ISO27001 and the Performance Evaluation Clauses


ISO27001 for Information Security Management Systems clause 9, Performance Evaluation, is full of that favourite ISO term "shall", which as we all know means you must do what they are asking. Clause 9 is split into 3 subclauses to help focus you on the things that really drive the performance evaluation requirements in any management system:

9.1 Monitoring, Measurement, Analysis and Evaluation, 9.2 Internal Audit and 9.3 Management Review. If you look closely and cast your mind back to the structure of the new ISO standards, they all follow a PDCA, or Plan, Do, Check, Act (adjust), loop. It is pretty obvious then that clause 9 is all about the Check part of that loop.

Clause 9.1 Monitoring, Measurement, Analysis and Evaluation

Evaluating how well your Information Security Management System (ISMS) is working is a key requirement, as it is for all other ISO management systems. So, what do you have to do? Well, the standard gives you some things to tick off in terms of designing how you do things, but it will not tell you what to measure, monitor or evaluate because, well, it's your system and you need to figure that out. Thankfully, earlier on you worked out what the needs of your interested parties were. Perhaps it was an expectation that their data be secure, that the system be available, or that access be carefully controlled; it could be any number of things, but the point is those needs are going to let you figure out what you need to monitor. If, for example, one of the interested parties' needs was security of data, then you would absolutely want to measure system attacks or data breaches. That means you need to come up with a clear statement of what you will measure. Then you can figure out who should measure it, when and how often they measure it, where they record the data for that measurement and what to do when the measurement falls below your target.

When you are done figuring out what you must measure, before you lock it all in, just take a step back and look at how many items you have. It is easy to decide that you must try to measure everything in your ISMS, but you don't; in fact at most you should be targeting between 3 and 5 things. If you think about it for a while those things will jump out at you as the key ones; it just takes a little time and some discussion.

Clause 9.2 Internal Audit

I do not know why the word audit strikes fear into people, but it does. It should not, as it is a fantastic improvement tool, and that is all it is: a structured method of looking at your processes and systems to make sure they are being followed and delivering what you need. If they are not, then you need to make a change, which is a good thing. In fact, if you always pass your audits with zero opportunities to improve, you probably are not doing them right. There is such a thing as over-auditing. Your audit programme needs to take a risk-based approach: audit those high-risk areas more frequently than low-risk areas. Low-risk areas, for example, may be something you audit every 2 or 3 years; a high-risk area could be every 3 or 6 months!

The key to running good audits is not rocket science. Always remember you are dealing with people, so be kind and enquiring, be independent, and do not offer your own solutions to issues or prompts; that is not your role here, even if you do know the answer. Of course, equally important is to keep a record of the audit, the actions, the non-conformances and the opportunities for improvement; otherwise the audit never happened.

Clause 9.3 Management Review

The final part of the Clause 9 Performance Evaluation puzzle for your ISO27001 ISMS is the Management Review. The focus of your management review is to take that higher-level view of your entire system to ensure that it continues to meet all the requirements that you set out to meet. The management review of your information security management system needs to ensure that it continues to align with the objectives of the business, that it still considers the interested parties, and that the monitoring, measuring and auditing of your system are happening and are producing good results that are useful for improving the system. Non-conformances, corrective actions, risk assessments, opportunities for improvement and, of course, feedback from any interested parties are all considered. In terms of frequency, the Management Review should be at least annual; for younger systems, however, I'd strongly suggest a mid-year review as well, just to ensure things are being followed through on.

© Many Caps Consulting | All Rights Reserved