If the organisation is seeking ISO 27001 certification, the independent auditor from a certification body accredited by UKAS (or by the equivalent national accreditation body in other countries) will look closely at the following areas:
- what the organisation has decided to monitor and measure: not just the objectives but the processes and controls as well
- how it ensures valid results from the monitoring, measurement, analysis and evaluation
- when that monitoring, measurement, analysis and evaluation takes place, and who performs it
- how the results are used
As with everything else in the ISO/IEC family of standards, including ISO 27001, the documented information is all important: describe what you do, then demonstrate that it is actually happening. That is the key to success.
How to meet the requirements of clause 9.1 for ISO 27001
As with much of clause 8 (operation of the information security management system), clause 9.1 is largely satisfied by looking at the ISMS as a whole and at the other parts that contribute to this requirement. For example:
- The work completed in 4.1, 4.2 and 4.3 identifies the issues (including the information assets), the interested parties and the scope
- 6.1 then covers risk identification, assessment and treatment in a structured way, which directly supports this requirement
- 6.2 documents the objectives for the ISMS and, if done well, records for each objective what will be measured, how it is monitored, how often, who is responsible and what evidence is kept
- 9.2 covers internal audits of the whole system, showing what is working and what can be improved
- 9.3 brings much of that work together in the management review, whose agenda drives the analysis and the strategic decision making
- Clause 10 then deals with nonconformity and corrective action and with the broader continual improvement of the ISMS (in the 2022 edition these are 10.2 and 10.1 respectively)
- Many of the Annex A controls also drive evaluation and review of performance, for example Annex A.5.1 (policies for information security) and Annex A.5.36 (compliance with policies, rules and standards for information security)
So, assuming these parts of the ISMS have been implemented with the clause 7.5 requirements for documented information in mind, you can breathe easy. There is nothing more to do except record that 9.1 is met by the points above and join up the management system so that an auditor can see it all working in practice.