Instant 27001 demo environment
9.1 Monitoring, measurement, analysis and evaluation
Control details
Requirement | The organization shall evaluate the information security performance and the effectiveness of the information security management system. The organization shall determine: a) what needs to be monitored and measured, including information security processes and controls; The methods selected should produce comparable and reproducible results to be considered valid. c) when the monitoring and measuring shall be performed; The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.
---|---
Instruction | Define metrics that show whether the ISMS and the selected controls are living up to their expectations. One proven way to do this is to define a Monitoring plan: an overview of all the checks you wish to perform during the year. Our Monitoring plan is populated automatically from the "Check details" on each page (see below). The check details show:
Implementation | Our organization evaluates the effectiveness of the management system according to the Monitoring plan. The evidence is archived on each individual page. The results are reported back to management during the Management reviews.

What is the difference between 9.1 Monitoring, measurement, analysis and evaluation and 9.2 Internal audit? The Monitoring plan (9.1) defines a series of short-cycle checks the organization needs to perform during the year to make sure the selected controls are functioning as intended. They can be performed by the control owner (hence the name, Monitoring plan). It focuses on control conformance. The internal audit (9.2) is more infrequent (often once per year, and not all parts of the standard need to be audited each year). The goal of the internal audit is to provide assurance that the management system complies with ISO 27001. The internal auditor needs to be qualified to do so (although the organization may refine the level of qualification). He or she must be impartial and objective; therefore, the internal audit cannot be performed by the control owner and/or the Security officer. It is, however, possible to conduct an internal audit with more than one control owner, each checking the work of the other.
Check details
Owner | Security officer
---|---
Frequency | Year
Instruction | Is the Monitoring plan executed according to plan?