What is covered under ISO 27001 Clause 10.2?
A large part of running an information security management system is to see it as a living and breathing system. Organisations that take improvement seriously will be assessing, testing, reviewing and measuring the performance of the ISMS as part of the broader business-led strategy, going beyond a ‘tick box’ regime.
There are several mechanisms already covered within ISO 27001 for the continual evaluation and improvement of the ISMS including:
- 6.1 risk assessment and treatment – ongoing
- 6.2 objectives monitoring, measurement and evaluation – ongoing
- 9.2 Internal audits – ongoing
- 9.3 management reviews – ongoing
- 10.1 nonconformities and corrective actions – ongoing
- Annex A 5 – reviews of policies – ongoing
- Annex A 7 – human resource engagement and awareness
- Annex A 16 – security incidents, events and weaknesses – ongoing
- Annex A 18– compliance reviews – ongoing
- General external audits (eg for UKAS certification by ISO certified bodies)
Most of these above will typically happen without needing to be put on an improvement list per se (so be clear about that in the policy) and can be demonstrated as part of the continual improvement of taking the ISMS operation seriously.
Improvements can also come from many other places and it is to be encouraged that they get documented within the ISMS improvement process. These include:
- Customers requests or concerns
- Trending data from other operational systems
- Other observations e.g. from suppliers or other interested parties
It is also useful to determine what is not an improvement in the information security management system. For example in running a service desk that receives product questions it would be painful to treat every ticket as an opportunity for improvement, whereas repeated issues might be a nonconformity or a general area for improvement – so make sure that it is clear what is and what isn’t considered.
How to demonstrate the organisation is continually improving the suitability, adequacy, and effectiveness of the ISMS
This is a great example of how the ISMS.online solution brings everything together so there is no need to duplicate effort. Simply reiterate the work that is going on in the wider system, joining it up holistically and through the powerful linking feature.
ISMS.online comes with a Policy for 10.2 to adopt and the toolset integrated with 10.1 requirements, and includes links to the ISMS areas that quickly demonstrate continual improvement is effectively practiced and managed.
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
About ISO 27001
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement