ISO 27001 Clause 9

ISO 27001 clause 9: Performance evaluation

ISO 27001 clause 9 is called “Performance evaluation” — this clause defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.

This clause matters because it defines how an organization must determine whether its ISMS is actually performing as intended, rather than assuming that the controls it implemented are working.

Clause 9 has three sub-clauses:

  • Clause 9.1 — Monitoring, measurement, analysis and evaluation — it requires the organization to determine what needs to be monitored and measured (including the information security processes and controls that protect information), to define the methods, timing and responsibilities for doing so, and to evaluate both information security performance and the effectiveness of the ISMS itself.
  • Clause 9.2 — Internal audit — it requires that internal audits are performed at planned intervals to assess whether the ISMS is effectively implemented and maintained, and whether it conforms both to ISO 27001 and to the organization’s own policies, procedures and other requirements.
  • Clause 9.3 — Management review — it requires top management to review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness in supporting the information security objectives.