The final principle of information security is to assess your security continually, modifying and improving it over time. Regular assessment and reassessment provides evidence that your controls are operating effectively and delivering value to your organisation.
New vulnerabilities in your systems and networks are discovered constantly, and the threats against those systems do not go away.
Reassessing your systems and adjusting them keeps you up to date with changing requirements, whether those come from external legislation and regulation or from your own internal policies.
One of the best ways to reassess your information security is to implement a formal internal audit programme. This requires trained internal auditors who follow a planned audit schedule and audit your information security at regular intervals to confirm that everything is being managed effectively. It is best to have an audit team that includes at least one Technical Expert with knowledge of the area under audit. Auditors must be independent and impartial; in particular, they must not audit their own work.
Another process that helps you reassess your information security is a regular Management Review. This is typically a meeting with a formal agenda, attended by your top management and your Information Security Officer. I believe it is best that the review is held monthly.
So you need to be in a constant cycle of analysing, evaluating and updating your information security, improving it continuously. Use tools such as internal auditing and management review to ensure your processes remain efficient and effective.