The organization should have a process in place for conducting periodic independent reviews of its information security approach and implementation. These reviews should be conducted by individuals who are independent of the area under review and have appropriate competence. The results of the reviews should be reported to management and, if necessary, to top management. If the reviews identify any inadequacies, management should initiate corrective actions. Other factors include deciding what gets documented, how, and at what level, as well as the types of document control (revisions, updates, access, authority, etc.).