ISO/IEC 27001 Clause 9: Performance Evaluation

Requirements of ISO/IEC 27001 Clause 9 “Performance Evaluation” require organizations to monitor, measure, analyze and evaluate its Information Security Management System.

Key Requirements:

• Determine what, how, when and by whom results will be measured and evaluated
• Determine the methods for obtaining, monitoring and reviewing customer satisfaction
• Have an objective, planned and effectively implemented internal audit program
• Top management is to review the ISMS at planned intervals

Clause 9.1: Monitoring, Measurement, Analysis and Evaluation

Clause 9.1 requires organizations to evaluate how the ISMS is performing and look at the effectiveness of the ISMS. The standard determines what data needs to be collected, how that data is collected and interpreted, and what results should be acted upon from a variety of inputs at various points in the quality management process. For organizations seeking certification, registrars (certification bodies) will be looking closely at the following:

• What the organization has decided to monitor and measure (including the processes and controls)
• How it ensures valid results in the measuring, monitoring, analysis and evaluation
• When that measurement, monitoring, evaluation and analysis takes place and who is responsible to perform these tasks
• How the results are implemented and used

Clause 9.2: Internal Audit

In order to confirm that the ISMS conforms to the ISO/IEC 27001:2022 standard, internal audits must be conducted at planned intervals. A formal internal audit program needs to be established which defines the methods used, scope and frequency as well as assigning responsibility to objective and impartial auditors. Overall the audits need to ensure that the ISMS conforms to the organization’s own requirements for the ISMS, and the requirements of the standard. The results of internal audits are used to make corrections and improvements (discussed further in Clause 10) to the ISMS.

Clause 9.3: Management Review

Clause 9.3 Management Review must be the responsibility of senior management. Data collected on the ISMS performance (i.e. customer input, internal audits, key quality performance indicators) and determination of any support, changes, or improvements must be reviewed and discussed by top management at planned intervals (usually annually and within an external audit surveillance period). Actions generated from the review must be recorded and implemented as they will be followed-up on during the next management review.

Please note that certain text from the ISO 27001 standard is only used for instructional purposes. Standard Stores recognizes and respects the International Organization for Standardization (ISO) copyright and intellectual property guidelines.