Monitoring, Measurement, Analysis and Evaluation

00:02

module seven

00:04

During this module will cover Clause nine performance evaluation.

00:11

Listen 7.1

00:13

monitoring, measurement, analysis and evaluation.

00:20

During this lesson, we will cover the requirements regarding measurement and evaluation.

00:26

We'll also look at what needs to be established

00:30

and what the documented information for this clause would be.

00:40

So monitoring, measurement,

00:42

analysis and evaluation.

00:46

This is what Clause nine is made up of

00:49

and close nine has three sub clauses being 9.1

00:53

monitoring, measurement, analysis and evaluation,

00:57

9.2 internal orders

01:00

and 9.3 management review.

01:03

These clauses are quite important with regards to instilling the isthmus culture off continual improvement.

01:10

You can only improve on something when you know how it is performing,

01:12

and that's what this is. This close is all about

01:17

to ensure that you have an effective monitoring process in place. Your organization must decide what it needs to monitor

01:23

who and how monitoring will be performed,

01:26

how often monitoring will be done,

01:29

who and when results are analyzed and evaluated,

01:34

as well as the methods used to ensure that the results from these processes will be valid and reproducible

01:42

because of how intricate and involved this process can become.

01:45

There is a whole guidance document dedicated to it.

01:49

I sold 27,000 and four.

01:52

So if you feel stuck in this process,

01:55

have a look at this document.

01:57

We'll cover some of the basics

01:59

to decide on the types of measurements. It is often easier to define the information need.

02:05

For example,

02:06

you want to know how many end user devices have out of date virus signatures.

02:13

You can monitor and measure pretty much anything and everything,

02:15

so it helps to define what you will be monitoring.

02:20

It's even better if he's monitoring Activities are linked to the information security objectives and the icy mess processes,

02:28

so that the effectiveness and progress of these can be monitored and measured.

02:32

There are two main types off measurements that we can look at.

02:37

The first one is performance measurements.

02:39

Thes expressed the planned results in terms of the characteristics of the planned activities,

02:46

such as headcounts, milestone accomplishments,

02:49

all the degree to which information security controls have been put into place.

02:54

We then have effectiveness measurements.

02:58

These express the planned results in terms of the effect

03:01

that realization of the planned activities have on achieving the organization's information security objectives.

03:13

There are also two aspect of evaluation,

03:16

the first one being information security performance,

03:21

which determines how well processes within the SMEs are meeting their specifications.

03:27

We also then evaluate the effectiveness of the ice mess itself,

03:30

which includes determining the extent to which information security objectives are being achieved.

03:43

So what do we need to establish to ensure that we have appropriate monitoring, evaluation and analysis in place?

03:52

Your organization needs to make the decision around monitoring and should consider these three points

03:58

what needs to be monitored,

04:00

who will be doing the monitoring and how often does this need to be done?

04:06

What methods are going to be used for monitoring

04:10

to ensure that valid and repeatable results are produced?

04:15

Another point to consider

04:16

is once these three factors have been determined,

04:19

the audience that this information needs to be presented to must also be established

04:26

Well. All of the monitoring information be pulled into one overall report and presented to the key ice mess stakeholders and interested parties,

04:34

or will a copy be made securely available?

04:38

Will there be evidence to show the auditors that this information has been communicated and acted upon?

04:45

There is a lot to consider within each of the eye. So 27,001 closes.

04:50

But things can be kept simple in the beginning.

04:54

But as your eyes miss grows and matures, there will invariably be more to look after and manage,

05:00

which shouldn't present an issue. If the foundations you've implemented are solid,

05:13

so again,

05:15

9.1 is quite an important close,

05:17

and having tangible evidence to show your auditors during your certification audit is pretty important.

05:24

These are just some examples of what can count as evidence in this regard.

05:29

Security metrics in various reports,

05:32

security metrics in various dashboards.

05:35

These can be dashboards on your existing security

05:39

technologies.

05:41

Such a seem i ps and so forth

05:45

existing presentations where metrics and analysis thereof were presented to various stakeholders

05:53

and proved that metrics are communicated and acted upon.

05:57

This can include emails,

05:59

memos,

06:00

attendance, registers off meetings to discuss the metrics,

06:04

meeting minutes of the above meetings which detailed what was discussed, as well as the agreed upon actions,

06:12

emails from management, congratulating teams on good performance

06:15

and any action plans that have arised

06:25

to recap.

06:27

In this lesson, we covered the requirements pertaining to measurement and evaluation or clause 9.1,

06:34

we looked at what should be established to support monitoring efforts.