Expert Advice Community


ISO 27001 Controls Effectiveness Measurement

Guest
Guest post Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

Hello, I need some support regarding the measurement of the effectiveness of controls:

1. Shall we measure all 133 controls, or are there only some specific controls that need to be measured?

2. Can you please give me any clue on how to proceed with this measurement? How do we define the metrics for measurement?

Many thanks in advance!

Guest
Guest post Jan 12, 2016

Hi Kaoutar

1. You only have to implement the controls that are required by the risk assessment/treatment. (ISO 27001:2013 only lists 114 controls.)
However, ISO 27001 doesn't require you to measure and monitor all controls. You have to decide which are important to you to achieve your business objectives and control your risks (your security objectives).

2. The selected controls should

- be activated

- reach the objective they are aiming at (perform an action, reduce a risk, etc.)

- the objectives you set should always be measurable; otherwise you never know whether they are effective.

The metrics depend on the control. If you provide us with a couple of examples, we can give a closer answer.


Refer to our post: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

Best regards

Guest
Guest post Jan 12, 2016

Thank you Jean-Luc for your answer,

We are now working to be certified against ISO 27001:2005, and intend to go through the transition to 2013 this year, so we are still working on the 2005 version, and so far we have 131 controls selected in our SOA.

Shall we measure all the 131 controls selected in the SOA or only some of them?

(For example: 5.1.2. Review of Information Security Policy, 6.1.2. Information Security Coordination, 7.1.1 Inventory of assets ...)

Guest
Guest post Jan 12, 2016

Thank you Jean-Luc for your answer,

We are actually working to be certified against the 2005 version, and intending to go through the transition to 2013 this year, so we are still working on 133 controls, and we do have 131 selected controls in our SOA. Shall we measure all the 131 selected controls?

For example, how to define metrics and measure:

(5.1.2. Review of information security policy; 6.1.2. Information Security Coordination; 7.1.1. Asset Inventory)

Guest
Guest post Jan 12, 2016

Hi Kaoutar,

You have selected 131 controls in your SOA, it’s OK.

Have you defined SMART objectives that are easy to measure, and how you will control conformity? Then it may seem simpler.

Examples of metrics:

5.1.2 : Policy Review: Did you indicate at what frequency you wanted to review the policies (I suppose you have a series of them)? If yes, you can try: number of documents with a planned review; % of actually reviewed documents.

6.1.2 : Coordination: Did you declare a list of coordination activities (internal and external)? If yes, state how many you actually did with regard to what was planned.

7.1.1 : Asset Inventory: the question is more complex.

- how far are you in your inventory with regards to what is defined in your policy? The metric is a %

- what did you include in your inventory: only IT assets or also information, business processes? A second indicator could be how far you moved from IT to ‘information’ (meaning the protection of the business activities and goals).

Don't hesitate to ask…

Best regards

Jean-Luc

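The planned-versus-actual metrics sketched in the answer above, carried through on constructed data, as an added example that is not part of the original thread and not Advisera's own tooling. The document list, coordination plan, asset register and the reporting date (12 January 2016) are all made-up inputs; the review intervals and category names are assumptions chosen for illustration.

```python
"""Worked indicators for three ISO 27001:2005 controls (5.1.2, 6.1.2, 7.1.1).

Added example; all data below is constructed for illustration only.
"""
from datetime import date

# Reporting date used for every metric (constructed).
AS_OF = date(2016, 1, 12)

# 5.1.2 input (constructed): each policy document, its planned review interval
# in days (what the policy states) and the date it was last actually reviewed.
POLICY_DOCS = [
    {"name": "ISMS Policy", "review_every_days": 365, "last_reviewed": date(2015, 3, 1)},
    {"name": "Access Control Policy", "review_every_days": 365, "last_reviewed": date(2014, 11, 15)},
    {"name": "Backup Policy", "review_every_days": 180, "last_reviewed": date(2015, 9, 20)},
    {"name": "Acceptable Use Policy", "review_every_days": 365, "last_reviewed": None},
]

# 6.1.2 input (constructed): declared coordination activities, planned vs done count.
COORDINATION_PLAN = [
    {"activity": "Quarterly security steering committee", "planned": 4, "done": 3},
    {"activity": "Liaison meeting with external CERT", "planned": 2, "done": 2},
    {"activity": "Cross-department incident drill", "planned": 1, "done": 0},
]

# 7.1.1 input (constructed): everything the asset policy says must be inventoried,
# tagged with a category and whether it is already in the inventory.
ASSETS_IN_SCOPE = [
    {"name": "File server FS01", "category": "it", "inventoried": True},
    {"name": "Laptop fleet", "category": "it", "inventoried": True},
    {"name": "Customer database records", "category": "information", "inventoried": True},
    {"name": "HR personnel files", "category": "information", "inventoried": False},
    {"name": "Order fulfilment process", "category": "business_process", "inventoried": False},
    {"name": "Firewall FW01", "category": "it", "inventoried": True},
]


def policy_review_metric(docs, as_of):
    """5.1.2: documents with a planned review, and % reviewed within their interval.

    A document with no review date, or whose last review is older than its planned
    interval at `as_of`, counts as overdue.
    """
    planned = [d for d in docs if d["review_every_days"]]
    on_time_names = {
        d["name"] for d in planned
        if d["last_reviewed"] is not None
        and (as_of - d["last_reviewed"]).days <= d["review_every_days"]
    }
    pct = 100.0 * len(on_time_names) / len(planned) if planned else 0.0
    return {
        "planned": len(planned),
        "reviewed_on_time": len(on_time_names),
        "pct_reviewed": round(pct, 1),
        "overdue": [d["name"] for d in planned if d["name"] not in on_time_names],
    }


def coordination_metric(plan):
    """6.1.2: activities actually carried out against what was declared.

    Extra occurrences beyond the plan are capped so the indicator never exceeds 100%.
    """
    planned = sum(a["planned"] for a in plan)
    done = sum(min(a["done"], a["planned"]) for a in plan)
    per_activity = {
        a["activity"]: round(100.0 * min(a["done"], a["planned"]) / a["planned"], 1)
        for a in plan if a["planned"]
    }
    return {
        "planned": planned,
        "done": done,
        "pct_done": round(100.0 * done / planned, 1) if planned else 0.0,
        "per_activity": per_activity,
    }


def asset_inventory_metrics(assets):
    """7.1.1: inventory coverage against the policy scope, plus how far the
    inventory has moved beyond pure IT assets (share of information/process entries)."""
    total = len(assets)
    inventoried = [a for a in assets if a["inventoried"]]
    non_it = [a for a in inventoried if a["category"] != "it"]
    return {
        "coverage_pct": round(100.0 * len(inventoried) / total, 1) if total else 0.0,
        "non_it_share_pct": round(100.0 * len(non_it) / len(inventoried), 1) if inventoried else 0.0,
        "missing": [a["name"] for a in assets if not a["inventoried"]],
    }


if __name__ == "__main__":
    print("5.1.2", policy_review_metric(POLICY_DOCS, AS_OF))
    print("6.1.2", coordination_metric(COORDINATION_PLAN))
    print("7.1.1", asset_inventory_metrics(ASSETS_IN_SCOPE))
```

The useful part for an audit is not the percentage alone but the list of what is missing (overdue documents, skipped activities, uninventoried assets), since that is the evidence of the corrective action the indicator should trigger.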
Guest
Guest post Jan 12, 2016

Hello Jean-Luc,

So far we do have the ISMS objectives stated in the ISMS policy. Shall we measure the effectiveness against these objectives and all the selected controls? I've read in some documents that we can group the controls and, instead of measuring each control separately, measure for example "physical security", "access control", "internal audit". Is this the right way to do it?

One more question: shall we measure the effectiveness of the ISMS before the stage 2 audit, or can it be audited next year during the surveillance audit? (N.B. we passed only the stage 1 audit; we haven't passed stage 2 yet.)

Thank you very much!

Guest
DejanK Jan 12, 2016

Kaoutar,

Here are the answers:

1) You should measure the fulfillment of all the objectives - both those specified in your ISMS Policy, and the objectives specified for your controls.

2) If you wish, you can set the objectives for groups of controls - it will make your measurement easier.

3) You must measure the effectiveness before the certification audit (Stage 2 audit), because this is one of the mandatory requirements of ISO 27001. Of course, during the surveillance audit, the auditor will check again whether you have measured the fulfillment of these objectives.
