ISO 27001 Information Security Management Standard - Performance Evaluation

This blog is about Clauses 9.1, 9.2, 9.3 Performance Evaluation - Monitoring, measurement, analysis & evaluation, Internal audit, Management review

If you have been keeping up with the Plan-Do-Check-Act cycle of improvement, then clause 9 is the “Check” part of the cycle.

Clause 9 is a great clause to use to check how well things are working. You’ll ask yourself valuable questions like, “are we making progress?”, “are we getting any better?” and “is this information security risk under control?”.

9.1 Monitoring, measurement, analysis and evaluation

Let’s start with the first clause, 9.1 Monitoring, measurement, analysis and evaluation.

To see how effective your information security management system (ISMS) really is, you’re going to have to carry out an evaluation.

You need to work out

• what you will measure,
• who will measure and analyse it,
• and how you will produce valid results.

To work out what you will measure, first go back to the information needs of your interested parties. Then determine the most important needs and create a statement of those needs. For example, here at Mango one of the most important needs our customers have is for Mango to be available whenever the customer wants to use it. Our statement is that “we want the product to be available to customers 100% of the time”. Therefore, we monitor and measure the server up-time to ensure that the product is available for the customer to use anytime they need it.

A word of warning here though: great care should be taken to not have too many attributes to measure. Here at Mango we only have about 5 high-level measures that we monitor to ensure that the system is working well and our performance is high.

9.2 Internal Audit

The next clause is 9.2 Internal Audit.

Start this process by scheduling your audits based on risk. Procedures that are high risk should be audited frequently. Maybe once or twice a year. Those areas of the business that are lower risk can be audited every 2-3 years.

Now that you have scheduled them, it’s time to conduct the audit. The over-riding principles of audit are:

1. Have integrity;
2. Show a fair presentation;
3. Have professional care;
4. Be confidential;
5. Ensure you are independent; and
6. Take an evidence-based approach.

The internal audit needs to identify non-conformities, risks and opportunities. I have written many times on how to conduct an internal audit. Follow that advice and you can’t go wrong.

Next you must keep records of the audit. Highlight the non-conformances, risks and opportunities.

9.3 Management Review

Finally, the section is completed with 9.3 Management Review.

Your management review is there to ensure the continuing suitability, adequacy and effectiveness of your ISMS.

So what does this mean? You should continually review your business and your ISMS to ensure:

1. Your ISMS aligns with the objectives of the business, and
2. Your processes and controls, that are driven by your ISMS, are implemented and embedded in your business

It doesn’t mean that you need to have a review meeting but I think that is the best forum to review your systems.

Once again I have written lots of times about Management Review.

That advice still stands. Just do it.

Takeaways

1. Work out the information needs of your interested parties
2. Create measures to check that the needs are being met (like up-time)
3. Schedule your internal audits based on risk
4. Conduct the audit using best practise.
5. Conduct Management Reviews to ensure all areas of the business are checked against the stated performance.   Discuss any abnormalities.

View previous blogs in this series "ISO 27001 Information Security Management Standard":

ISO 27001 Information Security Management Standard: Principle 1 - Analysing the Protection of Your Information and then Applying Controls

ISO 27001 Information Security Management Standard: Principle 2 - Awareness of the Need for Information Security 

ISO 27001 Information Security Management Standard: Principle 3 - Assignment of Responsibility for Information Security

ISO 27001 Information Security Management Standard: Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

ISO 27001 Information Security Management Standard: Principle 5 - Enhancing Societal Values

ISO 27001 Information Security Management Standard: Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

ISO 27001 Information Security Management Standard: Principle 7 - Security incorporated as an essential element of information networks and systems

ISO 27001 Information Security Management Standard: Principle 8 - Active prevention and detection of information security incidents

ISO 27001 Information Security Management Standard: Principle 9 - Ensuring a comprehensive approach to information security management 

 ISO 27001 Information Security Management Standard: Principle 10 - Continual reassessment of information security and making of modifications as appropriate

ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4 of ISO 27001:2013 

ISO 27001 Information Security Management Standard: Clause 5.1 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clause 5.2 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clause 5.3 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clause 6.1 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clause 7.1 - 7.4 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clause 7.5 of ISO 27001:2013

ISO 27001 Information Security Management Standard: Clause 8.1, 8.2, 8.3 of ISO 27001:2013