Monitoring, measurement, analysis and evaluation of the ISMS is a requirement of ISO 27001:2013 that many organisations become stuck on. The standard requires the organisation to measure ISMS processes to ensure their effectiveness in managing security.
But how would an organisation go about measuring ISO 27001 ISMS processes? What should be measured? How can this be used to improve the system? And what evidence will auditors be looking for to demonstrate this?
Let’s begin by examining what the standard says about measuring ISO 27001 ISMS processes.
Essentially, ISO 27001:2013 requires the organisation to determine the following:
- What needs to be monitored and measured;
- The methods for monitoring and measurement;
- When the monitoring and measurement shall be undertaken; and
- Who shall undertake the monitoring and measurement, and who shall analyse and evaluate the results.
This is essentially the what, how, when and who of measuring ISO 27001 ISMS processes. The organisation should first determine which measurements can be monitored to provide valuable feedback on how the system is performing. At a control level, these measurements can be easily defined.
For example, the organisation may wish to monitor security incident levels and the effect of controls on these, or the number of open/closed vulnerabilities and whether the control is supporting effective remediation of these.
The measurements described above can be thought of as Key Performance Indicators, or KPIs, for controls. These are separate from how the system itself is performing, although the two are inter-related. Clause 9.1 is concerned with measuring ISO 27001 ISMS processes to ensure the system is operating effectively, in a similar way to controls.
Examples of these system-based KPIs may include the following:
- Number of business strategic goals supported by information security goals
- Percentage of business services covered by the risk assessment process
- Number of new threats and vulnerabilities compared to previous risk assessments
- Number of security roles and responsibilities defined compared to before the ISMS was established
- Number of non-compliance issues compared to before the ISMS was implemented.
The above are provided only as examples, but they give a good indication as to whether or not the ISMS is operating successfully. These should of course be aligned to business objectives.
For example, the organisation may define an objective that all compliance requirements will be managed on a continuous cycle. By monitoring the number of compliance issues the organisation can gauge whether the ISMS is performing effectively to manage compliance. This is a perfect example of measuring ISO 27001 ISMS processes.
So, now that we have defined what measurements are for the ISMS and what they may look like, how do we identify them? Let’s look at our five-step guide to measuring ISO 27001 ISMS processes.
1. Define and align business and security objectives
This relates to our previous post on information security objectives in ISO 27001, where we described the benefits of aligning tactical requirements with the overall business strategy. If this stage is performed correctly, then measurements should fall out of that process.
The simple example below may help to highlight this further:
- Strategic Objective: “To ensure our organisation remains compliant with all legal and regulatory requirements”
- Tactical Objective: “Maintain 100% compliance at all times with all compliance requirements”
- Measurement/KPI: “Number of non-compliances left unmanaged pre- and post-ISMS implementation”
The above is obviously a very simple example, and in reality the strategic and tactical objectives will not be as similar, but it demonstrates how measurements can help to show that an ISMS is working as planned.
2. Ensure measurements provide a realistic view of the system
ISO 27001:2013 does not provide guidance on how measurements should be selected; this is left to the discretion of the business. However, measurements must provide tangible results that can be used to improve the system.
Some organisations may be tempted to select very basic measurements that will show the ISMS in a good light, but this defeats the purpose of the process. It is much better to define measurements that will show where the system is not performing well, to aid improvement, than to be selective in order to show the ISMS in a good light. Remember the PDCA lifecycle!
3. Ensure measurements can be collected and analysed easily
As reviewing measurements will be only one of a number of tasks for the ISMS owner, measurements should be relatively easy to track, obtain and analyse. The more metrics that can be tracked automatically, the better!
4. Ensure KPI owners are defined
Ensuring KPI owners are aware of their responsibilities and of their importance to the system is key. While it may look like another tick-box exercise, the metrics provide real, tangible evidence that the system is performing effectively, and can be used to demonstrate ROI to management! Therefore, responsibilities must be defined for who is going to collect measurements, how often and by what means.
5. Document, Document, Document
It is a mandatory requirement that these measurements are documented, so draw up a measurement plan and get it signed off by management. This enables the organisation to clearly understand measurement requirements, timeframes and owners. The plan can also be updated as new metrics are identified, and enables management to see how the ISMS is performing. Ensure the document is version controlled, owned and periodically reviewed for relevance.
So there we have it: our thoughts on measuring ISO 27001 ISMS processes in accordance with ISO 27001:2013. The key point to remember is that the system itself must be measured, not just the controls, which is where organisations often prefer to focus.