ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation


ISO 27001 requires you to ensure the effective operation of the information security management system by implementing appropriate measures and monitors and by analysing and evaluating their results.

In this ultimate guide to ISO 27001:2022 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation you will learn:

  • What ISO 27001 Clause 9.1 is
  • How to implement it
  • What and how to monitor, measure, analyse and evaluate

What Is ISO 27001 Clause 9.1?

ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation requires an organisation to implement measures and monitors to evaluate the effectiveness of the information security management system. It is a requirement to maintain evidence of the results of measures and monitors.

ISO 27001 Clause 9.1 Definition

The ISO 27001 standard defines ISO 27001:2022 clause 9.1 as:

The organisation shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated;
f) who shall analyse and evaluate these results.
Documented information shall be available as evidence of the results.
The organisation shall evaluate the information security performance and effectiveness of the information security management system.

ISO 27001:2022 Clause 9.1 Monitoring, Measurement, analysis, evaluation

What are the ISO 27001:2022 Changes to Clause 9.1?

There are clarification changes to the ISO 27001 Clause 9.1 in the 2022 update.

  • The words about the organisation evaluating the information security performance and the effectiveness of the management system have been removed. They are covered to a greater or lesser degree elsewhere in the clause.
  • 9.1 b has been updated to give guidance on the methods of monitoring, measurement, analysis and evaluation and states that they should produce comparable and reproducible results to be considered valid. This was previously a footnote, so there is no material change.
  • 9.1 e has had the word ‘and’ removed, with little to no consequence.
  • A requirement for documented information to be available as evidence of results has been included, making it an explicit rather than an implied requirement.
  • The line requiring the organisation to retain appropriate documented information as evidence has been replaced with the requirement to evaluate the information security performance and effectiveness of the information security management system.

In substance the clause says the same thing and carries the same requirement; only the wording has changed.

Implementation Guide

You demonstrate compliance to ISO 27001 Clause 9.1 by having in place measures and monitors that you can show to an auditor and evidence of the operation of those measures and monitors with historical reports that show historic results.

Document your systems and processes

To understand what needs to be measured and monitored you must know what you have. Document your systems and processes. System architecture diagrams, network diagrams, server and virtual server layout diagrams, technology stacks, a physical asset register and a data asset register are examples of best practice documentation that will enable you to implement effective measures and monitors.

Conduct a risk assessment

Follow your risk management methodology and conduct a risk assessment on the assets that make up your products and services. This will allow you to prioritise your resources and identify the key systems that require monitoring.

Decide what to monitor

Looking at the functionality of the processes and systems, and using the diagrams and the risk assessment, decide exactly what you are going to monitor. It is often not feasible to monitor everything. Make sure you are monitoring what is important and where the risk lies.

Decide what to measure

The measures that make up the monitors should be decided. Decide exactly what you are going to measure, technically. This will be based on the technology you have deployed and its inbuilt capabilities, as well as a review of any third-party tools that may be required to plug gaps.

Create a measures report

Reporting should be conducted at several levels. You will have automatic alerts that feed into your various processes, such as incident management, as well as snapshot reports created to satisfy the needs of the various stakeholders in your organisation. You will maintain evidence of these reports.

Implement regular reviews

There is no point in having measures and monitors if they are not reviewed. Some tools have the capability to issue real-time alerts. It is also good practice to set aside time on a regular basis to perform manual reviews of all of the data points you are collecting. This includes a pass over the automated alerts to ensure that none have been missed, that they are configured correctly and that they are being responded to correctly.

Implement exception steps

Exception steps are important because they define what happens when a measure or monitor hits a particular threshold. Implement steps that cover what happens if the measures and monitors fail or exceed their defined thresholds.

Regularly report to the Management Review Team

It is a requirement to share the output of the measures and monitors with the management review team as part of the process of continual improvement and oversight. Results should be shared and talked through, as should any required corrective actions.

Follow the continual improvement process

Measures and monitors will continually evolve, so be sure to follow the continual improvement process. Threat intelligence will lead to changes in what you monitor and how you respond.
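The steps above (decide the measures, run the monitor, evaluate against thresholds, trigger exception steps, retain the report as evidence, prune it on a retention window) can be made concrete in code. The following Python sketch is an added example, not code from the original page or from any ISO 27001 template; the asset inventory, host names, patch window, thresholds, owners and dates are all constructed for illustration, and the measures (endpoints with active antivirus, endpoints patched within a window) are the ones this page's FAQ uses as examples.

```python
"""Measures and monitors for ISO 27001 Clause 9.1: a minimal runnable model.

Constructed example: the inventory, thresholds, owners and dates below are
invented for illustration and do not describe any real environment.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable

# Constructed asset register (hypothetical hosts and patch dates).
INVENTORY = [
    {"host": "ws-001", "av_active": True,  "last_patch": date(2024, 5, 2)},
    {"host": "ws-002", "av_active": True,  "last_patch": date(2024, 3, 10)},
    {"host": "ws-003", "av_active": False, "last_patch": date(2024, 5, 6)},
    {"host": "srv-01", "av_active": True,  "last_patch": date(2024, 4, 30)},
    {"host": "srv-02", "av_active": True,  "last_patch": date(2024, 4, 20)},
]
AS_OF = date(2024, 5, 8)      # the day this monitor run took place (9.1 c)
PATCH_WINDOW_DAYS = 30        # hypothetical patching SLA


@dataclass(frozen=True)
class Measure:
    """What is measured, how it is measured (9.1 b), who measures it (9.1 d)
    and the threshold below which the exception step fires."""
    name: str
    method: str                    # written down so results are reproducible
    collect: Callable[[], float]   # returns the measured value as a percentage
    minimum_pct: float             # exception step fires below this value
    owner: str                     # system or process owner who measures


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal place; 0.0 for an empty register."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def av_coverage() -> float:
    """Measure: share of endpoints in the register with antivirus active."""
    return pct(sum(1 for h in INVENTORY if h["av_active"]), len(INVENTORY))


def patch_compliance() -> float:
    """Measure: share of endpoints patched within the patch window."""
    cutoff = AS_OF - timedelta(days=PATCH_WINDOW_DAYS)
    return pct(sum(1 for h in INVENTORY if h["last_patch"] >= cutoff), len(INVENTORY))


MEASURES = [
    Measure("Endpoints with active antivirus",
            "count av_active=True in the asset register", av_coverage, 100.0, "Endpoint owner"),
    Measure("Endpoints patched within 30 days",
            "count last_patch within PATCH_WINDOW_DAYS of AS_OF", patch_compliance, 75.0, "Platform owner"),
]


@dataclass
class Result:
    measure: str
    value: float
    threshold: float
    owner: str
    exception: bool   # True means the exception step must be followed


def run_monitor(measures=MEASURES) -> list:
    """The monitor: collect every measure and flag threshold breaches."""
    results = []
    for m in measures:
        value = m.collect()
        results.append(Result(m.name, value, m.minimum_pct, m.owner, value < m.minimum_pct))
    return results


def measures_report(results, as_of: date = AS_OF) -> dict:
    """Snapshot report kept as documented information: the evidence of results."""
    return {
        "as_of": as_of.isoformat(),
        "results": [vars(r) for r in results],
        "exceptions": [r.measure for r in results if r.exception],
    }


def prune_reports(reports: list, today: date, keep_months: int = 18) -> list:
    """Apply a rolling retention window to stored reports (18 months is a
    hypothetical choice; months are approximated as 30 days)."""
    cutoff = today - timedelta(days=keep_months * 30)
    return [r for r in reports if date.fromisoformat(r["as_of"]) >= cutoff]


if __name__ == "__main__":
    report = measures_report(run_monitor())
    for r in report["results"]:
        print(f"{r['measure']}: {r['value']}% (threshold {r['threshold']}%) exception={r['exception']}")
    print("Exceptions to action:", report["exceptions"])
```

On the constructed register one endpoint lacks antivirus and one is outside the patch window, so both measures read 80.0%; antivirus coverage breaches its 100% threshold and is raised as an exception, while patch compliance stays above its 75% threshold. The `method` and `owner` fields are deliberately part of each measure so that the report itself records how and by whom the value was produced, which is what makes the result comparable and reproducible at the next review.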

Standard Guidance

Further guidance is provided in the ISO 27001 Annex A controls, which were revised in 2022 alongside the changes to the ISO 27002 standard and which specifically call out required monitoring and analysis. As you would expect, this is a fundamental area for an information security management system and as such it touches most of the controls. Here we will look at some specifics and at what Annex A says.

There are many ways to implement measures and monitors and what is right for you will depend on your company culture and the tools available.

Consider the methods that you know get results in your organisation and, wherever possible, retain evidence of your measures and monitors.

Technical tools are great, but also consider manual reviews, checks and balances, and decide for each manual process how you will record it and evidence it.

Threat Intelligence

This is a new control introduced in 2022. Whilst not a measure and monitor in the direct sense, it is an indirect one: it allows an organisation to gather threat intelligence so as to understand risk more effectively, identify what controls may be required and better protect itself.

Information relating to information security threats should be collected and analysed to produce threat intelligence.

ISO 27001:2022 Annex A 5.7 Threat Intelligence


Monitoring, review and change management of supplier services

Supply chain security represents one of the biggest risks to any organisation, as it is something outside your direct control. Regular review and monitoring of suppliers' security practices and service delivery seeks assurance that they are doing the right thing for information security and therefore protecting you, your customers and your clients.

The organisation should regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services

Physical security monitoring

The requirements of ISO 27002 clause 7.5 are satisfied by physical controls such as locked doors, person-controlled reception areas, visitor cards, escorted visitors and, potentially, CCTV cameras and alarms. This is traditional security around access to physical locations.

Premises should be continuously monitored for unauthorised physical access.

ISO 27001:2022 Annex A 7.5 Physical security monitoring

Capacity Management

Monitoring, reporting, analysing and responding to capacity is specifically aimed at the availability aspect of information security: ensuring that information and systems are available when required, and avoiding the unintended consequences of exceeding the capacity of those systems.

The use of resources should be monitored and adjusted in line with current and expected capacity requirements.

ISO 27001:2022 Annex A 8.6 Capacity Management

Configuration Management

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

ISO 27001:2022 Annex A 8.9 Configuration Management

Logging

Logging is one of the more straightforward measures and monitors that we can introduce and is often provided as a default capability of most applications and systems. Similar to the next control, 8.16 Monitoring activities, this control on logging is a bit of a catch-all.

Logs that record activities, exceptions, faults and other relevant events should be produced, stored, protected and analysed.

ISO 27001:2022 Annex A 8.15 Logging

Monitoring Activities

We have seen some specific requirements on measures and monitors, but now we enter what we call a ‘catch-all’ control that basically says monitor everything. There is an art and a science in deciding and justifying what you monitor so as not to suffer monitoring overload.

Networks, systems and applications should be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

ISO 27001:2022 Annex A 8.16 Monitoring Activities

Security of Network Services

Security mechanisms, service levels and service requirements of network services should be identified, implemented and monitored.

ISO 27001:2022 Annex A 8.21 Security of Network Services

Outsourced Development

This is one of the few controls in the statement of applicability that is often not applicable, especially if you do not outsource your software development or do not do software development at all. If you do, then monitoring and review is required.

The organisation should direct, monitor and review the activities related to outsourced system development.

ISO 27001:2022 Annex A 8.30 Outsourced Development

ISO 27001 Templates

ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster, these individual templates help meet the specific requirements of ISO 27001 clause 9.1.


FAQ

What is ISO 27001 Clause 9.1 Monitoring, Measurement, analysis, evaluation?

ISO 27001 Clause 9.1 Monitoring, Measurement, analysis, evaluation requires an organisation to implement measures and monitors to evaluate the effectiveness of the information security management system. It is a requirement to maintain evidence of the results of measures and monitors.

How do I evidence I meet the requirement of ISO 27001 Clause 9.1?

You demonstrate compliance to ISO 27001 Clause 9.1 by having in place measures and monitors that you can show to an auditor and evidence of the operation of those measures and monitors with historical reports that show historic results.

Where can I download ISO 27001 Clause 9.1 templates?

You can download ISO 27001 Clause 9.1 templates in the ISO 27001 Toolkit.

ISO 27001 Clause 9.1 example?

An example of ISO 27001 Clause 9.1 can be found in the ISO 27001 Toolkit.

What is an ISO 27001 measure for clause 9.1?

A measure is something that can be observed to happen and that has a quantitative value.

What is an ISO 27001 monitor for clause 9.1?

A monitor is the system by which the measures are collected and recorded.

What is the difference between ISO 27001 measures and ISO 27001 monitors?

Monitors are the systems by which the measures are captured. A monitor is an oversight or observation, whereas a measure is an actual value or metric.

How do you comply with ISO 27001 clause 9.1?

You comply with ISO 27001 clause 9.1 by identifying which measures and monitors you need, based on risk and business need, and then implementing them. In addition you implement the processes to oversee and react to them, and you implement effective reporting for governance and oversight. Finally you implement continual improvement and incident management processes to handle the output of those processes.

What is an example of an ISO 27001 measure for ISO 27001 clause 9.1?

Example measures for ISO 27001 clause 9.1 would be the number of machines with active antivirus, the number of machines patched and the number of people trained.

What is an example of an ISO 27001 monitor for ISO 27001 clause 9.1?

Example monitors for ISO 27001 clause 9.1 would be having antivirus in place with automatic alerts and reporting enabled, having asset management software in place that handles patching and reports on failed patching attempts, and having a report that periodically shows the number of people not trained in information security.

Who does the analysis of ISO 27001 measures and monitors?

The analysis of ISO 27001 measures and monitors is performed by the allocated system and process owner. They are best placed to understand the results and provide guidance based on them.

How often do you review and analyse ISO 27001 measures and monitors?

As often as is necessary based on risk. It would not be unreasonable for the review to be conducted monthly.

How long do I keep results of ISO 27001 measures and monitors?

For as long as is necessary based on business need and risk. It would not be unreasonable to keep the results for a rolling period of 18 months.

Who do I share ISO 27001 measures and monitors with?

You share the results with the owner of the asset, process or system that is being measured and monitored. In addition you share them with the Management Review Team as part of the process of continual improvement, for oversight and sign-off.

I identified a problem in my ISO 27001 measures and monitors, what do I do now?

Follow your process of continual improvement and make the necessary changes to the measure and monitor.
