This is an explanatory presentation on Management Clause 9 of ISO 27001. It focuses mainly on Monitoring, Measurement, Analysis and Evaluation (9.1) and Management Review (9.3) as they apply to implementing an ISMS.
2. Performance evaluation
ISO 27001 - Management Clause 9
o In order to make systematic improvements in information security controls, processes and the management system
Cycle diagram: Monitor, Measure, Analyse, Evaluate, Audit, Review
ISO for Software application development India
3. Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
4. 9.1 Monitoring, measurement, analysis and evaluation
Actions involved:
o Decide what needs to be monitored and measured
o Monitor customer satisfaction
o Analyse and evaluate data and information
5. 9.1 Monitoring, measurement, analysis and evaluation (Contd)
Flowchart steps: Performance requirement -> Determine what can be measured -> Determine most appropriate measurement(s) -> Create measuring procedure -> Measure -> Analyse figures -> Evaluate -> Report measurements
Decision points: Action required? (Y: Raise improvement); Escalation required? (Y: Escalate to top management)
Source: https://issuu.com/public-it/docs/isms09005_process_for_monitoring__m?e=7139440/30590160
6. 9.1 Monitoring, measurement, analysis and evaluation (Contd)
Documentation Requirements
o Documents, logs and periodic reports on IS risks, incidents and changes
Implementation Requirements
o Identifying the various IS metrics to be monitored and measured
o Assigning monitoring responsibilities to competent staff
Audit Requirements
o Review reports on the various ISMS metrics and measurements
7. 9.3 Management review
Top management reviews the organisation's management system at regular intervals
Documentation Requirements
o Management review (MR) meeting minutes / decisions related to the ISMS
Implementation Requirements
o Ensuring management reviews ISMS performance periodically
o Management conducting periodic reviews of ISMS performance, status of previous issues, risk assessment reports, audits, non-conformities (NCs), corrective actions and feedback
Audit Requirements
o Review ISMS performance reviews
o Review results of MRs (corrective actions)
8. Requirements for documented information
Evidence of the monitoring and measurement results (9.1)
Evidence of the audit programme(s) and the audit results (9.2)
Evidence of the results of management reviews of the ISMS (9.3)