Introduction
ISO 27001 Monitoring, Measurement, Analysis and Evaluation is a sub-clause of ISO 27001 Clause 9 Performance Evaluation, but we’re going to dedicate an entire tutorial to it.
You will learn
- What is ISO 27001 Monitoring, Measurement, Analysis and Evaluation
- How to implement ISO 27001 Monitoring, Measurement, Analysis and Evaluation
What is ISO 27001 Monitoring, Measurement, Analysis and Evaluation?
The information security management system (ISMS) is a living management system. As things change, so too must the ISMS. To ensure that the ISMS is operating effectively and meeting its intended outcomes we need to ensure that we
- are monitoring it for effectiveness
- measuring it which can include process and system measures
- analysing those measures
- and evaluating those measures in the context of ensuring the effectiveness of the ISMS.
In terms of the ISO 27001 standard this approach will be applied to both the Information Security Management System (ISMS) itself and to the ISO 27001 Annex A Controls.
The ISO 27001 Annex A Controls are the controls that we choose to mitigate the risks we have and to meet the needs of the business; they are documented within the ISO 27001 Statement of Applicability, the SOA.
How to implement ISO 27001 Monitoring, Measurement, Analysis and Evaluation
At first glance it is often not obvious what should be done, in particular when it comes to defining and implementing measures. Let me walk you through some common ways to implement this.
Watch
If you would rather watch than read, you can watch How to implement ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis and Evaluation.
Information Security Objectives
When it comes to the monitoring and measurement of the information security management system, the ISMS, you will remember that in previous guides and tutorials we have gone through how to identify our information security objectives – ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them.
You may remember the information security objectives spreadsheet that sets out what our information security objectives are. Within that we have already said what we are going to be monitoring and measuring, and how we are going to be evaluating our results.
So, the very basic way that we’re going to satisfy this for the ISMS is by regular monitoring and analysis against our objectives.
When we touched on that process we talked about where we review those objectives: they become part of our weekly security operational meetings, if we have those.
We definitely have management reviews at least monthly up until and including our first audit and ideally for the first year after audit. Our management reviews follow a structured agenda and meet a number of requirements and one of those requirements is that we are going to review the performance against the objectives. You can learn more in How to conduct an ISO 27001 Management Review Meeting.
We’re going to look at the things that we said that we were going to measure and monitor and we’re going to analyse that and make sure that our objectives are on track. So that is going to be the bare minimum that we’re going to do.
Internal Audit
For the information security management system we are also going to perform our internal audit. Now, internal audit is going to cover the processes as well, and that is touched on in the last sentence of this particular clause – the organisation shall evaluate the information security performance and the effectiveness of the management system.
We do that by conducting our ongoing internal audit. You can learn How to conduct an ISO 27001 Internal Audit.
Internal audit is the next ISO 27001 sub-clause, 9.2, and will be the next tutorial in the sequence – ISO 27001 Clause 9.2 Internal Audit – Ultimate Certification Guide.
So, we’re measuring our information security management system, we’re measuring its objectives, and we’re evaluating and analysing that.
We’re doing that as part of our management review and our management oversight.
We’re conducting our internal audits and we’re assessing and going through the performance of our management system.
That structured internal audit process will generate reports that feed into the management review, and it has its own sub-process, so please check that out.
The part where it becomes a little bit more tricky, and where I can only give you guidance, is the ISO 27001 Annex A Controls, because the ISO 27001 Annex A Controls are going to be business specific.
These are processes that you are writing. They are how you run and operate your business.
My guidance and my advice is this: every control is in effect a process or a series of processes, so let’s take it as a high-level logical step. If we have a process, that process will have an input, it will have an output, and it will be able to be measured and monitored.
Operational Security Dashboard
As part of your implementation you need to produce a security dashboard: an operational security dashboard. What that operational security dashboard is going to cover is the main metrics that you are measuring, at least on a monthly basis.
Now the kind of things that I see in operational security dashboards are the level of patching across devices, how many devices are patched, how many patches are outstanding. Speak to your IT teams and understand the metrics that you can get around patching.
The level of encryption on your devices: are devices encrypted, are they not encrypted, are there issues with encryption?
We’re going to be looking at things like malware, anti-malware technology, antivirus. What is the status of our antivirus on a monthly, ongoing basis?
What I normally see in there is measurement of support tickets that are information security related, and measurement and analysis of incidents on a monthly basis, which at least looks at the security incidents that you’ve had.
The kind of things that you can measure or monitor are the processes that you have.
The status of your training: you have a training programme, so how many people have completed it and how many are outstanding?
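To make the dashboard idea concrete, here is an added example (mine, not code from the original tutorial) that turns the raw outputs of those processes into the monthly metrics named above and analyses them against targets. The device records, staff training flags, incidents and ticket count are constructed sample data, and the target thresholds are assumptions chosen for the example rather than values from the standard; an organisation would set its own with the management review team.

```python
"""Added example: build and evaluate a monthly operational security dashboard.

All data is constructed for illustration; metric names and target thresholds
are assumptions, not values from ISO 27001 or from any real organisation.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Device:
    name: str
    patches_outstanding: int  # approved patches not yet installed
    encrypted: bool           # full-disk encryption enabled
    av_last_update: date      # when anti-malware signatures last updated


@dataclass
class Incident:
    ref: str
    severity: str             # "low" | "medium" | "high"
    closed: bool


# --- Constructed sample inputs for the May 2024 report (not real data) ---
REPORT_DATE = date(2024, 5, 31)

DEVICES = [
    Device("laptop-01", 0, True, date(2024, 5, 30)),
    Device("laptop-02", 3, True, date(2024, 5, 29)),
    Device("laptop-03", 0, False, date(2024, 5, 10)),  # stale AV, unencrypted
    Device("server-01", 0, True, date(2024, 5, 31)),
    Device("server-02", 1, True, date(2024, 5, 28)),
]

TRAINING_COMPLETED = [True] * 9 + [False]  # 10 staff, 9 completed

INCIDENTS = [
    Incident("INC-001", "high", True),
    Incident("INC-002", "low", True),
    Incident("INC-003", "medium", False),
]

SECURITY_TICKETS_RAISED = 7  # support tickets tagged "security" this month

# Assumed targets: (threshold, direction). "min" means value must be >=
# threshold, "max" means value must be <= threshold.
TARGETS: Dict[str, Tuple[float, str]] = {
    "patch_compliance_pct": (95.0, "min"),
    "encryption_pct": (100.0, "min"),
    "av_current_pct": (98.0, "min"),
    "training_completion_pct": (90.0, "min"),
    "open_high_incidents": (0, "max"),
}


def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def build_dashboard(devices: List[Device], training: List[bool],
                    incidents: List[Incident], tickets: int,
                    report_date: date, av_max_age_days: int = 7) -> Dict[str, float]:
    """Measure: compute the monthly metrics from the raw process outputs."""
    patched = sum(1 for d in devices if d.patches_outstanding == 0)
    encrypted = sum(1 for d in devices if d.encrypted)
    av_current = sum(1 for d in devices
                     if (report_date - d.av_last_update).days <= av_max_age_days)
    return {
        "patch_compliance_pct": pct(patched, len(devices)),
        "patches_outstanding_total": sum(d.patches_outstanding for d in devices),
        "encryption_pct": pct(encrypted, len(devices)),
        "av_current_pct": pct(av_current, len(devices)),
        "training_completion_pct": pct(sum(training), len(training)),
        "incidents_total": len(incidents),
        "open_high_incidents": sum(1 for i in incidents
                                   if i.severity == "high" and not i.closed),
        "security_tickets": tickets,
    }


def evaluate(metrics: Dict[str, float],
             targets: Dict[str, Tuple[float, str]]) -> Dict[str, str]:
    """Analyse: mark each targeted metric 'on track' or 'action required'."""
    status = {}
    for name, (threshold, direction) in targets.items():
        value = metrics[name]
        ok = value >= threshold if direction == "min" else value <= threshold
        status[name] = "on track" if ok else "action required"
    return status


def management_review_lines(metrics: Dict[str, float],
                            status: Dict[str, str]) -> List[str]:
    """Report: lines to file alongside the management review minutes."""
    lines = [f"Operational security dashboard, {REPORT_DATE.isoformat()}"]
    for name, value in metrics.items():
        lines.append(f"  {name:<26} {value:>8} {status.get(name, '')}")
    return lines


if __name__ == "__main__":
    m = build_dashboard(DEVICES, TRAINING_COMPLETED, INCIDENTS,
                        SECURITY_TICKETS_RAISED, REPORT_DATE)
    print("\n".join(management_review_lines(m, evaluate(m, TARGETS))))
```

Each metric that comes out as "action required" is the trigger for the continual improvement process or a risk register update described later in this tutorial; the printed lines are the documented evidence to keep with the management review minutes.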
So, what I’m going to leave you with on that aspect is this: as you are developing and documenting your processes for your ISO 27001 Annex A Controls, think about what the process does, whether or not you can measure it, and what kind of report you can generate off the back of it that will provide value. As a minimum, share those results with the management review team.
Now, the bigger you are the more complex that’s going to be. In a smaller organisation it’s going to be relatively straightforward and the report is going to be quite simple. The process is: you share it with the management review team, probably with some level of recommendation that goes with it. If action is required off the back of that, you then follow your continual improvement process to implement it, or you update your risk register, because what you’ve identified through analysing these processes is that a risk has materialised: something has gone wrong and something isn’t operating.
There are tutorials on continual improvement – ISO 27001 Continual Improvement Explained – and there are tutorials on risk management.
Implementation Summary
The principle here is
- write a process,
- document the process,
- understand what the process can measure,
- measure it,
- report that to the management review team,
and you are going to be golden.
Documented information should be available as evidence of the results, so keep those reports. When it comes to the audit, the auditor is going to want to see that you’ve got them.
The simplest way of doing that is to have a copy of that report alongside the minutes of your management review meeting within your folder structure so you can say
- here is the management review meeting,
- here are the minutes of that meeting,
- here is where that report was discussed,
- this is what was discussed about that report
- and here is a copy of that report.
That is the simplest and easiest way for you to satisfy that part of this particular ISO 27001 clause.
Conclusion
So, monitoring, measurement, analysis and evaluation – it can be as hard or as easy as you want it to be, but we want to make sure that things are working, we want to put in place near-real-time reports of things as they occur, and then we want to be doing our performance review through our internal audit, which we’re going to look at next, to make sure that everything is operating effectively.
My name is Stuart Barker. I am the ISO 27001 Ninja. That was ISO 27001 Clause 9.1 monitoring measurement analysis and evaluation and until the next tutorial, peas out.