ISO 27001 Information Security - Clause 9 Evaluation

ISO27001 Clause 9 Evaluation-750
Qudos guide to ISO 27001:2022 clause 9 Evaluation

16th November 2022 - ISO 27001 Information Security in plain English - Blog post #16.

ISO 27001 - Clause 9 Evaluation

This clause forms the Check step of the PDCA cycle. It has three elements:

  • 9.1 Monitoring, measurement, analysis and evaluation
  • 9.2 Internal audit
  • 9.3 Management review

These are discussed below.

9.1 Monitoring, measurement, analysis and evaluation

Monitoring, measurement, analysis and evaluation forms an all-important feedback loop in a management system. These inform us whether our activities are achieving what we set out to do. The standard is not prescriptive here on what needs to be checked, when, how and by whom. It is up to the organization itself to determine that. Records should be retained as evidence.

It may be worthwhile considering some definitions here:

  • Monitoring is determining the status of a system, a process, or an activity. It may involve checking, supervision, or critical observation. For example; Are desks being left clear of paperwork? Monitoring can also be automated. For example: Event logging in operating systems and software applications.
  • Measurement is an activity undertaken to determine a value. For example; how many people have participated in awareness training? how much spare capacity is there on a drive?
  • Analysis is a detailed examination of something in order to understand it. In the context of information security, it is most applicable in analysing the findings of monitoring and measurement.
  • Evaluation follows on from the above. It is the activity of considering the significance and value of results in order to make judgements such as should we change our processes or controls?

9.2 Internal Audit

Internal audits are a series of checks that the system is conforming to requirements of the standard and the organization itself, and that it's working well to achieve the objectives that have been set.

A common failing in management systems is when an organization does not maintain and update its system in the light of changing circumstances. Internal audits provide a structured, pro-active feedback mechanism to verify conformance and help continually improve performance over time. The internal audit process may be loosely broken down into the following steps:

  • Scheduling
  • Planning
  • Performing
  • Recording
  • Communicating results

An internal audit program is a mandatory requirement of all ISO management system standards - and ISO 27001 is no exception.

9.3 Management Review

The performance of a 'Management review' is another mandatory requirement. It's also one of those areas where nonconformances are often raised at certification audits. That really shouldn't be the case, as it's quite a simple requirement that can easily be addressed, and can offer genuine benefits when done even reasonably well. Let's take a brief look at what the standard expects.

In general, top management is expected to review the system at 'planned intervals' to ensure that it continues to be suitable, adequate, and effective to achieve the organization's information security requirements. How long should the intervals be? Well, that is not prescribed, but a 6-month interval is our usual rule of thumb. At the early stages of system development, you may elect to hold them more regularly. The aim should be to get the best cost/benefit ratio. You can always hold interim, full or partial reviews if the need arises. At least one management review needs to take place prior to obtaining certification.

Top management can be taken to include the General Manager / CEO / MD, as well as others such as CIO / IT Manager, HR / People and Culture Manager, and COO / Operations Manager etc. It would certainly include the CISO or manager with overall responsibility for the ISMS. Naturally, the exact make-up of the top management team would depend on the size and type of organization.

ISO 27001 does not specify the format for a management review. However, it is typically conducted as a meeting - with an agenda, and minutes being taken with action points. The standard lists requirements for inputs - or what should be considered in the management review. That list can be very conveniently translated into an agenda.

This article is based on an extract from the Qudos ISO 27001 InfoSec Toolkit Guide Book.

ISO 27001 InfoSec Toolkit
Qudos 3 IMS software

Qudos 3 IMS / ISMS Software - For better evaluation

Qudos 3 clients will find that there is a wealth of tools in the software to help address this clause effectively and efficiently. In particular:

  • The Benchmark and Audits modules may be used for measurement and evaluation exercises.
  • The Audits module will streamline all stages of the internal audit process.
  • The Meetings module with its template agendas etc. will greatly assist you to plan and record management reviews.
Find out about Qudos 3 IMS software

About the series 'ISO 27001 Information Security in plain English'

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Now updated for the latest version of the standard - ISO 27001:2022.

Click the LinkedIn Follow button below to receive notifications.

There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.

Ready to start your journey to ISO 27001?

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!