Performance evaluation Performance evaluation

B.9. Performance evaluation

B.9.1

B.9.1 Monitoring, mMonitoring, measurement, aeasurement, analysis and evanalysis and evaluationluation

(How) does management monitor the ISMS to ensure that the (How) does management monitor the ISMS to ensure that the security controls identified in the RTP, SoA, policies

security controls identified in the RTP, SoA, policies etc.etc.  are  are effectively implemented, in operation and achieving effectively implemented, in operation and achieving objectives?

objectives? How How does does management management promote promote and sand supportupport continual improvement of information risk and security continual improvement of information risk and security management, driving the maturity of the

management, driving the maturity of the ISMS while remainingISMS while remaining aligned with business objectives?

aligned with business objectives? Review the ISMS

Review the ISMS monitoring and measurement activities usingmonitoring and measurement activities using evidence gleaned from: security metrics; minutes of meetings evidence gleaned from: security metrics; minutes of meetings and actions arising; management review and internal audit and actions arising; management review and internal audit reports; breach/incident reports; security investment or reports; breach/incident reports; security investment or project proposals, business cases

project proposals, business cases etc.etc.

Check how the metrics are specified/defined and used

Check how the metrics are specified/defined and used e.ge.g. data. data sources; data collection, analysis and reporting frequencies; sources; data collection, analysis and reporting frequencies; who collects, analyses and present/reports the data, and to who collects, analyses and present/reports the data, and to whom.

whom. Consider the Consider the purpose, quality, purpose, quality, utility and utility and value of thevalue of the metrics

metrics e.ge.g. using the. using the PRAGMATIC criteriaPRAGMATIC criteria.. Taken Taken as as a whole,a whole, do the metrics present a reasonably comprehensive, accurate do the metrics present a reasonably comprehensive, accurate and timely perspecti

and timely perspective to management? ve to management? Are key manaAre key managementgement decisions driven by the metrics, in fact?

decisions driven by the metrics, in fact?

[How] do the metrics drive continuous improvements? [How] do the metrics drive continuous improvements?

Metrics support decisions by Metrics support decisions by addressing questions relating to or addressing questions relating to or arising from

arising from goals and goals and objectives. objectives. High-High- level metrics concerning the ISMS itself level metrics concerning the ISMS itself typically measure its effectiveness and typically measure its effectiveness and value to the organization, its value to the organization, its compliance with and achievement of compliance with and achievement of various requirements, mid- to long- various requirements, mid- to long- term trends, resourcing and priorities, term trends, resourcing and priorities, its implementation status and

its implementation status and maturitymaturity etc

etc.. in the organization’s broaderin the organization’s broader business

business context. context. Low-level Low-level detaileddetailed metrics used within the ISMS to metrics used within the ISMS to manage information risks, security manage information risks, security controls, incidents

controls, incidents etcetc. depend heavily. depend heavily on the particular situation, and tend to on the particular situation, and tend to be more operational/short-term in be more operational/short-term in nature.

nature. See ISO/IEC 27004:2016 forSee ISO/IEC 27004:2016 for

more

B.9.2 Internal audit

B.9.2 Internal audit

Review the organization's internal audits of the ISMS as Review the organization's internal audits of the ISMS as documented in ISMS internal audit

documented in ISMS internal audit scopes, plans, reports,scopes, plans, reports, action plans

action plans etcetc. . Is Is there there an an ISMS ISMS internal internal auditaudit programme, showing a planned set or series of audits? programme, showing a planned set or series of audits? Are responsibilities for conducting ISMS internal audits Are responsibilities for conducting ISMS internal audits formally assigned to competent, adequately trained formally assigned to competent, adequately trained auditors (contractors or consultants if no suitable auditors (contractors or consultants if no suitable employees are available)?

employees are available)?

To what extent to internal audits confirm that the ISMS To what extent to internal audits confirm that the ISMS meets its requirements defined in ISO/IEC 27001 plus meets its requirements defined in ISO/IEC 27001 plus relevant legal, regulatory or contractual obligations, and relevant legal, regulatory or contractual obligations, and organizational ISMS requirements specified through the organizational ISMS requirements specified through the risk assessment process?

risk assessment process?

Check that recommendations, action plans, corrective Check that recommendations, action plans, corrective actions

actions etcetc. are generally being addressed and verified within . are generally being addressed and verified within agreed timescales, paying particular attentioagreed timescales, paying particular attentionn to any currently overdue actions for topical examples.

to any currently overdue actions for topical examples.

B.9.3 Management review

B.9.3 Management review

Management reviews of the ISMS should occur at least biannually Management reviews of the ISMS should occur at least biannually or whenever there is

or whenever there is a significant a significant change to tchange to the ISMS. he ISMS. Is thisIs this defined

defined e.ge.g. . in in policy? policy? When When has has management management previouslypreviously reviewed the ISMS, and when doe

reviewed the ISMS, and when does it next plan to do so?s it next plan to do so?

By reviewing management reports and other records, and/or by By reviewing management reports and other records, and/or by interviewing those who were involved, check what went in to the interviewing those who were involved, check what went in to the previous management review/s (ISO/IEC 27001 identifies nine previous management review/s (ISO/IEC 27001 identifies nine items such as the results of other audits/reviews, feedback and items such as the results of other audits/reviews, feedback and improvement suggestions, information on vulnerabilities and improvement suggestions, information on vulnerabilities and threats

threats etcetc.). .). Assess the extent Assess the extent to which management to which management played anplayed an active part and was fully engaged in the review/s.

active part and was fully engaged in the review/s.

Check the outputs of any previous management review/s including key management decisions, action plans Check the outputs of any previous management review/s including key management decisions, action plans and records relating to the confirma

and records relating to the confirmation that agreed actions were duly action that agreed actions were duly actioned. tioned. If necessary, confirm thaIf necessary, confirm thatt closed actions have in fact been properly completed, focusing perhaps on any that were not completed on closed actions have in fact been properly completed, focusing perhaps on any that were not completed on time.

time.

B.10. Improvement

B.10. Improvement

B.10.1

B.10.1 NonconformiNonconformity and correty and corrective actictive actionon

Review a sample of records to evaluate what actually happens when a nonconformity is detected Review a sample of records to evaluate what actually happens when a nonconformity is detected e.g

e.g. through a review, audit, near. through a review, audit, near-miss or incident. -miss or incident. Are they routinely and consisAre they routinely and consistently documented in thetently documented in the form of

form ofNNon-on-CConformanceonformanceRReports (eports (NCRNCRs) including:s) including:

It is not uncommon for some agreed actions It is not uncommon for some agreed actions to remain incomplete at the planned to remain incomplete at the planned completion dates, especially if they are completion dates, especially if they are complex, cos

complex, costly or itly or involve other nvolve other parties. parties. TheThe point is not that everything must be done point is not that everything must be done exactly as planned so much as that exactly as planned so much as that management remains on top

management remains on top of the situation,of the situation, proactively managing the work and allocating proactively managing the work and allocating sufficient resources to achieve a sensible rate sufficient resources to achieve a sensible rate of progress, with a reasonable proportion of of progress, with a reasonable proportion of agreed actions being completed on time. agreed actions being completed on time. Continuous improvement and positive Continuous improvement and positive business outcomes are more important than business outcomes are more important than strict adherence to plans

strict adherence to plans – – see also see also section 8section 8..

Whether an ISMS certification audit, Whether an ISMS certification audit, performed at management's request, performed at management's request, could be considered a “management could be considered a “management review”

review” strictly within the terms ofstrictly within the terms of the ISO/IEC standard is unclear, but the ISO/IEC standard is unclear, but that

that was was not not the the intent. intent. TheirTheir objectives and processes differ objectives and processes differ e.g

e.g. . audits audits are are formalized,formalized, independent assessments, whereas independent assessments, whereas management reviews may not be. management reviews may not be.



 Explicit details of the non-conformance including which obligations, requirements or Explicit details of the non-conformance including which obligations, requirements or controls it relatescontrols it relates

to (

to (e.ge.g. . clauses of ISO/IEC 27001; policies; laws clauses of ISO/IEC 27001; policies; laws and regulations; contractual terms; insurance conditions;and regulations; contractual terms; insurance conditions; good practices);

good practices);



 Root cause analysis, digging into the underlying reasons, gaps,Root cause analysis, digging into the underlying reasons, gaps,

issues or failures that allowed the situation to occur; issues or failures that allowed the situation to occur;



 Actions planned to address root causes, including any changes toActions planned to address root causes, including any changes to

ISMS strategies, policies, procedures, priorities, resourcing, ISMS strategies, policies, procedures, priorities, resourcing, controls, metrics, oversight

controls, metrics, oversight etcetc.;.;



 Specification, prioritization, scheduling/planning and resourcingSpecification, prioritization, scheduling/planning and resourcing

of the actions arising; of the actions arising;



 Evidence demonstrating that the NCR has in Evidence demonstrating that the NCR has in fact been addressedfact been addressed

and resolved; and resolved;



 Independent confirmation that the NCR has been resolved and hence Independent confirmation that the NCR has been resolved and hence can be closed?can be closed?

Are appropriate correct

Are appropriate corrective actions fully imive actions fully implemented and their effectiveplemented and their effectiveness reviewed, routinely? ness reviewed, routinely? DoesDoes anyone make the effort to determining whether similar nonconformities exist, or may occur, elsewhere? anyone make the effort to determining whether similar nonconformities exist, or may occur, elsewhere? Are nonconformities and corrective actions considered in

Are nonconformities and corrective actions considered in management reviews (B.9.3)? management reviews (B.9.3)?

B.10.2 Continual improvement

B.10.2 Continual improvement

In addition to making ISMS improvements in response to reported nonconformities, does the organization In addition to making ISMS improvements in response to reported nonconformities, does the organization takes a more proactive stance towards addressing potential improvements, emerging or projected new takes a more proactive stance towards addressing potential improvements, emerging or projected new requirements

requirements etc.etc.? ? How How are are potential potential ISMS ISMS improvementsimprovements identified, assessed and (if applicable)identified, assessed and (if applicable) implemented?

implemented? Obtain and rObtain and review records relating to correview records relating to corrective actions sucective actions such as reports and ach as reports and action planstion plans from ISMS management review/s or audits (see 9.2 and 9.3), ISMS change requests, budget/investment from ISMS management review/s or audits (see 9.2 and 9.3), ISMS change requests, budget/investment proposals and business cases

proposals and business cases etcetc. . Seek evidence that Seek evidence that the ISMS is, in fthe ISMS is, in fact, being maact, being materially improved interially improved in response to emerging or

response to emerging or projected new requirements, emerging good security practicesprojected new requirements, emerging good security practices etcetc. . Seek Seek evidenceevidence of ISMS changes (such as adding, changing or removing information security controls) corresponding to of ISMS changes (such as adding, changing or removing information security controls) corresponding to significantly changed information risks.

significantly changed information risks.

Aside from the obvious but often Aside from the obvious but often superficial symptoms and superficial symptoms and reactive aspects (such as reactive aspects (such as compliance for the sake of it), it is compliance for the sake of it), it is worthwhile diagnosing and worthwhile diagnosing and proactively treating any proactively treating any underlying root causes in order to underlying root causes in order to prevent issues from recurring and prevent issues from recurring and perhaps worsening, like a cancer. perhaps worsening, like a cancer.