ISO 27001 Clause 9.1 Performance evaluation Monitoring, measurement, analysis & evaluation

Required activity

Knowledge security performance is analyzed by the organization to determine how effective its ISMS is.

Guidelines for Implementation

Monitoring and measuring data security activities are intended to assist an organization in determining whether the intended outcomes, such as risk assessment and treatment, are being achieved. Unlike measurement, monitoring is about finding out the status of a process, system, or activity, whereas measurement is about determining its worth. So monitoring often entails taking successive measurements over a long period that are comparable.

The organization establishes the following monitoring and measurement systems:

– What to observe and measure;
– Who monitors the process and measures whether it’s working
– A method to be followed so that valid results are obtained (i.e. comparable and repeatable).

The organization establishes the following processes for analysis and evaluation:

– The investigator is responsible for analysing, evaluating and reporting monitoring and measurement results
– Techniques to be employed to ensure accurate results.

Evaluation involves two aspects:

– Assessing the knowledge security performance of an organization, including whether its ISOMS meets its requirements;
– Investigate how effectively the organization uses the ISMS by determining if it is doing the right thing, which includes examining whether information security objectives are being met.

It should be noted that “as applicable” (ISO/IEC 27001:2013) implies that if monitoring methods, measuring, analyzing, and evaluating are determined frequently then those must also be determined.

Defining the ‘information need’ is a good practice in monitoring, measuring, analyzing, and evaluating functions. A high-level statement or question about information security, and information need provides insight into a company’s information security performance and effectiveness of its ISMS. As a result, monitoring as well as measuring should be undertaken to fulfil outlined information needs.

Choosing the attributes to be measured should be done with care. With too many attributes and the wrong ones, it is impractical, expensive, and counterproductive to measure them all. There are other possibilities, such as that key issues might be obscured or even missed entirely, something that’s possible when measuring, analyzing and evaluating numerous attributes.

Measurements fall into two general categories:

1. Performance measurements, such as headcounts, milestones accomplished, or the extent to which information security controls are implemented, that illustrate the planned outcomes;
2. Effectiveness measurements, which quantify the security objectives of the organization based upon the actions that are taken to achieve them.

When involved in monitoring, measurement, analysis, and evaluation, it is appropriate to identify and assign distinct roles. It is common for measurement clients, measurement planners, measurement reviewers, information owners, information collectors, information analysts and knowledge communicators to fulfil these roles.

Individuals with different competencies are often assigned the responsibilities of monitoring and measurement and analysis and evaluation.

The success of an ISMS depends on monitoring, measurement, analysis, and evaluation. There are several clauses in ISO/IEC 27001 that require assessment of effectiveness, for instance, ISO/IEC 27001:2013. Further information can be found in ISO/IEC 27004, a document that describes how to meet the requirements for ISO/IEC 27001:2013, including an explanation of each of the processes described above, roles and responsibilities, and forms, as well as numerous examples.