Documenting the measurement of controls
Answer:
The easiest way to document the measurement is to define the information security objectives for each control (or group of controls) through the Statement of Applicability, and then regularly review whether those objectives are achieved; this can be done through the Management meeting minutes, and no other documents are needed. For a smaller company, this approach is the best because it doesn't require too many documents.
These materials will also help you:
- article How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
- article ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- article Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
- webinar ISO 27001 and ISO 27004: How to measure the effectiveness of information security? https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/
Feb 04, 2016