Measure your ISMS





		Knowing your ISMS effectiveness and information security performance
		HOME SERVICES Consultancy and training Productised IP-led IMS Service IMS-Smart On-Line Effective ISMS qualities Making the most of your ISMS BOOKS STANDARDS ISO/IEC 27001 ISMS Requirements Statement of Applicabiilty Risks and opportunities Risk treatment plans ISO/IEC 27002 Controls ISO/IEC 27004 Measurements ISO/IEC 27007 Auditing ISO/IEC 27014 Governance PHILOSOPHY Overview Architecture Time theory Opportunity exploitation Risk treatment Taxonomies Alternative ideas lists Effectiveness Continual improvement Auditing Implementation strategies CORPORATE About us IMS-Smart ISMS Customers Papers Enquiries Privacy policy IMS-Smart Suzuki motorcycle ≡
		Need help with implementing ISO/IEC 27001 or want to improve your ISMS? — contact IMS-Smart today for a consultancy quotation

	Measuring ISMS performance and effectiveness There is a new edition of the ISMS standard (ISO/IEC 27001:2022), and you are encouraged to start planning your transition now, if you already have an ISMS, or start using the new standard if not. Whilst there is very little change to the Information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001, is still risk assessment and the SOA, but that can easily be mastered. Another challenging and perplexing aspect of ISO/IEC 27001, particularly for small organisations, is the requirement for monitoring, measurement, analysis and evaluation. Clause 9.1 of the new edition of ISO/IEC 27001 starts with the requirement to determine “what needs to be monitored and measured”, but how should this be done? Indeed, how, in practice, should one set about the fulfilment of this whole clause? Here is how to can fulfil these requirements with ease. You might also like to learn how you can optimise the rest of your ISMS, showcase and exploit your ISMS. David Brewer’s book “An introduction to ISO/IEC 27001:2022”, gives a detailed explanation of the whole of ISO/IEC 27001:2022.There is a detailed section on monitoring, measurement, analysis and evaluation. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25). Derive IS objectives from business objectives In ISO/IEC 27001:2022 there is now a link between clauses 6.2 and 9.1, as Clause 6.2 d) requires the IS objectives to be monitored. A principle of corporate governance is that the exploitation of opportunities to fulfil the business objectives encounters risks, which must be managed. The process is illustrated in the figure to the left of this text. As an example, a business objective of an ISMS consultancy is to make a profit. Its ability to produce quality software could be exploited to “increase productivity through self-developed SAAS”. This opportunity exploitation is accompanied by two principle risks: The SAAS fails to produce ISMS that conform to ISO/IEC 27001. The SAAS is insecure. If any of these risks is not an an IS risk, it would be discounted from further consideration at this point. However, both are IS risks. Treatment is straightforward: Gain experience of using the SAAS in the consultancy’s own ISMS and its client’s ISMS. Gain confidence in SAAS security through testing and live operations. These two treatment plans give rise, respectively to two IS objectives. Use the SAAS to establish consultancy’s own ISMS. Assure SAAS security. Thus, we have determined two essential inputs to Clause 9.1. Determine what else you want to know The intent of Clause 9.1 is to determine the extent to which planned activities are realised and planned results are achieved. For the fulfilment of the first IS objective there are several relevant measures: progress of the ISMS build against its project plan fulfilment of planned risk assessments, internal audits and management reviews timely achievement of ISMS-relevant actions achievement of certification and for the second: client bug reports and incidents security anomaly reports and attempted attacks results of OWASP testing SAAS bugs and enhancements ICT performance measurements (for botnet detection). It should be evident from this list, that the measurements include the organisation’s IS processes and controls. Create measurement constructs ISO/IEC 27004 (Monitoring, measurement, analysis and evaluation) advocates the use of measurement constructs to detail the how, what, who and when for each measure. An example is shown in the diagram above and further information is given on our measurement page. Create a programme The measurement constructs specify when the measurements are to take place. Putting these together creates a measurement programme. Review, learn and update As the measurements progress, you will learn about your IS performance and ISMS effectiveness. Since business objectives are traditionally set on an annual basis, reformation of those objectives should herald a review and reformation of your measurement programme. Want to know more or need some help? David Brewer’s book “An introduction to ISO/IEC 27001:2022”, gives a detailed explanation of the whole of ISO/IEC 27001:2022.There is a detailed section on monitoring, measurement, analysis and evaluation. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25). IMS-Smart also provides ISMS consultancy and we can help you to better your measurement programmes and increase the value of your ISMS to your organisation. Use the facility to enquire. We will be pleased to assist.





This site does not use cookies, but if you logon to an IMS-Smart product you consent to that site setting authentication session cookies
© IMS-Smart Limited, 2022-23
Page last updated: May 22, 2023