Expert Advice Community

Guest

ISMS performance evaluation

  Quote
Guest
Guest user Created:   Mar 06, 2017 Last commented:   Mar 06, 2017

ISMS performance evaluation

In ISO 27001:2013 point 9.1 is said org shall evaluate IS performance and effectiveness of ISMS and shall determine point a to f. In toolkit, can you give us specific what information or docs that can be as evidence and compliance about that points?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 06, 2017

Answer: We intentionally didn't develop a special document in the toolkit for the measurement results because in most cases companies already have some system of reporting their results – e.g. they use automatic reporting from their systems (e.g. fault logs from their servers), they use their regular reports (e.g. in the reports about monthly performance they include also the security results), or in some cases they have a Balanced Scorecard system in place where they simply add the security measurement.

If you have none of these, a simple report with stated objectives, date of measurement and the measurement results will be enough – you have to decide whether this report will be sent only to the mid-level management, or to the top management during the Management review.

Considering these, the re are two documents in the documentation toolkit that will be helpful regarding the measurement and monitoring:
- In the top-level Information Security Policy, in the section 4.1 you need to specify the responsibilities for measurement and monitoring.
- Risk Treatment Plan – in the column “Method for evaluation of results” you need to specify how you will evaluate whether the implementation plan of the controls has been complied with, while in the column “Status” you need to specify whether particular control is implemented or not, which you can use for monitoring the implementation plan.

By the way, to perform the measurement first you need to develop a set of measurable objectives, and you can use our Statement of Applicability template to document the objectives for your controls (or groups of controls), and you can document the top-level objectives in your Information security policy.

These articles will also help you:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

Also, in the video tutorials that came with your toolkit, you can see examples of how to fill out all the data for Risk assessment and Risk treatment.
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 06, 2017

Mar 06, 2017