Knowing your ISMS effectiveness and information security performance

  
  Want to know how to transition your ISMS from ISO/IEC 27001:2013 to ISO/IEC 27001:2022/Amd 1:2024 — read David Brewer’s new book
 

Measuring ISMS performance and effectiveness

There is a new edition of the ISMS standard (ISO/IEC 27001:2022/Amd 1:2024), and you are encouraged to start planning your transition now, if you already have an ISMS, or start using the new standard if not. Whilst there is very little change to the Information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001, is still risk assessment and the SOA, but that can easily be mastered.

Another challenging and perplexing aspect of ISO/IEC 27001, particularly for small organisations, is the requirement for monitoring, measurement, analysis and evaluation. Clause 9.1 of the new edition of ISO/IEC 27001 starts with the requirement to determine “what needs to be monitored and measured”, but how should this be done? Indeed, how, in practice, should one set about the fulfilment of this whole clause? Here is how to can fulfil these requirements with ease. You might also like to learn how you can optimise the rest of your ISMS, showcase and exploit your ISMS.

Book cover for An introduction to ISO/IEC 27001:2022/Amd 1:2024 by David Brewer

David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024”, gives a detailed explanation of the whole of ISO/IEC 27001:2022/Amd 1:2024.There is a detailed section on monitoring, measurement, analysis and evaluation. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

Derive IS objectives from business objectives

Diagram showing how information security objectives can be derived from business objectives

In ISO/IEC 27001:2022/Amd 1:2024 there is a link between clauses 6.2 and 9.1, as Clause 6.2 d) requires the IS objectives to be monitored. A principle of corporate governance is that the exploitation of opportunities to fulfil the business objectives encounters risks, which must be managed. The process is illustrated in the figure to the left of this text. As an example, a business objective of an ISMS consultancy is to make a profit. Its ability to produce quality software could be exploited to “increase productivity through self-developed SAAS”. This opportunity exploitation is accompanied by two principle risks:

  • The SAAS fails to produce ISMS that conform to ISO/IEC 27001.
  • The SAAS is insecure.

If any of these risks is not an an IS risk, it would be discounted from further consideration at this point. However, both are IS risks. Treatment is straightforward:

  • Gain experience of using the SAAS in the consultancy’s own ISMS and its client’s ISMS.
  • Gain confidence in SAAS security through testing and live operations.

These two treatment plans give rise, respectively to two IS objectives.

  • Use the SAAS to establish consultancy’s own ISMS.
  • Assure SAAS security.

Thus, we have determined two essential inputs to Clause 9.1.

Determine what else you want to know

The intent of Clause 9.1 is to determine the extent to which planned activities are realised and planned results are achieved. For the fulfilment of the first IS objective there are several relevant measures:

  • progress of the ISMS build against its project plan
  • fulfilment of planned risk assessments, internal audits and management reviews
  • timely achievement of ISMS-relevant actions
  • achievement of certification

and for the second:

  • client bug reports and incidents
  • security anomaly reports and attempted attacks
  • results of OWASP testing
  • SAAS bugs and enhancements
  • ICT performance measurements (for botnet detection).
Example measurement construct proforma (see ISO/IEC 27004)

It should be evident from this list, that the measurements include the organisation’s IS processes and controls.

Create measurement constructs

ISO/IEC 27004 (Monitoring, measurement, analysis and evaluation) advocates the use of measurement constructs to detail the how, what, who and when for each measure. An example is shown in the diagram above and further information is given on our measurement page.

Create a programme

The measurement constructs specify when the measurements are to take place. Putting these together creates a measurement programme.

Review, learn and update

As the measurements progress, you will learn about your IS performance and ISMS effectiveness. Since business objectives are traditionally set on an annual basis, reformation of those objectives should herald a review and reformation of your measurement programme.

Want to know more or need some help?

David Brewer’s book “An introduction to ISO/IEC 27001:2022/Amd 1:2024”, gives a detailed explanation of the whole of ISO/IEC 27001:2022/Amd 1:2024.There is a detailed section on monitoring, measurement, analysis and evaluation. It is available on Amazon in e-book (£36.00) and paperback formats (price £42.25).

IMS-Smart also provides ISMS consultancy and we can help you to better your measurement programmes and increase the value of your ISMS to your organisation. Use the facility to enquire. We will be pleased to assist.