Monitoring, measurement, analysis and evaluation is Clause 9.1 of ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection — Information security management systems — Requirements). It is a mandatory requirement of the standard, so an organisation must meet it to achieve and retain ISO 27001 certification.
What is ISO 27001 Clause 9.1?
The organisation shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
NOTE: The methods selected should produce comparable and reproducible results to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated;
f) who shall analyse and evaluate these results.
Documented information shall be available as evidence of the results.
The organisation shall evaluate the information security performance and effectiveness of the information security management system.
ISO 27001:2022 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation