Expert Advice Community

Questions for ISMS

Guest user Created: Nov 26, 2020 Last commented: Nov 26, 2020

Questions for ISMS

1. What are the ideal KPIs to measure the effectiveness of an ISMS in an organization?

2. Can the internal auditor participate in the ISMS activities and take on some responsibilities, e.g. review policies and standards, develop and create missing documents, be an ISMS advisor, etc.?

Expert
Rhand Leal Nov 26, 2020

1. What are the ideal KPIs to measure the effectiveness of an ISMS in an organization?

ISO 27001 does not prescribe which performance indicators should be adopted by organizations, so there is no such thing as an ideal KPI, and organizations must define them according to their needs and objectives. Some common issues organizations should take into account when defining KPIs are:

  • Business-relevant: the indicator is aligned to clear business objectives or legal requirements.
  • Process-integrated: a KPI should add the least amount of work possible to business processes.
  • Assertive: the indicator should be capable of pinpointing relevant issues that need attention.

As general examples we have:

  • Percent of business initiatives supported by the ISMS
  • Number of security-related service downtimes
  • Percent of controls assessment performed
  • Number of improvement initiatives

These articles will provide you with a further explanation about performance indicators and security objectives:

2. Can the internal auditor participate in the ISMS activities and take on some responsibilities, e.g. review policies and standards, develop and create missing documents, be an ISMS advisor, etc.?

I'm assuming that by "standards" you mean "procedures".

Considering that, in case you only have one internal auditor, he should not participate in the ISMS activities and take responsibility for its implementation and operation, because this would cause a conflict of interest during the audit (an auditor should not audit his own work). In case you have more than one internal auditor available, they can perform some activities, provided that during the audit they do not audit their own work.

This article will provide you with a further explanation about internal audit:

These materials will also help you regarding internal audit:
