
Expert Advice Community

ISO 27001 measurement and Monitoring

Guest
Guest user Created:   Apr 23, 2022 Last commented:   Apr 28, 2022

I have some thoughts around the measurement and monitoring part of the ISO 27001 framework.

1. Is it the controls from Annex A that need to be monitored and measured, or also other parts of the ISO standard?
2. Is the measurement part mandatory for all controls, or can we somehow motivate which controls we choose to measure?
3. How detailed does the measurement need to be? Can the internal audit be enough as a method for measurement, or is this too non-specific?
Expert
Rhand Leal Apr 23, 2022

1. Is it the controls from Annex A that need to be monitored and measured, or also other parts of the ISO standard?

Answer: Not only do the controls from Annex A need to be measured and monitored, but also other parts of the standard, like information security objectives, competencies, nonconformities, etc.

For further information, see:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/


2. Is the measurement part mandatory for all controls, or can we somehow motivate which controls we choose to measure?

Answer: The standard does not prescribe measurement of all controls. It only requires measuring and monitoring of elements that can allow evaluation of information security performance and evaluation of the ISMS effectiveness.

For example, if information security performance is related to an information system's uptime, you do not need to monitor and measure each applied control to ensure this objective, only the system's uptime itself.

Of course, if you can monitor and measure specific controls it will be much easier and faster to identify potential and real problems.

3. How detailed does the measurement need to be? Can the internal audit be enough as a method for measurement, or is this too non-specific?

Answer: The standard does not prescribe detailed levels for measurement, so organizations can define the levels that bring them the confidence that the information security and the ISMS are working properly.

Regarding internal audit, it is not enough as a method of measurement, because measuring and monitoring need to be part of regular activities, and the purpose of the internal audit is to provide an independent view of the process compliance at planned intervals that will probably be much greater than the time required for proper monitoring and measuring.

For example, monitoring and measuring the success of the backup process may need to be performed on a weekly or monthly basis, and the internal audit of this process, in general, occurs only once or twice a year.

Guest
Linish Kalbande Apr 26, 2022

Does the auditee's incorrect response to the auditor's question impact the internal audit?

Guest
Linish Kalbande Apr 26, 2022

Will the internal audit planning be the same for small, mid-sized and large organizations?

Expert
Rhand Leal Apr 28, 2022

Does the auditee's incorrect response to the auditor's question impact the internal audit?

An incorrect response by the auditee may lead the internal auditor to raise a nonconformity.

Based on the responses of other auditees, and other audit techniques like document review and field observation, an experienced internal auditor can identify whether the situation is due to auditee nervousness, lack of needed knowledge, or a real failure in following policies and procedures (the last two would be considered situations for raising a nonconformity).

Will the internal audit planning be the same for small, mid-sized and large organizations?

Most probably not, because the audit planning needs to take into account the size and complexity of the audit scope.

For further information, see:
