ISO 27001 - 9: Performance Evaluation

Section 9 – Performance evaluation

  • 9.1 Monitoring, measurement, analysis and evaluation
  • 9.2 Internal audit
  • 9.3 Management review

ISO 27001 Section 9.1 – Monitoring, measurement, analysis and evaluation

ISO 27001 requires organisations to evaluate how the ISMS is performing and how effective the information security management system is.

For this you will need to:

  1. decide what needs to be monitored;
  2. agree on the methods you will use for monitoring and analysing;
  3. decide when you will conduct the monitoring and measuring;
  4. decide who will conduct the measurement;
  5. decide when you will analyse the results of the measurement; and
  6. decide who will be responsible for evaluating the results.

ISO 27001 Section 9.2 – Internal audit

The standard expects you to have carried out a number of planned internal audits of your information security management system. These audits will be reviewed independently by an external auditor at stage 2 of the accreditation.

These audits should ensure that the information security management system meets the goals and objectives of the business, as well as the requirements of ISO 27001.

  • Plan, establish, implement and maintain an audit programme
  • Define the scope and criteria
  • Appoint the internal auditors, ensuring objectivity and impartiality
  • Report results to the previously agreed staff member
  • Ensure all results and comments are documented in the information security management system

ISO 27001 Section 9.3 – Management review

It is the responsibility of senior management to conduct the management review for ISO 27001. These reviews should be planned in advance and held often enough to ensure that the information security management system continues to be effective and achieves the aims of the business.

Management reviews should include:

  • Details of past management reviews with updated actions
  • Any changes to internal and external issues that concern information security
  • Feedback on any corrective actions, audit and measurement results
  • Feedback from interested parties
  • Risk assessment results
  • Opportunities for continual improvement of the ISMS

Discover how you can save time & reduce management resource using ISMS.online to achieve & maintain your ISO 27001 ISMS

Need ISO 27001 policies and controls for your ISMS?

ISMS.online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you an up to 77% head start with ISO 27001 documentation.
