Performance Evaluation (9.0)

9.1 - Monitoring, Measurement, Analysis and Evaluation

The organisation shall evaluate the information security performance and the effectiveness of the ISMS.

The organisation shall determine:

  • What needs to be monitored and measured, including information security processes and controls.

Broadly, "controls" here refers to the Annex A controls, and "processes" refers to the requirements of clauses 4 to 10.

  • The methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results.

NOTE: The methods selected should produce comparable and reproducible results to be considered valid.

  • When the monitoring and measuring shall be performed.
  • Who shall monitor and measure
  • When the results from the monitoring and measurement shall be analysed and evaluated, and
  • Who shall analyse and evaluate these results.

The organisation shall retain appropriate documented information as evidence of the monitoring and measurement results.

9.2 - Internal Audit

The organisation shall conduct internal audits at planned intervals to provide information on whether the ISMS:

  • Conforms to
    • The organisation's own requirements for its ISMS, and
    • The requirements of this International Standard.
  • Is effectively implemented and maintained

The organisation shall:

  • Plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits.
  • Define the audit criteria and scope for each audit
  • Select auditors and conduct audits that ensure objectivity and the impartiality of the audit process
  • Ensure that the results of the audits are reported to the relevant management
  • Retain documented information as evidence of the audit programme(s) and the audit results

9.3 - Management Review

Top management shall review the organisation's ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

  • The status of actions from previous management reviews
  • Changes in external and internal issues that are relevant to the ISMS.
  • Feedback on the information security performance, including trends in
    • Nonconformities and corrective actions
    • Monitoring and measurement results
    • Audit results, and
    • Fulfilment of information security objectives.
  • Feedback from interested parties
  • Results of risk assessment and status of risk treatment plan, and
  • Opportunities for continual improvement.

The outputs of the management review shall include decisions related to the continual improvement opportunities and any needs for changes to the ISMS.

The organisation shall retain documented information as evidence of the results of management reviews.
