What is covered under ISO 27001 Clause 10.2?
A large part of running an information security management system is to see it as a living and breathing system. Organisations that take improvement seriously will be assessing, testing, reviewing and measuring the performance of the ISMS as part of the broader business-led strategy, going beyond a ‘tick box’ regime.
There are several mechanisms already covered within ISO 27001 for the continual evaluation and improvement of the ISMS including:
- 6.1 Risk assessment and treatment – ongoing
- 6.2 Information security objectives, with their monitoring, measurement and evaluation – ongoing
- 9.2 Internal audits – ongoing
- 9.3 Management reviews – ongoing
- 10.1 Nonconformities and corrective actions – ongoing
- Annex A.5 Reviews of information security policies – ongoing
- Annex A.7 Human resource security, engagement and awareness – ongoing
- Annex A.16 Information security incidents, events and weaknesses – ongoing
- Annex A.18 Compliance reviews – ongoing
- External audits (e.g. certification audits carried out by a UKAS-accredited certification body)
Most of the above happen as a matter of course and do not need to be placed on a separate improvement list (state this clearly in the policy); the records they produce are themselves evidence of continual improvement and of an ISMS that is operated seriously.
Improvements can also come from many other sources, and these should be encouraged and documented within the ISMS improvement process. They include:
- Customer requests or concerns
- Trending data from other operational systems
- Other observations e.g. from suppliers or other interested parties
It is also useful to define what is not an improvement to the information security management system. For example, a service desk that receives product questions would find it painful to treat every ticket as an opportunity for improvement, whereas a repeated issue may well be a nonconformity or a general area for improvement. Make sure it is clear what is and what is not considered an improvement.
How to demonstrate the organisation is continually improving the suitability, adequacy, and effectiveness of the ISMS
This is a good example of how the ISMS.online solution brings everything together so that effort is not duplicated. Rather than re-documenting it, simply reference the work already going on in the wider system and join it up through the linking feature.
ISMS.online comes with a policy for 10.2 ready to adopt, a toolset integrated with the 10.1 requirements, and links into the ISMS areas that quickly demonstrate that continual improvement is practised and managed effectively.
How to easily demonstrate 10.2 Continual Improvement
The ISMS.online platform makes it easy for you to continually improve the suitability, adequacy and effectiveness of the information security management system.
- Step 1 : Adopt, adapt and add
- Step 2 : Demonstrate to your auditors
- Step 3 : A time-saving path to certification
- Step 4 : Extra support whenever you need it
Step 1 : Adopt, adapt and add
- Regular management reviews (9.3)
- Internal audits (9.2), including ISMS scope and specific policy reviews
- Corrective actions (10.1)
Evidence of continual improvement is documented in the Corrective Actions and Improvements Track and the respective audit and incident management areas.
You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.
This gives you a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, with a 77% head start.
Step 2 : Demonstrate to your auditors
Step 3 : A time-saving path to certification
Requirement 10.2 is part of the third section that ARM will guide you through: once the foundations of your ISMS have been laid and the Annex A controls have been described, you detail how you comply with the remaining core requirements.
Step 4 : Extra support whenever you need it
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
About ISO 27001
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement