
ISO 27001 clause 9.1 Monitoring, measurement, analysis and evaluation

The basics

ISO 27001 sub-clause 9.1 is called “Monitoring, measurement, analysis and evaluation” — it requires establishing and evaluating performance metrics for the effectiveness and efficiency of the processes, procedures, and functions that protect information, and also defining metrics for the performance of the ISMS itself.

Documentation

ISO 27001 clause 9.1 Monitoring, measurement, analysis and evaluation does not prescribe a specific mandatory document.

The following document is optional, and companies can decide whether to write it:

  • Procedure for measurement and monitoring

Implementation

To comply with clause 9.1 Monitoring, measurement, analysis and evaluation, a company must set up these activities by following these steps:

  1. Define what needs to be monitored and measured – mainly, the controls and the security processes are what is measured. For example, the incident management process in a company can be monitored, and a measurement of the effectiveness of incident management can be the average time for resolving incidents.
  2. Define the methods for monitoring, measurement, analysis, and evaluation so that suitable results are obtained – for example, one method for monitoring could be generating a report from the incident management software that gives an overview of all of the incidents and relevant details, and a method for measuring could be generating reports with numerical and statistical information related to the incidents.
  3. Define the frequency and timing of the monitoring and measuring – for example, the monitoring of the incidents is done in real time, and reports with detailed measurements can be generated weekly.
  4. Define the persons responsible for conducting the monitoring and the corresponding measurements – this can be, for example, the system administrator as the person responsible for dealing with IT-related incidents.
  5. Define when the results will be analyzed and evaluated, and who will be responsible for that – detailed analyses of the weekly reports may be conducted weekly by the Chief Information Security Officer, and the evaluations can be conducted during the regular monthly meeting.
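The five steps above describe one measurement end to end: the metric (average incident resolution time), the method (a numerical report), the frequency (weekly) and the evaluation (against a target). The following Python script is an added example, not part of the original page, showing how such a measurement can be produced in a comparable and reproducible way from an incident log. The incident records, the field names and the 16-hour target are constructed for illustration and are not taken from any standard or product.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

# Hypothetical incident record as it might be exported from an
# incident management tool (field names are assumptions).
@dataclass(frozen=True)
class Incident:
    incident_id: str
    opened: datetime
    resolved: Optional[datetime]  # None while the incident is still open

# Constructed sample log: two incidents in ISO week 10 of 2024,
# two resolved and one still open in ISO week 11.
INCIDENTS: List[Incident] = [
    Incident("INC-001", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 13, 0)),   # 4 h
    Incident("INC-002", datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 6, 10, 0)),  # 24 h
    Incident("INC-003", datetime(2024, 3, 12, 8, 0), datetime(2024, 3, 12, 10, 0)), # 2 h
    Incident("INC-004", datetime(2024, 3, 13, 8, 0), datetime(2024, 3, 15, 8, 0)),  # 48 h
    Incident("INC-005", datetime(2024, 3, 14, 8, 0), None),                          # open
]

def resolution_hours(inc: Incident) -> Optional[float]:
    """Hours from opening to resolution, or None if still open.

    A resolution timestamp before the opening timestamp is a data
    quality problem: rejecting it keeps the metric valid rather than
    silently producing a negative duration.
    """
    if inc.resolved is None:
        return None
    if inc.resolved < inc.opened:
        raise ValueError(f"{inc.incident_id}: resolved before opened")
    return (inc.resolved - inc.opened).total_seconds() / 3600

def weekly_report(incidents: List[Incident]) -> Dict[str, dict]:
    """Group incidents by the ISO week they were opened in and compute
    the average resolution time of the incidents resolved in each week.

    Open incidents are counted separately so they do not distort the
    average, which keeps week-to-week figures comparable.
    """
    buckets: Dict[str, dict] = {}
    for inc in incidents:
        year, week, _ = inc.opened.isocalendar()
        label = f"{year}-W{week:02d}"
        bucket = buckets.setdefault(label, {"hours": [], "open": 0})
        hours = resolution_hours(inc)
        if hours is None:
            bucket["open"] += 1
        else:
            bucket["hours"].append(hours)
    return {
        label: {
            "resolved": len(b["hours"]),
            "open": b["open"],
            "avg_hours": round(mean(b["hours"]), 2) if b["hours"] else None,
        }
        for label, b in sorted(buckets.items())
    }

def evaluate(report: Dict[str, dict], target_hours: float) -> Dict[str, bool]:
    """Evaluation step: does each week meet the resolution-time target?

    A week with no resolved incidents cannot be evaluated and is marked
    False so that it surfaces for review rather than passing by default.
    """
    return {
        label: (row["avg_hours"] is not None and row["avg_hours"] <= target_hours)
        for label, row in report.items()
    }

if __name__ == "__main__":
    report = weekly_report(INCIDENTS)
    verdict = evaluate(report, target_hours=16.0)  # assumed target
    for label, row in report.items():
        status = "meets target" if verdict[label] else "MISSES target"
        print(f"{label}: {row['resolved']} resolved, {row['open']} open, "
              f"avg {row['avg_hours']} h -> {status}")
```

The script produces the same figures for the same input every time and records how open incidents and malformed records are handled, which is exactly what an auditor means by comparable, reproducible and valid results under step 2. Saving the printed report each week provides the documented results asked for in the audit evidence section.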

Audit evidence

During the audit, an auditor might ask for the following evidence regarding ISO 27001 clause 9.1 Monitoring, measurement, analysis and evaluation:

  1. Whether you have a document in which you have written what needs to be monitored and measured.
  2. Whether the methods for monitoring, measurement, analysis, and evaluation ensure comparable, reproducible, and valid results.
  3. Whether monitoring, measuring, analysis, and evaluation are performed at planned intervals.
  4. Whether the personnel responsible for monitoring, measuring, analysis, and evaluation are defined.
  5. Whether you have documents in which you have recorded the achieved results.

These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.