Continual Improvement For ISO 27001 Requirement 10.2

What is covered under ISO 27001 Clause 10.2? 

A large part of running an information security management system is to see it as a living and breathing system.  Organisations that take improvement seriously will be assessing, testing, reviewing and measuring the performance of the ISMS as part of the broader business led strategy, going beyond a ‘tick box’ regime.

There are several mechanisms already covered within ISO 27001 for the continual evaluation and improvement of the ISMS including:

• 6.1 risk assessment and treatment – ongoing 
• 6.2 objectives monitoring, measurement and evaluation – ongoing
• 9.2 Internal audits – ongoing
• 9.3 management reviews – ongoing
• 10.1 nonconformities and corrective actions – ongoing
• Annex A 5 – reviews of policies – ongoing 
• Annex A 7 – human resource engagement and awareness 
• Annex A 16 – security incidents, events and weaknesses – ongoing
• Annex A 18– compliance reviews – ongoing
• General external audits (eg for UKAS certification by ISO certified bodies) 

Most of these above will typically happen without needing to be put on an improvement list per se (so be clear about that in the policy) and can be demonstrated as part of the continual improvement of taking the ISMS operation seriously.

Improvements can also come from many other places and it is to be encouraged that they get documented within the ISMS improvement process.  These include:

• Customers requests or concerns 
• Trending data from other operational systems 
• Other observations e.g. from suppliers or other interested parties

It is also useful to determine what is not an improvement in the information security management system.  For example in running a service desk that receives product questions it would be painful to treat every ticket as an opportunity for improvement, whereas repeated issues might be a nonconformity or a general area for improvement – so make sure that it is clear what is and what isn’t considered.

How to demonstrate the organisation is continually improving the suitability, adequacy, and effectiveness of the ISMS

This is a great example of how the ISMS.online solution brings everything together so there is no need to duplicate effort. Simply reiterate the work that is going on in the wider system, joining it up holistically and through the powerful linking feature.

ISMS.online comes with a Policy for 10.2 to adopt and the toolset integrated with 10.1 requirements, and includes links to the ISMS areas that quickly demonstrate continual improvement is effectively practiced and managed.