Part 11 - Continual reassessment of information security and making of modifications as appropriate
The final principle of ISO 27001 is to continually assess your information security management system (ISMS) and to modify it, and where appropriate improve it, over time.
The constant assessment and reassessment of your ISMS will provide evidence that it is operating well and providing value to your organisation.
New vulnerabilities in your systems and networks appear all the time, and the threats to those systems won’t go away.
Let’s not forget that if the companies affected by the WannaCry ransomware attack in May 2017 had reassessed the effectiveness of their ISMS, the attack might have been prevented. A fix (patch) for the problem had been available from Microsoft for 2 months prior to the attack, and this serious issue might well have been highlighted during the reassessment process.
On the other hand, some attacks are almost indefensible. A case in point is the 2017 Petya virus that hugely affected major organisations like Maersk. It was a new type of malware that went undetected. A Maersk spokesman said: “This virus attack was a previously unseen type of malware, and updates and patches applied to both the Windows systems and our antivirus were not an effective protection in this particular case.” Your reassessment therefore needs to be comprehensive enough to cover as many vulnerabilities as you can.
Reassessing your system and making modifications ensures you keep up to date with the latest changes, whether they are legislated externally or arise from your own internal requirements.
One of the best ways to reassess your ISMS is to implement a formal internal audit programme. This involves having trained internal auditors who follow a planned audit schedule and audit your ISMS at regular intervals to ensure it is being managed effectively. It’s best to have a team of auditors that includes at least one Technical Expert, who must have knowledge of the area under audit. Auditors should be independent and impartial, i.e. they must not audit their own work.
I have written many blogs on the processes around internal auditing.
Another process that helps reassess your ISMS is conducting a regular Management Review. This is typically a meeting with a formal agenda. The agenda should cover the items listed in ISO 27001. These are:
- the status of actions from previous management reviews;
- changes in external and internal issues that are relevant to the ISMS;
- feedback on the information security performance, including trends in:
  - non-conformities and corrective actions;
  - monitoring and measurement results;
  - audit results; and
  - fulfilment of information security objectives;
- feedback from interested parties;
- results of risk assessment and status of the risk treatment plan; and
- opportunities for continual improvement.
Attendees at your Management Review will be your top management and your Information Security Officer. I believe it’s best that the review is held monthly. I have also written many blogs on the processes around Management Review.
So you need to be in a constant state of analysing, evaluating and updating your ISMS. You need to continually improve it. Use tools like internal auditing and management review to ensure your processes remain efficient and effective. Start these processes now.