ISO 27001 Information Security Management Standard

Part 11 - Continual reassessment of information security and making of modifications as appropriate

The final principle of ISO 27001 is to continually assess your information security management system (ISMS) and modifying and possibly improving it over time.

The constant assessment and reassessment of your ISMS will provide evidence it is operating well and providing value to your organisation.

There are always newer and newer vulnerabilities to your systems and networks. Plus the threats to your systems won’t go away.

Modern notebook computer with future technology media symbols.jpeg

Let’s not forget that if the companies affected by the WannaCry ransomware attack in May 2017 had reassessed the effectiveness of their ISMS, then perhaps it may have been prevented. A fix (patch) to the problem had been available from Microsoft for 2 months prior to the attack. The fix to this serious issue may have been highlighted during the reassessment process.

On the other hand though, sometimes these attacks are almost indefensible. A case in point is the recent 2017 Petya virus that hugely affected major organisations like Maersk. It was a new type of malware that went undetected. A Maersk spokeman said: “This virus attack was a previously unseen type of malware, and updates and patches applied to both the Windows systems and our antivirus were not an effective protection in this particular case.” Therefore, your reassessment needs to comprehensive enough to ensure you cover as many vulnerabilities as you can.

Reassessing your system and making modifications ensures you are keeping up-to-date with latest changes whether they be legislated externally or just through your internal requirements.

One of the best ways to reassess your ISMS is to implement a formal internal audit programme. This involves having trained internal auditors. They then follow a planned audit schedule. Then they will audit your ISMS at regular intervals to ensure the ISMS is being managed effectively. It’s best to have a team of auditors that include at least one Technical Expert. The Technical Expert must have knowledge in the area under audit. They should be independent and impartial, i.e. they must not audit their own work.

I have written many blogs on the processes around internal auditing.

Are You Running An Effective Internal Audit Programme?

How to Create an Internal Audit Schedule

The Use of Risk Based Thinking When Creating an Internal Audit Schedule

Is it time to STOP Internal Auditing

7 Keys to Running an Effective Internal Audit Programme

Freshening-up Your Internal Auditing Programme

Internal Audits - Your (Not So) Secret Weapon

Another process that helps reassess your ISMS is conducting a regular Management Review. This is typically a meeting with a formal agenda. The agenda should cover the items listed in ISO 27001. There are:

the status of actions from previous management reviews;
changes in external and internal issues that are relevant to the ISMS;
feedback on the information security performance, including trends in:
- non-conformities and corrective actions;
- monitoring and measurement results;
- audit results; and
- fulfillment of information security objectives;
feedback from interested parties;
results of risk assessment and status of risk treatment plan; and
opportunities for continual improvement.

Attendees to your Management Review will be your top management and your Information Security Officer. I believe it’s best that the review is held monthly. I have alos written many blogs on the processes around Management Review:

How to Get More Value Out of Your Mnagaement Reviews

Top Tips for getting More Value Out of Your Management Reviews

So you need to be in a constant state of analysing, evaluating and updating your ISMS. You need to continuously improve the ISMS. Use tools like internal auditing and management review to ensure your processes remain efficient and effective. Start these processes now.