During this module we will cover Clause 9, performance evaluation:
monitoring, measurement, analysis and evaluation.
During this lesson, we will cover the requirements regarding measurement and evaluation.
We'll also look at what needs to be established
and what the documented information for this clause would be.
So monitoring, measurement,
analysis and evaluation.
This is what Clause 9 is made up of,
and Clause 9 has three sub-clauses: 9.1
monitoring, measurement, analysis and evaluation,
9.2 internal audit, and 9.3 management review.
These clauses are quite important with regards to instilling the ISMS culture of continual improvement.
You can only improve on something when you know how it is performing,
and that's what this clause is all about.
To ensure that you have an effective monitoring process in place, your organization must decide what it needs to monitor,
who will perform the monitoring and how,
how often monitoring will be done,
who analyzes and evaluates the results and when,
as well as the methods used to ensure that the results from these processes will be valid and reproducible.
Because of how intricate and involved this process can become,
there is a whole guidance document dedicated to it:
ISO 27004.
So if you feel stuck in this process,
have a look at this document.
We'll cover some of the basics.
To decide on the types of measurements, it is often easier to define the information need first.
For example, you want to know how many end user devices have out-of-date virus signatures.
You can monitor and measure pretty much anything and everything,
so it helps to define what you will be monitoring.
It's even better if these monitoring activities are linked to the information security objectives and the ISMS processes,
so that the effectiveness and progress of these can be monitored and measured.
There are two main types of measurements that we can look at.
The first one is performance measurements.
These express the planned results in terms of the characteristics of the planned activities,
such as headcounts, milestone accomplishments,
or the degree to which information security controls have been put into place.
We then have effectiveness measurements.
These express the planned results in terms of the effect
that realization of the planned activities have on achieving the organization's information security objectives.
There are also two aspects of evaluation,
the first one being information security performance,
which determines how well processes within the ISMS are meeting their specifications.
We also then evaluate the effectiveness of the ISMS itself,
which includes determining the extent to which information security objectives are being achieved.
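The information-need example from earlier in this lesson (how many end user devices have out-of-date virus signatures) written up as a repeatable measurement that yields both a performance measure and an effectiveness indicator. This is an added example, not part of the lesson; the device inventory, the 30-day threshold, the 95% target and the reference date are constructed assumptions.

```python
"""Added example (not from the lesson): a reproducible Clause 9.1 measurement.

Information need: how many end user devices have out-of-date virus signatures.
Fixing the method, threshold and reference date means a rerun on the same
inventory export gives the same result (valid and reproducible).
"""
from dataclasses import dataclass
from datetime import date

# Constructed inventory: (hostname, date of last signature update). Not real data.
INVENTORY = [
    ("ws-001", date(2024, 5, 30)),
    ("ws-002", date(2024, 4, 1)),
    ("ws-003", date(2024, 5, 31)),
    ("ws-004", date(2024, 1, 15)),
    ("ws-005", date(2024, 5, 28)),
]
AS_OF = date(2024, 6, 1)      # reference date fixed so reruns agree (assumed)
MAX_SIGNATURE_AGE_DAYS = 30   # decision criterion for "out of date" (assumed)
TARGET_COVERAGE = 0.95        # objective: 95% of devices current (assumed)


@dataclass(frozen=True)
class Measurement:
    method: str           # how it was measured, recorded for repeatability
    as_of: date           # reference date used for the age calculation
    total: int            # base measure: devices in scope
    out_of_date: int      # base measure: devices over the age threshold
    current_ratio: float  # derived measure: share of devices that are current
    objective_met: bool   # effectiveness indicator against the objective


def measure_signature_currency(inventory, as_of=AS_OF,
                               max_age_days=MAX_SIGNATURE_AGE_DAYS,
                               target=TARGET_COVERAGE):
    """Performance measure: count devices whose signatures are older than
    max_age_days. Effectiveness measure: does the current-signature ratio
    meet the objective? Returns the record and the sorted stale hostnames."""
    stale = [host for host, last in inventory if (as_of - last).days > max_age_days]
    total = len(inventory)
    ratio = (total - len(stale)) / total if total else 0.0
    record = Measurement(
        method=f"signature date from inventory export, threshold {max_age_days} days",
        as_of=as_of, total=total, out_of_date=len(stale),
        current_ratio=round(ratio, 3), objective_met=ratio >= target,
    )
    return record, sorted(stale)


if __name__ == "__main__":
    result, stale_hosts = measure_signature_currency(INVENTORY)
    print(result, stale_hosts)
```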
So what do we need to establish to ensure that we have appropriate monitoring, evaluation and analysis in place?
Your organization needs to make the decision around monitoring and should consider these three points:
what needs to be monitored,
who will be doing the monitoring and how often this needs to be done,
and what methods are going to be used for monitoring
to ensure that valid and repeatable results are produced.
Another point to consider
is that once these three factors have been determined,
the audience that this information needs to be presented to must also be established.
Will all of the monitoring information be pulled into one overall report and presented to the key ISMS stakeholders and interested parties,
or will a copy be made securely available?
Will there be evidence to show the auditors that this information has been communicated and acted upon?
There is a lot to consider within each of the ISO 27001 clauses,
but things can be kept simple in the beginning.
As your ISMS grows and matures, there will invariably be more to look after and manage,
which shouldn't present an issue if the foundations you've implemented are solid.
9.1 is quite an important clause,
and having tangible evidence to show your auditors during your certification audit is pretty important.
These are just some examples of what can count as evidence in this regard.
Security metrics in various reports,
security metrics in various dashboards.
These can be dashboards on your existing security tooling,
such as SIEM, IPS and so forth,
existing presentations where metrics and the analysis thereof were presented to various stakeholders,
and proof that metrics are communicated and acted upon.
This can include emails,
attendance registers of meetings held to discuss the metrics,
meeting minutes of the above meetings which detail what was discussed, as well as the agreed upon actions,
emails from management congratulating teams on good performance,
and any action plans that have arisen.
In this lesson, we covered the requirements pertaining to measurement and evaluation in clause 9.1.
We looked at what should be established to support monitoring efforts.
We also examined the documented information required to support this clause.