Clause 9 ISO 27001
ISO 27001 Section 9.1 - Monitoring, measurement, analysis and evaluation
The ISO 27001 requires organisations to evaluate how the ISMS is performing and how effective the information security management system is.
For this you will need to:
- decide what needs to be monitored;
- agree on the methods you will use for monitoring and analysing;
- when you will conduct the monitoring and measuring;
- decide who will conduct the measurement;
- decide when you will analyse the results of the measurement; and
- who will be responsible for evaluating the results.
ISO 27001 Section 9.2 - Internal audit
The International Standardisation Organisation will expect you to have carried out a number of planned internal audits of your information security management system. These audits will be reviewed independently by an external auditor at stage 2 of the accreditation.
These audits should ensure that the information security management system meets the goals and objectives of the business, as well as the requirements of ISO 27001.
- Plan, establish, implement and maintain an audit programme
- Define the scope and criteria
- Appoint the internal auditors, ensuring objectivity and impartiality
- Report results to the previously agreed staff member
- Ensure all results and comments are documented in the information security management system
ISO 27001 Section 9.3 - Management review
It is the responsibility of senior management to conduct the management review for ISO 27001. These reviews should be pre-planned and often enough to ensure that the information security management system continues to be effective and achieves the aims of the business.
Management reviews should include:
- Details of past management reviews with updated actions
- Any changes to internal and external issues that concern information security
- Feedback on any corrective actions, audit and measurement results
- Interested parties
- Risk assessment results
- Continual improvements opportunities for the ISMS