ISO 27001:2022 Clause 9 Performance evaluation

This clause is all about monitoring, measuring, analyzing, and evaluating your ISMS to ensure that it is effective and remains so. This clause helps organizations to continually assess how they are performing in relation to the objectives of the standard to continually improve. You will need to consider what information you need to evaluate the information security effectiveness, the methods employed, and when it should be analyzed and reported. Internal audits will need to be carried out as well as management reviews. Both of these must be performed at planned intervals and the findings will need to be retained as documented information. It should be noted that management reviews are also an opportunity to identify areas for improvement.

This clause of the standard provides the requirements for the assessment of the performance of the ISMS. It includes the requirements for:

9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review

ISO 27001 does not require you to measure everything. An organization must determine the following:
a) what needs to be monitored and measured, including processes and controls;
b) the methods for monitoring, measurement, analysis, and evaluation, to ensure valid results;
c) when the monitoring will happen;
d) who shall perform the activity;
e) when the results will be analyzed; and
f) who shall do this.

Clause 9.2 of the standard specifies the requirements for the ISMS internal audit. Key considerations are:

  • They occur at planned intervals;
  • The auditor selected must be objective and impartial. In practice, this means the ISMS cannot be audited by persons involved in its implementation or operation.

ISMS internal audits must be conducted to determine the status of the system. The organization needs to plan audits, taking into account the most important aspects of the business, then conduct them using competent staff. A single ISMS audit does not need to cover all elements of the ISMS. Instead, an ISMS audit program is produced which may contain a number of audits, and the audit program as a whole must ensure that all elements of the system are reviewed.

Clause 9.3 addresses the need for a Management Review. This occurs at planned intervals, generally after the completion of the ISMS internal audit. The standard explicitly defines the minimum inputs into the Management Review. These include:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:

1. nonconformities and corrective actions;
2. monitoring and measurement results;
3. audit results; and
4. fulfilment of information security objectives;

d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plans; and
f) opportunities for continual improvement.

Outputs include recommendations for improvements and any identified changes to the ISMS. These reviews by management are conducted for the purposes of ensuring the ISMS is operating as expected. These reviews are often performed by the governance forum of the ISMS.

9.1 Monitoring, measurement, analysis and evaluation

The organization must determine what needs to be monitored and measured, including information security processes and controls. It must also determine the methods for monitoring, measurement, analysis, and evaluation, as applicable, to ensure valid results. To be considered valid, the methods selected should produce comparable and reproducible results. The organization must determine when the monitoring and measuring should be performed, who shall monitor and measure, when the results from monitoring and measurement shall be analyzed and evaluated, and who will analyze and evaluate these results. The organization must retain appropriate documented information as evidence of the monitoring and measurement results. The organization must evaluate the performance of information security and the effectiveness of the information security management system.

The organization not only has to establish and evaluate performance metrics regarding the effectiveness and efficiency of the processes, procedures, and functions that protect information, but should also consider metrics for ISMS performance itself: compliance with the standard, preventive actions in response to adverse trends, and the degree to which the information security policy, objectives, and goals are being achieved. The methods established should take into consideration what needs to be monitored and measured, how to ensure the accuracy of results, and at what frequency to perform the monitoring, measurement, analysis, and evaluation of ISMS data and results. Performance results should also be properly retained, both as evidence of compliance and as a source to facilitate subsequent corrective actions.

Your organization will need to decide what needs to be monitored to be assured that your ISMS processes and information security controls are operating as intended. It is impractical for an organization to monitor everything all the time; if you attempt to do so, the volume of data is likely to be so great that it would be virtually impossible to use it effectively. Therefore, in practice, you will need to make an informed decision about what to monitor. The following considerations will be important:

  • Which processes and activities are subject to the most frequent and significant threats?
  • Which processes and activities have the most significant inherent vulnerabilities?
  • What is practical to monitor and generate meaningful and timely information from?
  • For each monitoring process you put in place to be effective, you must clearly define:
    • how the monitoring is undertaken (e.g. is this defined in a procedure);
    • when it is undertaken;
    • who is responsible for undertaking it;
    • how the results are reported, when and to whom, and what the recipients do with them; and
    • if the monitoring results identify unacceptable performance, what the escalation process or procedure is to deal with this situation.

To demonstrate to an auditor that you have appropriate monitoring processes in place, you will need to retain records of monitoring results, analysis, evaluation reviews, and any escalation activities.

There are several ways of monitoring an ISMS. Measuring the effectiveness of the various components of the ISMS is one of the key mechanisms to assess its performance and drive improvements. ISO 27001 does not require you to measure everything. It is up to the organization to determine which metrics are important and how they will be collected and presented. Measurements can include specific measures of control effectiveness, expressed as a bounded range, a trending measure, or an absolute value. Again, it is the organization’s choice. A purely qualitative assessment of control effectiveness (e.g. marginal, strong, etc.) does not in itself provide enough detail to drive improvements. More mature management systems tend to have more metrics available than systems in the early days of operation. An annual Security Calendar assists in ensuring timely collection and reporting of metrics.

Agencies should not try to “reinvent the wheel”. Most agencies already accumulate some data or information about information security and how certain controls are functioning. This is a good place to start. The measurement regime should then be expanded based on the importance or relevance of the control or system component being measured: the more important or sensitive the control area, the more focus should be applied to defining an appropriate metric. One strategy commonly used is to select controls based on the types or levels of risk they mitigate; the more risks a control mitigates, the more likely it is that the control is important and should be measured. Another approach is to measure the effectiveness of the controls managing the higher-rated risks. Again, the choice is with the organization. Remember that the Internal Audit and Management Review are also both improvement vehicles.
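As an added example (not code from the original post or from the standard), the following Python evaluates metrics of the three kinds named above (bounded range, trend, absolute value) against constructed monitoring results, flags unacceptable performance for the escalation procedure, and builds the record that would be retained as documented information. The metric names, owners, frequencies and result series are all assumptions made up for the example.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Metric:
    name: str
    kind: str              # "range", "absolute" or "trend"
    owner: str             # who monitors and measures
    frequency: str         # when the measurement is taken
    low: float = 0.0       # accepted band, "range" only
    high: float = 100.0
    target: float = 0.0    # required value, "absolute" only
    max_rise: float = 0.0  # tolerated rise over the prior average, "trend" only

def evaluate(metric, series):
    """Return (acceptable, reason) for the latest value of an ordered result series."""
    latest = series[-1]
    if metric.kind == "range":
        ok = metric.low <= latest <= metric.high
        return ok, f"{latest} {'within' if ok else 'outside'} [{metric.low}, {metric.high}]"
    if metric.kind == "absolute":
        ok = latest == metric.target
        return ok, f"{latest} {'meets' if ok else 'misses'} target {metric.target}"
    if metric.kind == "trend":
        if len(series) < 2:  # no history yet, so there is no trend to judge
            return True, "insufficient history"
        baseline = mean(series[:-1])
        rise = latest - baseline
        ok = rise <= metric.max_rise
        return ok, f"rise of {rise:.1f} over prior average {baseline:.1f} (tolerated {metric.max_rise})"
    raise ValueError(f"unknown metric kind {metric.kind!r}")

def review(metrics, results, period):
    """Evaluate every metric for one reporting period; the returned list is the record to retain."""
    record = []
    for m in metrics:
        ok, reason = evaluate(m, results[m.name])
        record.append({"period": period, "metric": m.name, "owner": m.owner,
                       "frequency": m.frequency, "result": results[m.name][-1],
                       "acceptable": ok, "reason": reason, "escalate": not ok})
    return record

def to_escalate(record):
    """Metrics showing unacceptable performance, to be handed to the escalation procedure."""
    return [r["metric"] for r in record if r["escalate"]]

# Constructed sample metrics and monitoring results (illustrative, not real data).
METRICS = [
    Metric("patch_sla_pct", "range", "IT Operations", "monthly", low=95.0),
    Metric("priv_accounts_without_mfa", "absolute", "IAM team", "weekly", target=0),
    Metric("phishing_click_rate_pct", "trend", "Awareness lead", "quarterly", max_rise=2.0),
]
RESULTS = {
    "patch_sla_pct": [97.0, 96.5, 93.0],
    "priv_accounts_without_mfa": [2, 0, 0],
    "phishing_click_rate_pct": [4.0, 4.5, 5.0, 9.0],
}

if __name__ == "__main__":
    for row in review(METRICS, RESULTS, "2024-01"):
        print(row)
```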

9.2 Internal audit

The organization must conduct internal audits at planned intervals to provide information on whether the information security management system conforms to the requirements of the ISO 27001 standard and to the organization’s own requirements for its information security management system, and whether it is effectively implemented and maintained. The organization must plan, establish, implement and maintain an audit program, including the frequency, methods, responsibilities, planning requirements, and reporting. The audit program must take into consideration the importance of the processes concerned and the results of previous audits. It must define the audit criteria and scope for each audit. It must select auditors and conduct audits in a way that ensures the objectivity and impartiality of the audit process. It must ensure that the results of the audits are reported to relevant management. The organization must retain records of the audit program and the audit results as evidence.

Internal audits should be performed at planned intervals, considering the relevance of the processes and the results of previous audits, to ensure effective implementation and maintenance, as well as compliance with the standard’s requirements and any requirements defined by the organization itself. The criteria and scope of each audit must be defined.

Auditors should be independent and have no conflict of interest over the audit subject. Auditors must also report the audit results to relevant management and ensure that nonconformities are brought to the responsible managers, who in turn must ensure that any corrective measures needed are implemented in a timely manner. Finally, the auditor must also verify the effectiveness of the corrective actions taken. The purpose of internal audits is to test your ISMS processes for weaknesses and identify opportunities for improvement. They are also an opportunity to provide a reality check to Top Management on how well the ISMS is performing. When done well, internal audits ensure that there are no surprises at your external audits. The internal audits you perform should check:

  • how consistently processes, procedures, and controls are followed and applied;
  • how successful your processes, procedures, and controls are at generating the intended results; and
  • whether your ISMS remains compliant with ISO 27001 and the requirements of interested parties.

To ensure that audits are undertaken to a high standard and in a way that is seen to add value, they need to be undertaken by individuals who:

  • are respected;
  • are competent;
  • understand the requirements of ISO 27001; and
  • can quickly interpret your documentation and are well-practised in sound auditing techniques and behaviours.

Most importantly, they need to be allocated sufficient time to do the audit and be assured of cooperation from relevant employees. You must maintain a plan for carrying out your internal audits. An external auditor will expect this plan to ensure that all of your ISMS processes are audited over a three-year cycle, and that processes which:

  • have shown evidence of poor performance (i.e. through previous audits, monitoring results or information security incidents); and/or
  • manage the most significant information security risks

are audited at a higher frequency.

The external auditor will also expect that any actions identified from audits are recorded, reviewed by appropriate employees, and implemented in a timely manner to rectify any significant issues. The auditor should make an allowance in the close-out time for any improvement opportunities identified that require significant investment in resources.

The objective of an ISMS internal audit is twofold. First, it seeks to assess the conformance of the ISMS with the requirements of the standard, the organization’s own policies and procedures, and the legal and regulatory environment under which the organization operates. The outcome of this element of the audit includes statements of conformance and nonconformance with those criteria. The second objective is the opportunity to identify improvements to the ISMS.

Internal audits are conducted under the banner of the ISMS audit program. This program tends to span a period of several years and outlines the scope of each of the planned audits within it. Audits need to occur at planned intervals; this does not mean regular intervals. The audit program must address all mandatory clauses and all controls specified within the SoA, while each individual ISMS audit may focus only on certain clauses and control domains. The auditor for each of these audits cannot audit outside the scope of that specific audit without approval.

The focus of any ISMS audit is on the system and NOT on the people. If any weaknesses in resources are identified, they must always be related back to a system weakness: mistakes introduced because of a lack of awareness of responsibilities, a competency gap, or poor supporting policies and procedures. These are the deficiencies that need to be addressed. An ISMS audit is more than a control assessment; the management system is key. Failure of controls usually means a failure in one of the core ISMS components, and fixing the underlying issue will generally address the control failures.
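The three-year cycle and the multi-year audit program described above can be checked mechanically. As an added example (not code from the original post or from any standard), the following Python counts how often each mandatory clause and SoA control is in scope within a cycle, then reports elements never audited and priority elements (significant risk or poor past performance) not audited more often than the baseline. The program, the subset of clause and Annex A control identifiers, and the priority list are constructed assumptions for the example.

```python
from collections import Counter

CYCLE_YEARS = 3

# Constructed sample data (illustrative only). Identifiers follow the clause and
# Annex A numbering of ISO 27001:2022 but are a small subset, not the full list.
MANDATORY_CLAUSES = {"4", "5", "6", "7", "8", "9", "10"}
SOA_CONTROLS = {"A.5.1", "A.5.15", "A.6.3", "A.8.7", "A.8.8", "A.8.24"}
# Elements that manage significant risk or showed poor performance previously,
# so the program should visit them more than once per cycle (constructed).
PRIORITY = {"A.8.8", "A.5.15", "9", "A.8.24"}

# The audit program: each planned audit has an ISO date and a scope.
PROGRAM = [
    {"date": "2023-03-01", "scope": {"4", "5", "6", "A.5.1", "A.5.15"}},
    {"date": "2023-10-01", "scope": {"7", "8", "A.8.7", "A.8.8"}},
    {"date": "2024-04-01", "scope": {"9", "10", "A.8.24", "A.5.15"}},
    {"date": "2025-02-01", "scope": {"A.8.8", "9", "A.5.1"}},
    {"date": "2026-03-01", "scope": {"A.6.3", "4"}},  # outside the first cycle
]

def cycle_end(cycle_start):
    """ISO date CYCLE_YEARS after cycle_start (YYYY-MM-DD strings sort chronologically)."""
    return f"{int(cycle_start[:4]) + CYCLE_YEARS}{cycle_start[4:]}"

def coverage(program, cycle_start):
    """Count how often each element is in scope for audits dated within the cycle."""
    end = cycle_end(cycle_start)
    counts = Counter()
    for audit in program:
        if cycle_start <= audit["date"] < end:
            counts.update(audit["scope"])
    return counts

def check_program(program, cycle_start, mandatory, controls, priority, min_priority_visits=2):
    """Findings an external auditor would raise: required elements never audited in
    the cycle, and priority elements not audited more often than the baseline."""
    counts = coverage(program, cycle_start)
    uncovered = sorted(e for e in mandatory | controls if counts[e] == 0)
    not_raised = sorted(e for e in priority if counts[e] < min_priority_visits)
    return {"uncovered": uncovered, "priority_not_raised": not_raised}

if __name__ == "__main__":
    print(check_program(PROGRAM, "2023-01-01", MANDATORY_CLAUSES, SOA_CONTROLS, PRIORITY))
```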

As with all roles within the ISMS, ISMS Auditors need to be competent and have the necessary skills to conduct an ISMS audit. Whilst the general ICT auditor has the necessary skills to audit the control elements, it is important that the auditor has sufficient skills to audit the management system components. ISMS auditors add value to the ISMS.

ISMS Internal Auditors must:

  • be competent to audit the management system;
  • be non-judgmental and objective;
  • audit against ISO 27001, not their own opinions;
  • be able to provide an objective assessment of ISMS effectiveness, focusing on the system, not the people;
  • be able to report fairly and without bias; and
  • be selected so as to ensure impartial and objective results.

Some of the personal attributes of good ISMS auditors are:

  • ethical, fair and truthful;
  • objective, auditing against the criteria (ISO 27001) rather than their own opinion;
  • diplomatic;
  • observant;
  • culturally sensitive;
  • collaborative.

An ISMS audit should not be adversarial.

9.3 Management review

Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review must take into consideration the status of actions from previous management reviews; changes in external and internal issues relevant to the ISMS; feedback from interested parties; opportunities for continual improvement; and the results of risk assessment and the status of the risk treatment plan. The review inputs must also include feedback on the information security performance, including trends in nonconformities and corrective actions, monitoring and measurement results, audit results, and fulfilment of information security objectives.
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.

The management review exists so that the ISMS can be kept continuously suitable, adequate, and effective in supporting information security. It must be performed at planned intervals, in a strategic manner, and at top management level, covering the required aspects all at once or in parts, in whatever way best suits business needs. The status of actions defined in previous reviews, significant internal and external factors that may impact the ISMS, information security performance, and opportunities for improvement should be reviewed by top management, so that relevant adjustments and improvements can be implemented. The management review is the function most relevant to the continuity of an ISMS, because of top management’s direct involvement, and all details and data from the management review must be documented and recorded so that the ISMS can follow the specific requirements and general strategic direction for the organization set out there.

Management Review is an essential element of an ISMS. It is the formal point at which Top Management reviews the effectiveness of the ISMS and ensures its alignment with the organization’s strategic direction. Management Reviews must take place at planned intervals, and the overall review program (i.e. one meeting or several meetings) must at a minimum cover the list of core areas specified within clause 9.3 of the standard. It is not essential for one single Management Review meeting to take place covering the full agenda. If you currently hold a range of meetings that between them cover the inputs, there is no specific need to duplicate them.

You will need to retain documented information on your Management Reviews. These would normally be minutes of meetings, or perhaps call recordings if you carry out conference calls. These do not need to be extensive notes, but they must contain a record of any decisions made and actions agreed, ideally with responsibilities and timescales. If you decide to adapt your existing schedule of management meetings and these meetings cover a number of areas, you may want to consider summarizing the areas that these meetings cover in the form of a table or procedure, so that it is clear to you and to an auditor which meetings cover each of the required review areas.

The objective of the Management Review is to assess the performance of the ISMS, taking into account a number of inputs, and to determine any necessary changes or improvements to the system. Management Reviews are conducted at planned intervals and are performed by senior management. Generally, this is the ISMS governance forum. Management Reviews must consider the following mandatory inputs as defined by ISO 27001:

  • the status of actions from previous management reviews;
  • changes in external and internal issues that are relevant to the information security management system;
  • feedback on the information security performance, including trends in:
    1. nonconformities and corrective actions;
    2. monitoring and measurement results;
    3. audit results; and
    4. fulfilment of information security objectives;
  • feedback from interested parties;
  • results of risk assessment and status of the risk treatment plan; and
  • opportunities for continual improvement.
