ISO IEC 270 01 20 1 3 TR ANSL ATED INTO PL AIN ENGLI SH 9.

EVALUATION R E Q U I R E M E N T S I N P L A I N E N G L I S H

9.1 MONITOR, MEASURE, ANALYZE, AND EVALUATE YOUR INFORMATION SECURITY

1

Figure out how youre going to assess the performance of your information security and determine the effectiveness of your ISMS. Figure out how youre going to monitor the performance of your organization`s information security and the effectiveness of its ISMS. Determine what needs to be monitored. Figure out which information security processes need to be monitored. Figure out which information security controls need to be monitored. Select your monitoring methods. Make sure that your monitoring methods are capable of producing valid results. Figure out how you`re going to ensure that your monitoring methods will produce results that are comparable and reproducible. Establish when monitoring should be performed. Decide who should carry out the monitoring. Maintain a record of your monitoring results. Control your monitoring records. Figure out how youre going to measure the performance of your organization`s information security and the effectiveness of its ISMS. Determine what needs to be measured. Figure out which information security processes need to be measured.

TODO

DONE

TODO

DONE

3 4

TODO

DONE

TODO

DONE

The purpose of information security is to protect and preserve information. Its central purpose is to protect and preserve the confidentiality, integrity, and availability of information. It may also involve protecting and preserving the authenticity and reliability of information and ensuring that entities can be held accountable. An ISMS (information security management system) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that organizations use to protect and preserve information and to manage and control information security risks. An ISMS is part of your larger management system.

TODO

DONE

6 7

TODO

DONE

TODO

DONE

TODO

DONE

9 10 11 12 13

TODO

DONE

TODO

DONE

TODO

DONE

These records are "documented information". Therefore they must be controlled (per 7.5.3).

TODO

DONE

TODO

DONE

14 15

TODO

DONE

TODO

DONE

ORGANIZATION: COMPLETED BY: REVIEWED BY: NOV 2013 PART 9

YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 56

ISO IEC 270 01 20 1 3 TR ANSL ATED INTO PL AIN ENGLI SH 9. EVALUATION R E Q U I R E M E N T S I N P L A I N E N G L I S H

16

Figure out which information security controls need to be measured. Select your measurement methods. Make sure that your measurement methods are capable of producing valid results. Figure out how you`re going to ensure that your measurement methods will produce results that are comparable and reproducible. Establish when measurements should be performed. Decide who should carry out measurements. Maintain a record of your measurement results. Control your measurement records. Figure out how youre going to analyze the performance of your organization`s information security and the effectiveness of its ISMS. Select your analytical methods. Make sure that your analytical methods are capable of producing valid results. Figure out how you`re going to ensure that your analytical methods will produce results that are comparable and reproducible. Decide when your monitoring and measurement results should be analyzed. Determine who should analyze your monitoring and measurement results. Figure out how youre going to evaluate the performance of your organization`s information security and the effectiveness of its ISMS.

TODO

DONE

17 18

TODO

DONE

TODO

DONE

19

TODO

DONE

20 21 22 23 24

TODO

DONE

TODO

DONE

TODO

DONE

These records are "documented information". Therefore they must be controlled (per 7.5.3).

TODO

DONE

TODO

DONE

25 26

TODO

DONE

TODO

DONE

27

TODO

DONE

28

TODO

DONE

29

TODO

DONE

30

TODO

DONE

ORGANIZATION: COMPLETED BY: REVIEWED BY: NOV 2013 PART 9

YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 57

ISO IEC 270 01 20 1 3 TR ANSL ATED INTO PL AIN ENGLI SH 9. EVALUATION R E Q U I R E M E N T S I N P L A I N E N G L I S H

31 32

Select your evaluation methods. Make sure that your evaluation methods are capable of producing valid results. Figure out how you`re going to ensure that your evaluation methods will produce results that are comparable and reproducible. Establish when your monitoring and measurement results should be evaluated. Decide who should evaluate your monitoring and measurement results. Assess the performance of your information security and determine the effectiveness of your ISMS. Monitor the performance of your organizations information security and the effectiveness of its ISMS. Measure the performance of your organizations information security and the effectiveness of its ISMS. Analyze the performance of your organizations information security and the effectiveness of its ISMS. Evaluate the performance of your organizations information security and the effectiveness of its ISMS.

TODO

DONE

TODO

DONE

33

TODO

DONE

34

TODO

DONE

35

TODO

DONE

36

TODO

DONE

37

TODO

DONE

38

TODO

DONE

39

TODO

DONE

40

TODO

DONE

9.2 SET UP AN INTERNAL AUDIT PROGRAM AND USE IT TO EVALUATE YOUR ISMS
41

Plan the development of an internal ISMS audit program for your organization. Make sure that your audit program is capable of determining whether or not your ISMS conforms to requirements. Make sure that your audit program is capable of determining whether or not your organization's ISMS conforms to its own ISMS requirements.

TODO

DONE

42

TODO

DONE

An audit is an evidence gathering process. Evidence is used to evaluate how well audit criteria are being met. Audits must be objective, impartial, and independent, and the audit process must be systematic and documented. Use the ISO 19011 2011 auditing standard to help establish your internal audit program. See http://www.praxiom.com/19011.htm

43

TODO

DONE

ORGANIZATION: COMPLETED BY: REVIEWED BY: NOV 2013 PART 9

YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 58

ISO IEC 270 01 20 1 3 TR ANSL ATED INTO PL AIN ENGLI SH 9. EVALUATION R E Q U I R E M E N T S I N P L A I N E N G L I S H

44

Make sure that your audit program is capable of determining whether or not your ISMS conforms to the ISO IEC 27001 2013 information security requirements. Make sure that your audit program is capable of determining whether or not your ISMS has been implemented effectively. Make sure that your program is capable of determining whether or not your ISMS is being properly maintained. Establish your internal ISMS audit program. Establish your internal audit methods. Establish internal audit responsibilities. Establish internal audit planning requirements. Make sure that each internal audit studies the results of previous audits. Make sure that each internal audit considers the importance of the processes being audited. Make sure that each internal audit preserves the objectivity and impartiality of the audit process. Establish your internal audit schedules. Specify how often internal audits should be done. Conduct internal audits at planned intervals. Consider the results of previous audits when you schedule your organization's internal audits. Establish internal audit reporting requirements. Make sure that internal audit results are reported to the appropriate members of management.

TODO

DONE

45

TODO

DONE

46

TODO

DONE

47 48 49 50 51

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

52

TODO

DONE

53

TODO

DONE

54 55 56 57

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

58 59

TODO

DONE

TODO

DONE

ORGANIZATION: COMPLETED BY: REVIEWED BY: NOV 2013 PART 9

YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 59

ISO IEC 270 01 20 1 3 TR ANSL ATED INTO PL AIN ENGLI SH 9. EVALUATION R E Q U I R E M E N T S I N P L A I N E N G L I S H

60 61 62 63 64 65 66 67

Implement your internal ISMS audit program. Define the scope for each internal audit. Specify audit criteria for each internal audit. Select impartial and objective internal auditors. Carry out regular internal information security audits. Report your internal audit results to management. Maintain your internal ISMS audit program. Maintain documents that can prove that you've implemented your internal ISMS audit program. Maintain a record of internal audit implementation. Control records that show audits are being done. Maintain a record of internal audit results. Control your record of internal audit results.

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

68 69 70 71

TODO

DONE

These records are "documented information". Therefore they must be controlled (per 7.5.3).

TODO

DONE

TODO

DONE

These records are "documented information". Therefore they must be controlled (per 7.5.3).

TODO

DONE

9.3 REVIEW PERFORMANCE OF YOUR ORGANIZATION'S ISMS AT PLANNED INTERVALS

72 73 74 75 76 77 78 79

Establish a management review process. Use reviews to ensure that your ISMS is still suitable. Use reviews to ensure that your ISMS is still adequate. Use reviews to ensure that your ISMS is still effective. Plan your organizations ISMS review process. Schedule ISMS reviews at planned intervals. Review the performance of your ISMS. Review your risk assessment results.

TODO

DONE

TODO

DONE

TODO

DONE

A review is an activity. Its purpose is to figure out how well the thing being reviewed is capable of achieving established objectives. Reviews ask the following question: is the subject of the review a suitable, adequate, effective, and efficient way of achieving your organizations objectives?

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

ORGANIZATION: COMPLETED BY: REVIEWED BY: NOV 2013 PART 9

YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 60

ISO IEC 270 01 20 1 3 TR ANSL ATED INTO PL AIN ENGLI SH 9. EVALUATION R E Q U I R E M E N T S I N P L A I N E N G L I S H

80 81

Review that status of risk treatment plans. Review the status of actions that were taken after previous management reviews. Review security performance feedback. Review information security objectives and achievements. Review monitoring and measurement results, evaluations, and analyses. Review previous nonconformities and the corrective actions that were taken. Review information security audit results. Review information security performance trends. Review feedback from interested parties. Review continual improvement opportunities. Generate management review outputs. Make decisions which take advantage of continual improvement opportunities or which address the need to change your organizations ISMS. Retain a record of management review results. Use your records to prove that reviews were actually carried out and results were achieved. Control your management review records.

TODO

DONE

TODO

DONE

82 83

TODO

DONE

TODO

DONE

84

TODO

DONE

85

TODO

DONE

86 87 88 89 90 91

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

TODO

DONE

92 93

TODO

DONE

TODO

DONE

These records are "documented information". Therefore they must be controlled (per 7.5.3).

94

TODO

DONE

Consider each task and select a response. If you havent done it, select TODO. If youve already done it, select DONE. In the spaces below, enter the name and location of your organization, who completed this section, who reviewed it, and the dates.

ORGANIZATION: COMPLETED BY: REVIEWED BY: NOV 2013 PART 9

YOUR LOCATION: DATE COMPLETED: DATE REVIEWED: PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT STANDARD COPYRIGHT 2013 BY PRAXIOM RESEARCH GROUP LIMITED. ALL RIGHTS RESERVED. EDITION 1.0 PAGE 61