Questions for ISMS
1. What are the ideal KPIs to measure the effectiveness of an ISMS in an organization?
2. Can the internal auditor participate in the ISMS activities and take on some responsibilities, e.g. review policies and standards, develop and create missing documents, be an ISMS advisor, etc.?
1. What are the ideal KPIs to measure the effectiveness of an ISMS in an organization?
ISO 27001 does not prescribe which performance indicators should be adopted by organizations, so there is no such thing as an ideal KPI, and organizations must define them according to their needs and objectives. Some common issues organizations should take into account when defining KPIs are:
- Business relevant: the indicator is aligned to clear business objectives or legal requirements.
- Process integrated: a KPI should add the least amount of work possible to business processes.
- Assertive: the indicator should be capable of pinpointing relevant issues that need attention.
As general examples we have:
- Percent of business initiatives supported by the ISMS
- Number of security-related service downtimes
- Percent of controls assessment performed
- Number of improvement initiatives
These articles will provide you with further explanation about performance indicators and security objectives:
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
2. Can the internal auditor participate in the ISMS activities and take on some responsibilities, e.g. review policies and standards, develop and create missing documents, be an ISMS advisor, etc.?
I'm assuming that by "standards" you mean "procedures".
Considering that, in case you only have one internal auditor, he should not participate in the ISMS activities and take responsibility for its implementation and operation, because this would cause a conflict of interest during the audit (an auditor should not audit his own work). In case you have more than one internal auditor available, they can perform some activities, provided that during the audit they do not audit their own work.
This article will provide you with further explanation about internal audit:
- Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
These materials will also help you regarding internal audit:
- ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
- Free online training ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
Nov 26, 2020