In ISO 27001:2013 point 9.1 is said org shall evaluate IS performance and effectiveness of ISMS and shall determine point a to f. In toolkit, can you give us specific what information or docs that can be as evidence and compliance about that points?
Answer: We intentionally didn't develop a special document in the toolkit for the measurement results because in most cases companies already have some system of reporting their results – e.g. they use automatic reporting from their systems (e.g. fault logs from their servers), they use their regular reports (e.g. in the reports about monthly performance they include also the security results), or in some cases they have a Balanced Scorecard system in place where they simply add the security measurement.
If you have none of these, a simple report with stated objectives, date of measurement and the measurement results will be enough – you have to decide whether this report will be sent only to the mid-level management, or to the top management during the Management review.
Considering these, the re are two documents in the documentation toolkit that will be helpful regarding the measurement and monitoring:
- In the top-level Information Security Policy, in the section 4.1 you need to specify the responsibilities for measurement and monitoring.
- Risk Treatment Plan – in the column “Method for evaluation of results” you need to specify how you will evaluate whether the implementation plan of the controls has been complied with, while in the column “Status” you need to specify whether particular control is implemented or not, which you can use for monitoring the implementation plan.
By the way, to perform the measurement first you need to develop a set of measurable objectives, and you can use our Statement of Applicability template to document the objectives for your controls (or groups of controls), and you can document the top-level objectives in your Information security policy.