Before earning your ISO 27001 certification, your organization will undergo a robust internal audit, verifying the strength and quality of your ISMS. In addition to thorough documentation and interviews, you will need to conduct performance monitoring and measuring to maintain and improve your ISMS. Beyond this, a vital component of the ISO 27001 certification happens after receiving your certificate. Once certified, your organization will need to conduct annual audits and performance checks to ensure the continued success of your ISMS, verifying that there are no new risks or nonconformities. Achieving information security is not a one-and-done process. Threats are constantly rising and growing, and your organization needs to grow as well to combat them. This can only be done with continuous maintenance and reevaluating of your information security processes. For this reason, it is crucial that you continuously monitor your ISMS, ensuring that it is working efficiently to protect your information, in addition to guaranteeing readiness for an audit at any time.
Monitoring your ISMS is so critical that it is outlined in Clause 9.1 of the ISO 27001 requirements. This clause details the requirements of monitoring, measurement, analysis, and evaluation. This is to define for organizations what is necessary when observing and implementing information security practices. We will discuss the best methods of monitoring and measuring your ISMS to guarantee the continued success of your organization’s security process and ISO 27001 certification. In addition to this, we will run through the requirements of ISO 27001 Clause 9.1 to ensure that you are efficiently and accurately monitoring your security processes and systems.
Monitoring vs. Measurement
When monitoring their ISMS, many organizations confuse this with measurement, but there is an essential distinction between the two. Monitoring entails the watching of something, in this case, the ISMS. This means that your organization is continuously aware of the state of your ISMS. This is less complex than its alternative but will provide a quicker alert when changes or disruptions arise. Measurement, on the other hand, is assigning value to something based upon predefined dimensions and units. This is much more complex but can provide more detailed information about a situation and how it should be handled.
Aside from being a requirement of ISO 27001, there are several reasons why an organization would benefit from monitoring and measuring their ISMS. An excellent advantage of this would be to validate previous decisions. Following most decisions, management will perform a review and follow-up to determine the effectiveness of the decision at hand. Monitoring and measuring your ISMS will provide you with evidence that the actions you implemented were effective. For example, if you chose to update a firewall or implement cryptography, you will have factual evidence to justify your decision to do so. Both of these actions require strong and consistent data to sell an idea to management as they can be expensive and time-consuming, but with monitoring, it will be apparent that your decision was the right one. Another great benefit of monitoring is that it allows you to set a direction for activities in order to meet set targets. Planning backup activities is an excellent use of monitoring, using data to choose between multiple alternatives. Additionally, monitoring allows you to identify a point of intervention and subsequent changes and corrective actions. The use of cause analysis is significantly beneficial in determining problems and quickly resolving them.
ISO 27001 Requirements
As mentioned, monitoring your ISMS is a practice required by ISO 27001. This guarantees that you will put your certification to good use, continuously ensuring that information is protected and security is maintained. Clause 9.1 establishes two aspects to be monitored and measured; information security performance and ISMS effectiveness. These might seem similar, but there is a difference between the two. Information security performance deals individually with security results viewed as is relevant to the organization. This may be concerning information availability, event response time, protection costs, and more. The ISMS effectiveness, on the other hand, shows you how the interactions between individual security results affect security as a whole, including compliance.
Essentially, the two are not mutually exclusive. Your organization can have good information availability and response time to incidents without translating directly into positive security results. For this reason, you must conduct monitoring and measurement to cultivate good individual security results that add business value. Information security is about more than checking off boxes and fulfilling compliance requirements – everything comes back to business value and the protection of information. To help organizations achieve this balance, Clause 9.1 establishes items that must be set up to ensure proper monitoring.
- What must be monitored. Before monitoring, you must identify all business results and processes that can be affected by variations in information security performance. This may include information security controls and processes, mandatory requirements, and contractual obligations.
- Which methods to use. You should choose the method you feel most comfortable with, whether this is manual, mechanical, or software. This will be individual to each organization, increasing the likelihood that users will correctly conduct monitoring. But, the chosen method must be verifiable to ensure that it can produce comparable and repeatable results.
- When to monitor. This process will also be individual to your organization as different needs require different monitoring times. Your chosen application may have monitoring points at data input, processing, or output, affecting when and how often monitoring will be done.
- When results must be analyzed and evaluated. To ensure the addition of business value, monitoring results must be considered on decisions and actions at proper times. Considering these too soon or too late may result in unnecessary effort, wasted resources, or loss of opportunities.
- Who must analyze and evaluate results. Equally as important as when to analyze and evaluate results is who will do this. Generally speaking, individuals on the operational level will perform the analysis, while management-level individuals will perform evaluations.
As we have learned over the past year, change is inevitable, and we cannot always prepare for it. It is clear that information security should be a significant priority for every organization, which is why so many are looking to earn their ISO 27001 certification. In both the process to achieve this and the time following, it is crucial to monitoring your ISMS to ensure its continued success. Monitoring your information security performance and ISMS effectiveness is key to maintaining the enhanced level of security that your organization has earned and demonstrated. Monitoring and measuring the security process you have implemented will increase their effectiveness and help you avoid threats and seize more significant opportunities.
