ISO 27001 Information Security - Clause 9 Evaluation

This clause forms the Check step of the PDCA cycle. It has three elements:

• 9.1 Monitoring, measurement, analysis and evaluation
• 9.2 Internal audit
• 9.3 Management review

These are discussed below.

9.1 Monitoring, measurement, analysis and evaluation

Monitoring, measurement, analysis and evaluation forms an all-important feedback loop in a management system. These inform us whether our activities are achieving what we set out to do. The standard is not prescriptive here on what needs to be checked, when, how and by whom. It is up to the organization itself to determine that. Records should be retained as evidence.

It may be worthwhile considering some definitions here:

• Monitoring is determining the status of a system, a process, or an activity. It may involve checking, supervision, or critical observation. For example; Are desks being left clear of paperwork? Monitoring can also be automated. For example: Event logging in operating systems and software applications.
• Measurement is an activity undertaken to determine a value. For example; how many people have participated in awareness training? how much spare capacity is there on a drive?
• Analysis is a detailed examination of something in order to understand it. In the context of information security, it is most applicable in analysing the findings of monitoring and measurement.
• Evaluation follows on from the above. It is the activity of considering the significance and value of results in order to make judgements such as should we change our processes or controls?

9.2 Internal Audit

Internal audits are a series of checks that the system is conforming to requirements of the standard and the organization itself, and that it's working well to achieve the objectives that have been set.

A common failing in management systems is when an organization does not maintain and update its system in the light of changing circumstances. Internal audits provide a structured, pro-active feedback mechanism to verify conformance and help continually improve performance over time. The internal audit process may be loosely broken down into the following steps:

• Scheduling
  
• Planning
• Performing
• Recording
• Communicating results

An internal audit program is a mandatory requirement of all ISO management system standards - and ISO 27001 is no exception.

9.3 Management Review

The performance of a 'Management review' is another mandatory requirement. It's also one of those areas where nonconformances are often raised at certification audits. That really shouldn't be the case, as it's quite a simple requirement that can easily be addressed, and can offer genuine benefits when done even reasonably well. Let's take a brief look at what the standard expects.

In general, top management is expected to review the system at 'planned intervals' to ensure that it continues to be suitable, adequate, and effective to achieve the organization's information security requirements. How long should the intervals be? Well, that is not prescribed, but a 6-month interval is our usual rule of thumb. At the early stages of system development, you may elect to hold them more regularly. The aim should be to get the best cost/benefit ratio. You can always hold interim, full or partial reviews if the need arises. At least one management review needs to take place prior to obtaining certification.

Top management can be taken to include the General Manager / CEO / MD, as well as others such as CIO / IT Manager, HR / People and Culture Manager, and COO / Operations Manager etc. It would certainly include the CISO or manager with overall responsibility for the ISMS. Naturally, the exact make-up of the top management team would depend on the size and type of organization.

ISO 27001 does not specify the format for a management review. However, it is typically conducted as a meeting - with an agenda, and minutes being taken with action points. The standard lists requirements for inputs - or what should be considered in the management review. That list can be very conveniently translated into an agenda.