This blog is about Clauses 9.1, 9.2 and 9.3, Performance Evaluation: Monitoring, measurement, analysis and evaluation; Internal audit; and Management review.
If you have been keeping up with the Plan-Do-Check-Act cycle of improvement, then clause 9 is the “Check” part of the cycle.
Clause 9 is a great clause to use to check how well things are working. You’ll ask yourself valuable questions like, “are we making progress?”, “are we getting any better?” and “is this information security risk under control?”.
Let’s start with the first clause, 9.1 Monitoring, measurement, analysis and evaluation.
To see how effective your information security management system (ISMS) really is, you’re going to have to carry out an evaluation.
You need to work out
To work out what you will measure, first go back to the information needs of your interested parties. Then determine the most important needs and create a statement of those needs. For example, here at Mango one of the most important needs our customers have is for Mango to be available whenever the customer wants to use it. Our statement is that “we want the product to be available to customers 100% of the time”. Therefore, we monitor and measure server uptime to ensure that the product is available for the customer to use any time they need it.
A word of warning here, though: take great care not to have too many attributes to measure. Here at Mango we only have about 5 high-level measures that we monitor to ensure that the system is working well and our performance is high.
The next clause is 9.2 Internal Audit.
Start this process by scheduling your audits based on risk. Procedures that are high risk should be audited frequently, perhaps once or twice a year. Those areas of the business that are lower risk can be audited every 2-3 years.
Now that you have scheduled them, it’s time to conduct the audit. The overriding principles of audit are:
The internal audit needs to identify non-conformities, risks and opportunities. I have written many times on how to conduct an internal audit. Follow that advice and you can’t go wrong.
Next, you must keep records of the audit. Highlight the non-conformities, risks and opportunities.
Finally, the section is completed with 9.3 Management Review.
Your management review is there to ensure the continuing suitability, adequacy and effectiveness of your ISMS.
So what does this mean? You should continually review your business and your ISMS to ensure:
It doesn’t mean that you need to have a review meeting, but I think that is the best forum in which to review your systems.
Once again, I have written many times about Management Review.
That advice still stands. Just do it.