ISO 27001 Clause 9.1 Performance evaluation: Monitoring, measurement, analysis & evaluation

Required activity

The organization evaluates its information security performance in order to determine how effective its ISMS is.

Guidelines for Implementation

Monitoring and measuring information security activities are intended to help an organization determine whether intended outcomes, such as those of risk assessment and risk treatment, are being achieved. Monitoring is about finding out the status of a process, system or activity, whereas measurement is about determining a value. Monitoring therefore often entails taking successive, comparable measurements over a period of time.

The organization establishes the following for monitoring and measurement:

– What is to be monitored and measured;
– Who monitors and measures it, and when;
– The methods to be followed so that valid results are obtained (i.e. results that are comparable and repeatable).

The organization establishes the following for analysis and evaluation:

– Who is responsible for analysing, evaluating and reporting the monitoring and measurement results;
– The methods to be employed to ensure valid results.

Evaluation involves two aspects:

– Evaluating the information security performance of the organization, including whether its ISMS meets its requirements;
– Evaluating how effective the ISMS is, i.e. whether the organization is doing the right things, which includes examining whether its information security objectives are being met.

It should be noted that the phrase “as applicable” in ISO/IEC 27001:2013 implies that where methods for monitoring, measurement, analysis and evaluation are determined, the frequency with which they are performed must also be determined.

Defining the ‘information need’ is good practice for monitoring, measurement, analysis and evaluation. An information need is a high-level statement or question about information security that, when answered, provides insight into the organization’s information security performance and the effectiveness of its ISMS. Monitoring and measurement should therefore be undertaken to satisfy the information needs that have been defined.

The attributes to be measured should be chosen with care. With too many attributes, or the wrong ones, measuring them all becomes impractical, expensive and counterproductive. There is also the risk that key issues are obscured or missed entirely, which can happen when a large number of attributes are measured, analysed and evaluated.

Measurements fall into two general categories:

1. Performance measurements, such as headcounts, milestones accomplished or the extent to which information security controls are implemented, which show progress against planned outcomes;
2. Effectiveness measurements, which quantify the extent to which the organization’s security objectives are achieved by the actions taken to reach them.

When undertaking monitoring, measurement, analysis and evaluation, it is appropriate to identify and assign distinct roles. Typical roles are measurement client, measurement planner, measurement reviewer, information owner, information collector, information analyst and information communicator.

Responsibility for monitoring and measurement is often assigned to different individuals, with different competencies, from those responsible for analysis and evaluation.

The success of an ISMS depends on monitoring, measurement, analysis and evaluation. Several clauses in ISO/IEC 27001 require the effectiveness of something to be evaluated, for instance, ISO/IEC 27001:2013. Further guidance can be found in ISO/IEC 27004, which describes how to meet the requirements of ISO/IEC 27001:2013 in this area, including an explanation of each of the processes described above, roles and responsibilities, and forms, as well as numerous examples.
