Information Security Principle 10


Part 11 - Continual reassessment of information security and making of modifications as appropriate

The final principle of information security is to continually assess your information security, modifying and possibly improving it over time. The constant assessment and reassessment of your information security will provide evidence it is operating well and providing value to your organisation.

New vulnerabilities in your systems and networks are discovered continually, and the threats to your systems will not go away.

Reassessing your system and making modifications ensures you are keeping up-to-date with latest changes whether they be legislated externally or just through your internal requirements.

One of the best ways to reassess your information security is to implement a formal internal audit programme. This involves having trained internal auditors who follow a planned audit schedule and audit your information security at regular intervals to ensure everything is being managed effectively. It is best to have a team of auditors that includes at least one Technical Expert with knowledge of the area under audit. Auditors should be independent and impartial, i.e. they must not audit their own work.

Another process that helps reassess your information security is conducting a regular Management Review. This is typically a meeting with a formal agenda. Attendees at your Management Review will be your top management and your Information Security Officer. I believe it is best that the review is held monthly.

So you need to be in a constant state of analysing, evaluating and updating your information security, and to continually improve it. Use tools like internal auditing and management review to ensure your processes remain efficient and effective.


Learn More:

  1. Information Security - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
  2. Information Security - Principle 2 - Awareness of the need for information security
  3. Information Security - Principle 3 - Assignment of Responsibility for Information Security
  4. Information Security - Principle 4 - Incorporating management commitment and the interests of stakeholders
  5. Information Security - Principle 5 - Enhancing Societal Values
  6. Information Security - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk
  7. Information Security - Principle 7 - Security incorporated as an essential element of information networks and systems
  8. Information Security - Principle 8 - Active prevention and detection of information security incidents
  9. Information Security - Principle 9 - Ensuring a comprehensive approach to information security management