For copyright reasons, this space does not contain citations from the Standard.
Define metrics on how the organization can be sure the ISMS and the selected controls are living up to their expectations.
One proven way to do this is to define a Monitoring plan: an overview of all the checks you wish to perform during the year. Our Monitoring plan is populated automatically with the information from the "Check details" on each page (see below). The check details show:
Owner (the person responsible for performing the check, usually the control owner)
Frequency (how often the check should be performed, depending on the associated risk)
Instruction (optional instruction on how to perform the check)
The Monitoring plan (9.1) defines a series of short-cycle checks the organization needs to perform during the year to make sure the selected controls are functioning as intended. They can be performed by the control owner. It focuses on control conformance.
The internal audit (9.2) is less frequent (often once per year, and not all parts of the standard need to be audited each year). The goal of the internal audit is to provide assurance that the management system complies with ISO 27001. The /wiki/spaces/DEMO/pages/5669069 needs to be qualified to do so (although the organization may refine the level of qualification). He or she must be impartial and objective; therefore, the internal audit cannot be performed by the control owner and/or the Security officer (role). It is, however, possible to conduct an internal audit with more than one control owner, each checking the work of the other.
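As an added example (not the tooling behind this wiki space), the following Python script shows how the check details described above (owner, frequency, instruction) can be collected from each control page into a yearly Monitoring plan, and how the 9.2 impartiality rule (the auditor of a page must be neither that page's control owner nor the Security officer) can be checked before audit assignments are confirmed. The frequency labels, page names, people and instructions are constructed for illustration and are not from the page.

```python
"""Generate a yearly Monitoring plan from per-page check details and
validate internal-audit assignments for impartiality.

Added example for this wiki page; it is not part of the page's own tooling.
The field names mirror the "Check details" described above (owner,
frequency, instruction); the frequency labels, page names and people are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed frequency labels -> number of checks per year.
FREQUENCY_PER_YEAR: Dict[str, int] = {
    "monthly": 12,
    "quarterly": 4,
    "semi-annual": 2,
    "annual": 1,
}


@dataclass(frozen=True)
class CheckDetails:
    """The check details recorded on a control page."""
    page: str              # wiki page (control) the check belongs to
    owner: str             # person who performs the check, usually the control owner
    frequency: str         # one of FREQUENCY_PER_YEAR
    instruction: str = ""  # optional instruction on how to perform the check


@dataclass(frozen=True)
class PlannedCheck:
    """One row of the Monitoring plan."""
    due: date
    page: str
    owner: str
    instruction: str


def due_dates(year: int, frequency: str) -> List[date]:
    """Spread a check evenly over the year: the due date is the first day
    of the last month of each period (Mar/Jun/Sep/Dec for quarterly)."""
    per_year = FREQUENCY_PER_YEAR.get(frequency)
    if per_year is None:
        raise ValueError(
            f"unknown frequency {frequency!r}; expected one of {sorted(FREQUENCY_PER_YEAR)}")
    step = 12 // per_year
    return [date(year, month, 1) for month in range(step, 13, step)]


def build_monitoring_plan(checks: List[CheckDetails], year: int) -> List[PlannedCheck]:
    """Populate the Monitoring plan from every page's check details,
    ordered by due date so it can be worked through during the year."""
    plan = [
        PlannedCheck(due, check.page, check.owner, check.instruction)
        for check in checks
        for due in due_dates(year, check.frequency)
    ]
    return sorted(plan, key=lambda row: (row.due, row.page))


def workload_by_owner(plan: List[PlannedCheck]) -> Dict[str, int]:
    """Number of checks each owner has to perform in the year; useful when
    judging whether a chosen frequency is realistic for that owner."""
    counts: Dict[str, int] = {}
    for row in plan:
        counts[row.owner] = counts.get(row.owner, 0) + 1
    return counts


def audit_assignment_issues(assignments: Dict[str, str],
                            checks: List[CheckDetails],
                            security_officer: str) -> List[str]:
    """Apply the impartiality rule from 9.2: the auditor of a page must not
    be that page's control owner and must not be the Security officer.
    Two control owners auditing each other's pages is allowed."""
    owner_of = {check.page: check.owner for check in checks}
    issues: List[str] = []
    for page, auditor in assignments.items():
        if auditor == security_officer:
            issues.append(f"{page}: auditor {auditor} is the Security officer")
        if owner_of.get(page) == auditor:
            issues.append(f"{page}: auditor {auditor} is the control owner")
    return issues


# Constructed sample check details, as they might be collected from three control pages.
SAMPLE_CHECKS = [
    CheckDetails("access-reviews", "alice", "quarterly",
                 "Compare active accounts against the leavers list from HR"),
    CheckDetails("malware-protection", "bob", "monthly",
                 "Confirm every endpoint reports to the protection console"),
    CheckDetails("backup-restore-test", "carol", "annual",
                 "Restore a random backup set and record the outcome"),
]
SECURITY_OFFICER = "dave"  # constructed name for the Security officer role


if __name__ == "__main__":
    plan = build_monitoring_plan(SAMPLE_CHECKS, 2024)
    for row in plan:
        print(row.due, row.page, row.owner, "-", row.instruction)
    print(workload_by_owner(plan))
    # carol is assigned to audit her own page, so one issue is reported
    print(audit_assignment_issues(
        {"access-reviews": "bob", "malware-protection": "alice", "backup-restore-test": "carol"},
        SAMPLE_CHECKS, SECURITY_OFFICER))
```

The plan rows carry the owner and instruction with them, so the same list can be turned into reminders or into the evidence checklist that is archived on each page after the check is performed.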
Our organization evaluates the effectiveness of the management system according to the Monitoring plan. The evidence is archived on each individual page. The results are reported back to management during the Management reviews.