
ISO 27001 – 9: Performance Evaluation

  • 9.1 Monitoring, measurement, analysis and evaluation
  • 9.2 Internal audit
  • 9.3 Management review

ISO 27001 Section 9.1 – Monitoring, measurement, analysis and evaluation

ISO 27001 requires organisations to evaluate both the performance of the information security management system (ISMS) and its effectiveness: whether the controls and processes you have put in place are actually achieving the security objectives you set for them.

For this you will need to:

  1. decide what needs to be monitored and measured, including the security processes and controls themselves;
  2. decide the methods you will use for monitoring, measurement, analysis and evaluation, so that the results are comparable and reproducible;
  3. decide when the monitoring and measurement will be performed;
  4. decide who will perform the monitoring and measurement;
  5. decide when the results will be analysed and evaluated; and
  6. decide who will analyse and evaluate the results.

You must also retain documented information as evidence of the monitoring and measurement results; the external auditor will ask to see it.

ISO 27001 Section 9.2 – Internal audit

ISO 27001 requires you to carry out internal audits of your information security management system at planned intervals. The records of these audits are reviewed by the external auditor at stage 2 of the certification audit, so they must exist and be complete before you reach that stage.

These audits should confirm that the information security management system conforms to your organisation's own requirements for its ISMS and to the requirements of ISO 27001, and that it is effectively implemented and maintained.

  • Plan, establish, implement and maintain an audit programme, including frequency, methods, responsibilities and planning requirements, that takes into account the importance of the processes concerned and the results of previous audits
  • Define the audit scope and criteria for each audit
  • Select the internal auditors so that objectivity and impartiality are maintained; auditors should not audit their own work
  • Report the audit results to the relevant management
  • Retain documented information as evidence of the audit programme and the audit results

ISO 27001 Section 9.3 – Management review

It is the responsibility of top management to conduct the management review for ISO 27001. These reviews must take place at planned intervals, frequently enough to ensure that the information security management system remains suitable, adequate and effective and continues to achieve the aims of the business.

Management reviews should include:

  • The status of actions from previous management reviews
  • Any changes to internal and external issues that are relevant to the information security management system
  • Feedback on information security performance, including trends in nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfilment of information security objectives
  • Feedback from interested parties
  • Results of the risk assessment and the status of the risk treatment plan
  • Opportunities for continual improvement of the ISMS

The outputs of the review should include decisions on continual improvement opportunities and any need for changes to the ISMS, and documented information must be retained as evidence of the results.