{"id":4350,"date":"2015-06-08T23:34:43","date_gmt":"2015-06-08T23:34:43","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/015\/06\/08\/how-to-perform-monitoring-and-measurement-in-iso-27001\/"},"modified":"2025-07-10T16:48:44","modified_gmt":"2025-07-10T16:48:44","slug":"how-to-perform-monitoring-and-measurement-in-iso-27001","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2015\/06\/08\/how-to-perform-monitoring-and-measurement-in-iso-27001\/","title":{"rendered":"How to perform monitoring and measurement in ISO 27001"},"content":{"rendered":"<p>Performance monitoring and measurement are key actions in the maintenance and improvement of any system. (See this article for more information: <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2015\/04\/13\/achieving-continual-improvement-through-the-use-of-maturity-models\/\" rel=\"noopener noreferrer\" target=\"_blank\" title=\"Achieving continual improvement through the use of maturity models\">Achieving continual improvement through the use of maturity models<\/a>.) 
<a href=\"https:\/\/advisera.com\/27001academy\/what-is-iso-27001\/\" rel=\"noopener noreferrer\" target=\"_blank\" title=\"ISO 27001\">ISO 27001<\/a>\u00a0recognizes their importance in clause 9.1 (Monitoring, measurement, analysis and evaluation), defining requirements to be observed when implementing such practices.<\/p>\n<p>This article will present some tips about making monitoring and measurement useful to your business while complying with the standard.<\/p>\n<h2>Differences between monitoring and measurement<\/h2>\n<p>When you do monitoring, you are watching something, usually devices and applications, with the purpose of being aware of its state; e.g., is it on or off, moving or stationary, processing quickly or slowly, etc.<\/p>\n<p>On the other hand, when you do measurement, you are assigning a value to something based on predefined dimensions and units, e.g., processed data in registers per second, session duration in minutes, or datacenter room temperature in degrees Celsius (\u00b0C) or Fahrenheit (\u00b0F).<\/p>\n<p>While monitoring is less complex (watch and detect) and can provide a quicker alert when things become different than expected, the complexity of measurement (value, dimension, and unit) can provide more detailed information about the situation and how things should be handled.<\/p>\n<h2>Why do I need them?<\/h2>\n<p>In general, you do monitoring and measurement for at least one of these reasons:<\/p>\n<ul>\n<li>To validate previous decisions: <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=management-review-minutes\" rel=\"noopener noreferrer\" target=\"_blank\" title=\"Management review\">Management review<\/a>\u00a0decision follow-ups are examples for this case, since you must provide evidence 
that actions you implemented were effective.<\/li>\n<li>To set direction for activities in order to meet set targets: Planning <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=backup-policy\" rel=\"noopener noreferrer\" target=\"_blank\">backup<\/a>\u00a0activities is a good example, since these data can be used to choose between multiple alternatives (full, incremental, or differential backup, or a combination of these). For more information, please see this article: <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2012\/04\/10\/iso-27001-control-objectives-why-are-they-important\/\" rel=\"noopener noreferrer\" target=\"_blank\" title=\"ISO 27001 control objectives \u2013 Why are they important?\">ISO 27001 control objectives \u2013 Why are they important?<\/a><\/li>\n<li>To present factual evidence to justify a required course of action: Business cases for updating a firewall or implementing <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=information-security-controls&amp;doc=policy-on-the-use-of-encryption\" rel=\"noopener noreferrer\" target=\"_blank\">cryptography<\/a>\u00a0require strong and consistent data to sell an idea to management and interested parties.<\/li>\n<li>To identify a point of intervention and subsequent changes and <a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-documentation-toolkit\/?rel=management-system&amp;doc=corrective-action-form\" rel=\"noopener noreferrer\" target=\"_blank\">corrective actions<\/a>: Cause analysis in an access control process problem is a good example of the use of monitoring and measurement data for this reason.<\/li>\n<\/ul>\n<h2>ISO 27001 requirements<\/h2>\n<p>Clause 9.1 of ISO 27001 establishes two aspects to be monitored and measured: information security performance and ISMS effectiveness.<\/p>\n<p>The basic difference between them is that while information security performance 
deals individually with security results viewed as relevant to the organization (e.g., information availability, event response time, protection costs, etc.), the ISMS effectiveness shows you how the interaction between these individual security results affects security as a whole, including compliance with the standard. For example, you can have good information availability and response time to incidents, but if these results demand high protection costs, in a general view, the security results may not be so good.<\/p>\n<p>Therefore, without proper monitoring and measurement, you can end up with good individual security results that don\u2019t add business value, or that don\u2019t comply with the standard\u2019s requirements and demand undesired adjustment efforts, or both.<\/p>\n<p>To help prevent these situations, clause 9.1 of ISO 27001 establishes some items that must be set to ensure proper monitoring and measurement:<\/p>\n<ol>\n<li><strong>What needs to be monitored \/ measured<\/strong>: First, identify all business results and processes that can be affected by variations in information security performance, including the information security controls and processes themselves, and mandatory requirements like laws, regulations, and contractual obligations. E-commerce systems\u2019 availability, accounting data integrity, and special access rights review are good examples.<\/li>\n<li><strong>Which methods may be used for monitoring \/ measurement<\/strong>: Here you can choose any method you are comfortable with (e.g., manual, mechanical, by software, etc.). The critical criterion is that the chosen method must be verifiable (capable of producing comparable and repeatable results).<\/li>\n<li><strong>When monitoring \/ measurement must be done<\/strong>: Different needs require different monitoring \/ measurement times, and you must consider this, including periodicity. 
For example, an application can have monitoring \/ measurement points at data input, during data processing, or at data output. Restricted internal-use applications may be monitored \/ measured at longer intervals than Internet-facing applications.<\/li>\n<li><strong>When monitoring \/ measurement results must be analyzed and evaluated<\/strong>: To add value to the business, the monitoring \/ measurement results must be considered in decisions and actions at the proper times. Considering them too soon or too late may result in unnecessary effort, wasted resources, or loss of opportunities.<\/li>\n<li><strong>Who must analyze and evaluate monitoring \/ measurement results<\/strong>: As important as <em>when<\/em> the data is analyzed \/ evaluated is <em>who<\/em> does this. In general, the operational level should perform analysis (e.g., technicians and administrators), while management staff performs evaluations.<\/li>\n<\/ol>\n<p>Additionally, there is a specific requirement related to preservation of evidence of monitoring and measurement results, to fulfill the standard\u2019s clause 7.5 (documented information). Control charts, checklists, and analysis reports reviewed by management are good examples of proper documentation to be preserved. Besides ensuring compliance with the standard, by doing that you are also building a monitoring \/ measurement history that can help you better track the organization\u2019s results, as well as learn from past problems.<\/p>\n<h2>Achieve better results through good monitoring and measurement<\/h2>\n<p>Change is the only constant in life, so your organization should be prepared for it. Monitor closely what has the most impact on your results, and measure what can bring you the most advantage in avoiding threats and seizing opportunities. 
Your results will benefit.<\/p>\n<p><em>To see all the necessary tasks for ISMS implementation and maintenance, and learn how to comply with ISO 27001 with less bureaucracy,\u00a0<\/em><a href=\"https:\/\/advisera.com\/conformio\/\" rel=\"noopener noreferrer\" target=\"_blank\">sign up for a 14-day free trial<\/a><em> of Conformio, the leading ISO 27001 compliance software.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Performance monitoring and measurement are key actions in the maintenance and improvement of any system. (See this article for more information: Achieving continual improvement through the use of maturity models.) ISO 27001\u00a0recognizes their importance in clause 9.1 (Monitoring, measurement, analysis and evaluation), defining requirements to be observed when implementing such practices. This article will present &#8230;<\/p>\n","protected":false},"author":41,"featured_media":92472,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[191,223,235,381,387],"class_list":["post-4350","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-process","tag-monitoring","tag-measurement","tag-iso-27001","tag-control"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4350"}],"version-history":[{"count":1,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4350\/revisions"}],"predecessor-version":[{"id":10
4370,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4350\/revisions\/104370"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/92472"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}