ISO 27001 Clause 9.1

ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation

ISO 27001 clause 9.1 requires organisations to check how well their information security management system (ISMS) is performing and to evaluate how effective it is.

ISO 27001 is a widely used international standard that provides a framework for managing information security risks. One of its main requirements is putting in place a process to monitor, measure, analyse and evaluate (MMAE) the ISMS and its controls.

The MMAE program helps organisations make sure their security measures are working well and that their information security risks are being managed correctly.

What is ISO 27001 Clause 9.1?

The organisation shall determine:
  a) what needs to be monitored and measured, including information security processes and controls;
  b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
     Note: The methods selected should produce comparable and reproducible results to be considered valid.
  c) when the monitoring and measuring shall be performed;
  d) who shall monitor and measure;
  e) when the results from monitoring and measurement shall be analysed and evaluated;
  f) who shall analyse and evaluate these results.
Documented information shall be available as evidence of the results.
The organisation shall evaluate the information security performance and effectiveness of the information security management system.

ISO 27001:2022 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation

What is ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis and Evaluation?

ISO 27001 clause 9.1 describes how an organisation watches, measures, analyses and judges how well its information security management system (ISMS) is working. It involves these steps:

  • Monitoring: Collecting information about how well the ISMS and its security measures are performing.
  • Measurement: Putting numbers on the information collected in step 1.
  • Analysis: Looking at the numbers from step 2 to find any trends or patterns.
  • Evaluation: Deciding how effective the ISMS and its security measures are based on the analysis in step 3.

What needs to be watched and measured in ISO 27001?

To judge how well an ISMS is working according to ISO 27001 clause 9.1, you need to watch and measure the following:

  • Information security performance: This means watching and measuring how well the ISMS is protecting the organisation’s important information. Examples of how to measure this include:
    • Number of information security incidents that occur.
    • How long it takes to detect and resolve information security incidents.
    • How much money information security incidents cost the organisation.
    • How well the organisation complies with information security rules and standards.
  • ISMS effectiveness: This means watching and measuring how well the ISMS itself is working. Examples of how to measure this include:
    • Percentage of security controls that are in place and working as intended.
    • Percentage of ISMS processes that are completed on time and within budget.
    • How satisfied employees are with the ISMS.

The specific things you need to watch and measure will depend on how big your organisation is, what industry it’s in, and the risks it faces. However, all organisations should watch and measure the things listed above to make sure their ISMS is effective.
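The four MMAE steps above, carried through on the incident and control metrics listed in this section, as an added worked example in Python (not from the standard or from this page): the incident records, control register, control identifiers and targets are constructed sample data, and "lower is better" is assumed for every metric.

```python
from datetime import datetime as dt
from statistics import mean

# Constructed sample incident records (not real data): when each incident began,
# when it was detected, when it was resolved, and its estimated cost.
INCIDENTS = [
    {"id": "INC-1", "period": "2024Q1", "start": "2024-01-03T08:00", "detected": "2024-01-03T20:00", "resolved": "2024-01-05T08:00", "cost": 4000},
    {"id": "INC-2", "period": "2024Q1", "start": "2024-02-10T09:00", "detected": "2024-02-11T09:00", "resolved": "2024-02-12T09:00", "cost": 9000},
    {"id": "INC-3", "period": "2024Q2", "start": "2024-04-14T10:00", "detected": "2024-04-14T14:00", "resolved": "2024-04-15T10:00", "cost": 2500},
]

# Constructed control register: whether each control is implemented and whether
# its last test found it effective (the control ids are illustrative only).
CONTROLS = [
    {"id": "A.5.15", "implemented": True, "effective": True},
    {"id": "A.8.7", "implemented": True, "effective": False},
    {"id": "A.8.16", "implemented": True, "effective": True},
    {"id": "A.5.30", "implemented": False, "effective": False},
]

def hours(a, b):
    return (dt.fromisoformat(b) - dt.fromisoformat(a)).total_seconds() / 3600

def measure_period(incidents, period):
    """Measurement: turn the monitored records for one period into numbers."""
    rows = [i for i in incidents if i["period"] == period]
    return {
        "incidents": len(rows),
        "mean_hours_to_detect": mean(hours(i["start"], i["detected"]) for i in rows) if rows else 0.0,
        "mean_hours_to_resolve": mean(hours(i["detected"], i["resolved"]) for i in rows) if rows else 0.0,
        "total_cost": sum(i["cost"] for i in rows),
    }

def control_effectiveness(controls):
    """Percentage of controls that are both implemented and working as intended."""
    ok = sum(1 for c in controls if c["implemented"] and c["effective"])
    return round(100.0 * ok / len(controls), 1)

def analyse_trend(previous, current):
    """Analysis: direction of change per metric between two periods (lower is better)."""
    def direction(before, after):
        return "improved" if after < before else "worsened" if after > before else "unchanged"
    return {k: direction(previous[k], current[k]) for k in previous}

def evaluate(metrics, targets):
    """Evaluation: does each measured value meet its target (upper limit)?"""
    return {k: metrics[k] <= limit for k, limit in targets.items()}
```

Because the same records always yield the same numbers, the results are comparable across periods and reproducible, which is what the clause asks of the chosen methods.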

Besides the above, organisations might also want to watch and measure:

  • Information security risks: This means watching and measuring the organisation’s information security risks so that any new risks are found as they appear.
  • Information security controls: This means watching and measuring how well the organisation’s security controls are working to make sure they are doing what they are supposed to do.
  • Information security awareness and training: This means watching and measuring how well the organisation’s information security awareness and training programmes are working. This helps make sure employees know about the organisation’s information security risks and rules.

By watching and measuring these things, organisations can find and fix weaknesses in their ISMS, lower the chance of information security problems, and make their overall information security stronger.