation validation.
- Third-party monitoring and segmentation logs.
- Contractual obligation proof (shared responsibility domains, PII/processor boundaries, SLAs, and governance artifacts).
This evidence demonstrates that controls operate as designed across the entire incident and supplier-management lifecycles.
Why Choose Insight Assurance?
- Cloud-Focused Expertise
- Independent Evaluation
- In-House Professionals
- AI-Enhanced Workflows
- Clear Reporting
- Big 4-Trained Auditors
Seasoned auditors drawn from Big 4 backgrounds bring global reach, transparent workflows, and a 24-hour SLA on responses.
Validate Your Incident Management Controls
Elevate stakeholder assurance and meet escalating regulatory expectations. Contact Insight Assurance to schedule your ISO/IEC 27035 & 27036 extended control assessment today.