ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation

ISO 27001 Clause 9.1 is about checking how well your company’s security system works. This is known as “monitoring, measurement, analysis, and evaluation.” This rule means you must watch and check your security system to see if it is doing a good job.

What is ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation?

The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).

In the ISO/IEC 27001:2022 Standard the control is titled “Monitoring, Measurement, Analysis, Evaluation”.

What is the ISO 27001 Clause 9.1 control objective?

The formal definition and control objective in the standard is: “The organisation shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results (the methods selected should produce comparable and reproducible results to be considered valid);
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated;
f) who shall analyse and evaluate these results.
Documented information shall be available as evidence of the results.
The organisation shall evaluate the information security performance and effectiveness of the information security management system.”

What is the purpose of ISO 27001 Clause 9.1?

The purpose of ISO 27001 Clause 9.1 is “To implement measures and monitors to evaluate the effectiveness of the information security management system.”

Is ISO 27001 Clause 9.1 Mandatory?

ISO 27001 Clause 9.1 (Monitoring, Measurement, Analysis, Evaluation in the 2022 standard) is a mandatory clause in the main body of the standard.

Key Parts of the Rule

To follow this rule, you should have clear plans and policies. Here are some important steps:

  • What to check? You need to know what parts of your security system you will watch. This includes your plans and rules.
  • How to check? You must find good ways to check your system. The ways you choose should give results that are real and can be checked again.
  • When to check? You must decide when to check things. It could be once a day, once a week, or once a month.
  • Who will check? You need to say who is in charge of checking and looking at the results.

After you have these answers, you need to keep records of what you find. This shows that you are checking your security system and that it is working.

What an Auditor Will Check

An auditor will want to see proof that you are following these rules. They will:

  • Want to see proof that you are checking your system.
  • Ask to see your reports and records.
  • Make sure that your methods for checking the system are appropriate.

You can learn more about Monitoring, Measurement, Analysis, Evaluation and ISO 27001 by watching this video: ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis and Evaluation Explained.