Expert Advice Community

Monitoring and measurement results

Guest user Created: May 24, 2016 Last commented: Mar 06, 2017
How does the toolkit handle documenting the Monitoring and measurement results (clause 9.1) requirement? I see in each document and in the SoA references to measuring, but how are these measurements formally documented?

Expert
Dejan Kosutic May 24, 2016

Answer:

We intentionally didn't develop a special document in the toolkit for the measurement results because in most cases companies already have some system of reporting their results - e.g. they use automatic reporting from their systems (e.g. fault logs from their servers), they use their regular reports (e.g. in the reports about monthly performance they also include the security results), or in some cases they have a Balanced Scorecard system in place where they simply add the security measurement.

If you have none of these, a simple report with stated objectives, date of measurement and the measurement results will be enough - you have to decide whether this report will be sent only to the mid-level management, or to the top management during the Management review.

By the way, to perform the measurement first you need to develop a set of measurable objectives, and you can use our Statement of Applicability template to document the objectives for your controls (or groups of controls), and you can document the top-level objectives in your Information security policy.

These articles will also help you:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

Expert
Dejan Kosutic Mar 06, 2017

There are two more documents in the documentation toolkit that will be helpful regarding the measurement and monitoring:
- In the top-level Information Security Policy, in section 4.1 you need to specify the responsibilities for measurement and monitoring.
- Risk Treatment Plan - in the column "Method for evaluation of results" you need to specify how you will evaluate whether the implementation plan of the controls has been complied with, while in the column "Status" you need to specify whether a particular control is implemented or not, which you can use for monitoring the implementation plan.
