How to perform monitoring and measurement in ISO 27001
Performance monitoring and measurement are key actions in the maintenance and improvement of any system. (See this article for more information: Achieving continual improvement through the use of maturity models.) ISO 27001 recognizes their importance in clause 9.1 (Monitoring, measurement, analysis and evaluation), defining requirements to be observed when implementing such practices.
This article will present some tips about making monitoring and measurement useful to your business while complying with the standard.
Differences between monitoring and measurement
When you do monitoring, you are watching something, usually devices and applications, with the purpose of being aware of its state; e.g., is it on or off, moving or stationary, processing quickly or slowly, etc.
On the other hand, when you do measurement, you are assigning value to something based on predefined dimensions and units, e.g., processed data in registers per second, session duration in minutes, or datacenter room temperature in degrees Celsius (°C) or Fahrenheit (°F).
While monitoring is less complex (watch and detect) and can provide a quicker alert when things become different than expected, the complexity of measurement (value, dimension, and unit) can provide more detailed information about the situation and how things should be handled.
Why do I need them?
In general, you do monitoring and measurement for at least one of these reasons:
- To validate previous decisions: Management review decision follow ups are examples for this case, since you must provide evidence that actions you implemented were effective.
- To set direction for activities in order to meet set targets: Planning backup activities is a good example, since these data can be used to choose between multiple alternatives (full, incremental, or differential backup, or a combination of these). For more information, please see this article: ISO 27001 control objectives – Why are they important?
- To present factual evidence to justify a required course of action: Business cases for updating a firewall or implementing cryptography require strong and consistent data to sell an idea to management and interested parties.
- To identify a point of intervention and subsequent changes and corrective actions: Cause analysis in an access control process problem is a good example of the use of monitoring and measurement data for this reason.
ISO 27001 requirements
Clause 9.1 of ISO 27001 establishes two aspects to be monitored and measured: information security performance and ISMS effectiveness.
The basic difference between them is that while information security performance deals individually with security results viewed as relevant to the organization (e.g., information availability, event response time, protection costs, etc.), the ISMS effectiveness shows you how the interaction between these individual security results affects security as a whole, including compliance with the standard. For example, you can have good information availability and response time to incidents, but if these results demand high protection costs, in a general view, the security results may not be so good.
Therefore, without proper monitoring and measurement, you can finish with good individual security results that don’t add business value, or that don’t comply with the standard´s requirements and demand undesired adjustment efforts, or both.
To help prevent these situations, clause 9.1 of ISO 27001 establishes some items that must be set to ensure proper monitoring and measurement:
- What needs to be monitored / measured: First, identify all business results and processes that can be affected by variations on information security performance, including the information security controls and processes themselves, and mandatory requirements like laws, regulations, and contractual obligations. E-commerce systems’ availability, accounting data integrity, and special access rights review are good examples.
- Which methods may be used for monitoring / measurement: Here you can choose any method you are comfortable with (e.g., manual, mechanical, by software, etc.). The critical criterion is that the chosen method must be verifiable (capable of producing comparable and repeatable results).
- When monitoring / measurement must be done: Different needs require different monitoring / measurement times and you must consider this, including periodicity. For example, an application can have monitoring / measurement points at data input, during data processing, or at data output. Restricted internal use applications may be monitored / measured in periodicities longer than Internet-oriented applications.
- When monitoring / measurement results must be analyzed and evaluated: To add value to the business, the monitoring / measurement results must be considered on decisions and actions at proper times. Considering them too soon or too late may result in unnecessary effort, wasted resources, or loss of opportunities.
- Who must analyze and evaluate monitoring / measurement results: As important as when the data is analyzed / evaluated is who does this. In general, the operational level should perform analysis (e.g., technicians and administrators), while management staff performs evaluations.
Additionally, there is a specific requirement related to preservation of evidence of monitoring and measurement results, to fulfill the standard’s clause 7.5 (documented information). Control charts, checklists, and analysis reports reviewed by management are good examples of proper documentation to be preserved. Besides ensuring compliance with the standard, by doing that you are also building a monitoring / measurement history that can help you better track the organization’s results, as well as learn from past problems.
Achieve better results through good monitoring and measurement
Change is the only constant in life, so your organization should be prepared for it. Monitor closely what has more impact on your results, and measure what can bring you more advantages in avoiding threats and seizing opportunities. Your results will benefit.
For more information about how to set objectives, and which documents and techniques to use for measurement, see this free webinar ISO 27001 and ISO 27004: How to measure the effectiveness of information security?