What is covered under ISO 27001 Clause 10.1?
A large part of running an information security management system (ISMS) is treating it as a living system rather than a one-off project. Organisations that take improvement seriously assess, test, review and measure the performance of the ISMS as part of the broader business-led strategy, going beyond a 'tick box' regime.
There are several mechanisms already covered within ISO 27001 for the continual evaluation and improvement of the ISMS including:
- 6.1 risk assessment and treatment - ongoing
- 6.2 objectives monitoring, measurement and evaluation - ongoing
- 9.2 Internal audits - ongoing
- 9.3 management reviews - ongoing
- 10.2 nonconformities and corrective actions - ongoing
- Annex A 5.1 - reviews of policies - ongoing
- Annex A 6.3 - information security awareness, education and training - ongoing
- Annex A 5.27 - learning from information security incidents
- Annex A 5.36 - compliance reviews - ongoing
- External audits (e.g. certification audits by a UKAS-accredited certification body)
Most of the above happen as part of normal ISMS operation and do not need to be logged individually on an improvement list (state this clearly in the policy); they can still be presented to an auditor as evidence of continual improvement.
Improvements can also come from many other places, and these should be documented within the ISMS improvement process. They include:
- Customer requests or concerns
- Trending data from other operational systems
- Other observations, e.g. from suppliers or other interested parties
It is also useful to define what is not an improvement to the information security management system. For example, a service desk that receives product questions would find it painful to treat every ticket as an opportunity for improvement, whereas a repeated issue might indicate a nonconformity or a general area for improvement. Make sure the policy is clear about what is and what is not considered an improvement.