This blog is about Clauses 9.1, 9.2, 9.3 Performance Evaluation - Monitoring, measurement, analysis & evaluation, Internal audit, Management review
If you have been keeping up with the Plan-Do-Check-Act cycle of improvement, then clause 9 is the “Check” part of the cycle.
Clause 9 is a great clause to use to check how well things are working. You’ll ask yourself valuable questions like, “are we making progress?”, “are we getting any better?” and “is this information security risk under control?”.
9.1 Monitoring, measurement, analysis and evaluation
Let’s start with the first clause, 9.1 Monitoring, measurement, analysis and evaluation.
To see how effective your information security management system (ISMS) really is, you’re going to have to carry out an evaluation.
You need to work out:
- what you will measure,
- who will measure and analyse it,
- and how you will produce valid results.
To work out what you will measure, first go back to the information needs of your interested parties. Then determine the most important needs and create a statement of those needs. For example, here at Mango one of the most important needs our customers have is for Mango to be available whenever the customer wants to use it. Our statement is that “we want the product to be available to customers 100% of the time”. Therefore, we monitor and measure the server up-time to ensure that the product is available for the customer to use anytime they need it.
A word of warning here though: great care should be taken to not have too many attributes to measure. Here at Mango we only have about 5 high-level measures that we monitor to ensure that the system is working well and our performance is high.
9.2 Internal Audit
The next clause is 9.2 Internal Audit.
Start this process by scheduling your audits based on risk. Procedures that are high risk should be audited frequently, maybe once or twice a year. Those areas of the business that are lower risk can be audited every 2-3 years.
Now that you have scheduled them, it’s time to conduct the audit. The overriding principles of audit are:
- Have integrity;
- Show a fair presentation;
- Have professional care;
- Be confidential;
- Ensure you are independent; and
- Take an evidence-based approach.
The internal audit needs to identify non-conformities, risks and opportunities. I have written many times on how to conduct an internal audit. Follow that advice and you can’t go wrong.
Next you must keep records of the audit. Highlight the non-conformances, risks and opportunities.
9.3 Management Review
Finally, the section is completed with 9.3 Management Review.
Your management review is there to ensure the continuing suitability, adequacy and effectiveness of your ISMS.
So what does this mean? You should continually review your business and your ISMS to ensure:
- Your ISMS aligns with the objectives of the business, and
- Your processes and controls, which are driven by your ISMS, are implemented and embedded in your business.
It doesn’t mean that you need to have a review meeting, but I think that is the best forum to review your systems.
Once again I have written lots of times about Management Review.
That advice still stands. Just do it.
- Work out the information needs of your interested parties
- Create measures to check that the needs are being met (like up-time)
- Schedule your internal audits based on risk
- Conduct the audit using best practice
- Conduct Management Reviews to ensure all areas of the business are checked against the stated performance. Discuss any abnormalities.