ISO 27001 measurement and Monitoring
1. Is it the controls from Annex A that need to be monitored and measured, or also other parts of the ISO standard?
Answer: Not only do the controls from Annex A need to be measured and monitored but also other parts of the standard, like information security objectives, competencies, nonconformities, etc.
For further information, see:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
2. Is the measurement part mandatory for all controls, or can we somehow motivate which controls we choose to measure?
Answer: The standard does not prescribe measurement of all controls. It only requires measuring and monitoring of elements that can allow evaluation of information security performance and evaluation of the ISMS effectiveness.
For example, if information security performance is related to an information system uptime, you do not need to monitor and measure each applied control to ensure this objective, only the system’s uptime itself.
Of course, if you can monitor and measure specific controls, it will be much easier and faster to identify potential and real problems.
3. How detailed does the measurement need to be? Can the internal audit be enough as a method for measurement or is this too non-specific?
Answer: The standard does not prescribe detailed levels for measurement, so organizations can define the levels that bring them the confidence that the information security and the ISMS are working properly.
Regarding internal audit, it is not enough as a method of measurement, because measuring and monitoring need to be part of regular activities, whereas the purpose of the internal audit is to provide an independent view of process compliance at planned intervals, which will probably be much longer than the time required for proper monitoring and measuring.
For example, monitoring and measuring the success of the backup process may need to be performed on a weekly or monthly basis, and the internal audit of this process, in general, occurs only once or twice a year.
4. Does the auditee's incorrect response to the auditor's question impact the internal audit?
Answer: An incorrect response by the auditee may lead the internal auditor to raise a nonconformity.
Based on the responses of other auditees and on other audit techniques, like document review and field observation, an experienced internal auditor can identify whether the situation is caused by auditee nervousness, lack of needed knowledge, or a real failure in following policies and procedures (the last two would be considered situations for raising a nonconformity).
5. Will the internal audit planning be the same for small, mid-sized, and large organizations?
Answer: Most probably not, because the audit planning needs to take into account the size and complexity of the audit scope.
For further information, see:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
Apr 28, 2022