ISO 27001 – 9: Performance Evaluation

Section 9 – Performance evaluation

  • 9.1 Monitoring, measurement, analysis and evaluation
  • 9.2 Internal audit
  • 9.3 Management review

ISO 27001 Section 9.1 – Monitoring, measurement, analysis and evaluation

ISO 27001 requires organisations to evaluate how the information security management system (ISMS) is performing and how effective it is.

For this you will need to:

  1. decide what needs to be monitored and measured;
  2. agree on the methods you will use for monitoring, measuring, analysing and evaluating;
  3. decide when the monitoring and measuring will be carried out;
  4. decide who will carry out the monitoring and measuring;
  5. decide when the results of the monitoring and measuring will be analysed and evaluated; and
  6. decide who will be responsible for analysing and evaluating the results.

ISO 27001 Section 9.2 – Internal audit

The International Standardisation Organisation will expect you to have carried out a number of planned internal audits of your information security management system. The external auditor will independently review these audits at stage 2 of the accreditation process.

These audits should confirm that the information security management system meets the goals and objectives of the business as well as the requirements of ISO 27001. To do this you will need to:

  • Plan, establish, implement and maintain an audit programme
  • Define the scope and criteria of each audit
  • Appoint the internal auditors, ensuring their objectivity and impartiality
  • Report the results to the previously agreed member of staff
  • Ensure all results and comments are documented in the information security management system

ISO 27001 Section 9.3 – Management review

It is the responsibility of senior management to conduct the management review for ISO 27001. These reviews should be planned in advance and held often enough to ensure that the information security management system continues to be effective and achieves the aims of the business.

Management reviews should include:

  • The status of actions from previous management reviews
  • Any changes to internal and external issues that concern information security
  • Feedback on corrective actions, audit results and measurement results
  • Feedback from interested parties
  • Risk assessment results
  • Opportunities for continual improvement of the ISMS