Hello! My name is Stuart Barker. I am the ISO27001 Ninja and this is ISO27001 Clause 9.1 Monitoring, Measurement, Analysis and Evaluation.  

Now, this is a sub-clause of ISO27001 Clause 9 Performance Evaluation, but we’re going to dedicate an entire tutorial to it.

In this tutorial I’m going to show you what it is and then I’m going to give you the tips and the steps that you need to follow to be successful when it comes to your ISO27001 certification.




So, let’s start off by understanding what it is that’s expected of us and then we can work out what it is that we need to do by reading what it is that the standard actually says.

So, ISO27001 Clause 9.1 Monitoring, Measurement, Analysis and Evaluation. The organisation shall determine:

  • what needs to be monitored and measured, including information security processes and controls;
  • the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid;
  • when the monitoring and measuring shall be performed;
  • who shall monitor and measure;
  • when the results from monitoring and measurement shall be analysed and evaluated;
  • who shall analyse and evaluate the results.

Documented information shall be available as evidence of the results.

The organisation shall evaluate the information security performance and the effectiveness of the information security management system.



Implementation Guide

So, what we’re looking at here is monitoring, measurement, analysis and evaluation. As with everything, there are two parts to this.

There’s the information security management system (ISMS) itself and then there are the ISO27001 Annex A Controls.

The ISO27001 Annex A Controls are the controls that we choose to mitigate the risks that we have and to meet the needs of the business, and they’re documented within the ISO27001 Statement of Applicability, the SOA.

Information Security Objectives

When it comes to the monitoring and measurement of the information security management system, the ISMS, you will remember that in previous guides and tutorials we went through how to identify our information security objectives – ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them.

You may remember the information security objectives spreadsheet that sets out what our information security objectives are, and you will remember that within it we have said what it is we are going to be monitoring and measuring and how we are going to be evaluating our results.


So, the very basic way that we’re going to satisfy this for the ISMS is by regular monitoring and analysis against our objectives.

When we touched on that process we talked about where we review those objectives: they become part of our weekly security operational meetings, if we have those.

We definitely have management reviews at least monthly up until and including our first audit and ideally for the first year after audit. Our management reviews follow a structured agenda and meet a number of requirements and one of those requirements is that we are going to review the performance against the objectives. You can learn more in How to conduct an ISO 27001 Management Review Meeting.

We’re going to look at the things that we said that we were going to measure and monitor and we’re going to analyse that and make sure that our objectives are on track. So that is going to be the bare minimum that we’re going to do.

Internal Audit

For the information security management system we are also going to perform our internal audit. Now, internal audit is going to cover the processes as well, and that is touched on in the last sentence of this particular clause – the organisation shall evaluate the information security performance and the effectiveness of the management system.

We do that by conducting our ongoing internal audit. You can learn How to conduct an ISO27001 Internal Audit.

Internal audit is the next ISO27001 sub-clause, 9.2, and will be the next tutorial in the sequence – ISO 27001 Clause 9.2 Internal Audit – Ultimate Certification Guide.

So, we’re measuring our information security management system, we’re measuring its objectives, and we’re evaluating and analysing that.

We’re doing that as part of our management review and our management oversight.

We’re conducting our internal audits and we’re assessing and going through the performance of our management system.

That structured internal audit process will generate reports that are fed to the management system, and it has its own subprocess, so please check that out.

The part where it becomes a little bit more tricky, and here I can only give you guidance, is when it comes to the ISO27001 Annex A Controls, because the ISO27001 Annex A Controls are going to be business specific.

These are processes that you are writing. They are how you run and operate your business.

My guidance and my advice is that every control is in effect a process or a series of processes, but let’s take it as a high-level logical step. If we have a process, that process will have an input, it will have an output, and it will be able to be measured and monitored.

Operational Security Dashboard

As part of your implementation you need to generate a security dashboard, an operational security dashboard. What that operational security dashboard is going to cover is the main metrics that you are measuring, at least on a monthly basis.

Now the kind of things that I see in operational security dashboards are the level of patching across devices, how many devices are patched, how many patches are outstanding. Speak to your IT teams and understand the metrics that you can get around patching.

The level of encryption that is on your devices: are devices encrypted, are they not encrypted, are there issues with encryption?

We’re going to be looking at things like malware, anti-malware technology and antivirus. What is the status of our antivirus on a monthly, ongoing basis?

What I normally see in there are tickets: measurement of support tickets that are information security related. Measurement and analysis of incidents, on a monthly basis at least, that looks at the security incidents that you’ve had.

The kind of things that you can measure or monitor are the processes that you have.

The status of your training: you have a training program, so how many people have completed it? How many are outstanding? How many haven’t completed it?

So, what I’m going to leave you with in that respect is this: as you are developing and documenting your processes for your ISO27001 Annex A Controls, think about what the process does, whether or not you can measure it, and what kind of report you can generate off the back of it that will provide value, and as a minimum share those results with the management review team.

Now, the bigger you are, the more complex that’s going to be. In a smaller organisation it’s going to be relatively straightforward. The report is going to be quite simplistic. The process is that you’re going to share it with the management review team. Probably you’re going to have some level of recommendation that goes with it if you require action off the back of that. You’re then either following your continual improvement process to implement that improvement, or you’re going to update your risk register, because what you’ve identified through analysing these processes and what’s going on is that a risk has occurred because something has gone wrong and something isn’t operating.

There are tutorials on continual improvement (ISO 27001 Continual Improvement Explained) and there are tutorials on risk management.

Implementation Summary

The principle here is

  • write a process,
  • document the process,
  • understand what the process can measure,
  • measure it,
  • report that to the management review team

and you are going to be golden.

Documented information should be available as evidence of the results, so keep those reports. When it comes to the audit, the auditor is going to want to see that you’ve got them.

The simplest way of doing that is to have a copy of that report alongside the minutes of your management review meeting within your folder structure so you can say

  • here is the management review meeting,
  • here are the minutes of that meeting,
  • here is where that report was discussed,
  • this is what was discussed about that report
  • and here is a copy of that report.

That is the simplest and easiest way for you to satisfy that part of this particular ISO27001 clause.


So, monitoring, measurement, analysis and evaluation – it can be as hard or as easy as you want it to be, but we want to make sure that things are working, we want to put in almost real-time reports of things that are occurring as they occur, and then we want to be doing our performance review through our internal audit, which we’re going to look at next, to make sure that everything is operating effectively.

My name is Stuart Barker. I am the ISO27001 Ninja. That was ISO27001 Clause 9.1 Monitoring, Measurement, Analysis and Evaluation and, until the next tutorial, peace out.