What is covered under ISO 27001 Clause 9.1?
ISO 27001 clause 9.1 requires organisations to evaluate how the ISMS is performing and to assess the effectiveness of the information security management system.
If the organisation is seeking certification for ISO 27001, the independent auditor from a certification body accredited by UKAS (or a similar accreditation body internationally for ISO certification) will be looking closely at the following areas:
- what it has decided to monitor and measure, not just the objectives but the processes and controls as well
- how it will ensure valid results in the measuring, monitoring, analysis and evaluation
- when that measurement, monitoring, evaluation and analysis takes place and who does it
- how the results get used
Like everything else in ISO/IEC international standards, ISO 27001 included, documented information is all-important: describing what you do and then demonstrating that it is happening is the key to success!
How to meet the requirements of clause 9.1 for ISO 27001
As with much of clause 8 on the operation of the information security management system, clause 9.1 is largely taken care of by looking at the ISMS as a whole and at the other parts that contribute to this requirement. For example:
- The work completed in 4.1, 4.2 and 4.3 identifies the issues (including the information assets), the interested parties and the scope
- 6.1 then highlights the risk identification, evaluation and treatment in a structured fashion to help address this requirement
- 6.2 documents the objectives for the ISMS and, if done well, will include the measurement, monitoring, frequency, source, management and evidence for each
- 9.2 helps with internal audits of the whole system, showing what is working and what can be improved upon
- 9.3 brings much of that work together in management reviews, where analysis and strategic decision-making follow the agenda it covers
- Clause 10.1 then looks at nonconformity, and 10.2 at the broader continual improvement opportunities in the information security management system
- Many of the Annex A controls also drive evaluation and reviews of performance, including Annex A.5.1 and Annex A.18, the latter covering both compliance with legislation and independent reviews of information security
So, assuming these parts of the ISMS have been implemented with the documentation robustness of clause 7.5 in mind, you can breathe easy. There is nothing else to do except document that 9.1 is met by the points above and join up the management system so an auditor can see it all working in practice. It’s easy to do with ISMS.online.