Instant 27001 demo environment

9.1 Monitoring, measurement, analysis and evaluation

Control details

Requirement

The organization shall evaluate the information security performance and the effectiveness of the information security management system.

The organization shall determine:

a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;

NOTE: The methods selected should produce comparable and reproducible results to be considered valid.

c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results.

The organization shall retain appropriate documented information as evidence of the monitoring and measurement results.

Instruction

Define metrics by which the organization can verify that the ISMS and the selected controls are performing as expected.

One proven way to do this is to define a Monitoring plan: an overview of all the checks you wish to perform during the year. Our Monitoring plan is populated automatically from the "Check details" on each page (see below). The check details show:

  • Owner (the person responsible for performing the check, usually the control owner)
  • Frequency (how often the check should be performed, depending on the associated risk)
  • Instruction (optional instruction on how to perform the check)


Q: What is the difference between 9.1 Monitoring, measurement, analysis and evaluation and 9.2 Internal audit?

The Monitoring plan (9.1) defines a series of short-cycle checks the organization performs during the year to make sure the selected controls are functioning as intended. These checks may be performed by the control owner (which is why they are called monitoring rather than audit). The focus is on control conformance: does each control operate as designed?

The internal audit (9.2) is more infrequent (often once per year, and not every part of the standard needs to be audited each year). The goal of the internal audit is to provide assurance that the management system conforms to ISO 27001. The internal auditor needs to be qualified to do so (although the organization may define the required level of qualification). He or she must be impartial and objective; therefore, the internal audit cannot be performed by the control owner or the Security officer for the controls they are responsible for. It is, however, possible to conduct an internal audit with more than one control owner, each auditing the work of the other.

Implementation

Our organization evaluates the effectiveness of the management system according to the Monitoring plan. The evidence of each check is archived on the individual control page. The results are reported to management during the Management review.


Check details

Owner: Security officer
Frequency: Yearly
Instruction: Is the Monitoring plan executed according to plan?