ISO 27001 is a widely recognized international standard that provides a framework for managing information security risks. One of the key requirements of ISO 27001 is to implement a monitoring, measurement, analysis and evaluation (MMAE) program.
The MMAE program helps organisations to ensure that their information security controls are effective and that their information security risks are being managed appropriately.
What is ISO 27001 9.1 Monitoring, Measurement, Analysis and Evaluation?
ISO 27001 clause 9.1 (MMAE) is a process for monitoring, measuring, analysing and evaluating the performance of an organisation's information security management system (ISMS). It involves the following steps:
- Monitoring: Collecting data on the performance of the ISMS and its controls.
- Measurement: Quantifying the data collected in step 1.
- Analysis: Interpreting the data collected in step 2 to identify trends and patterns.
- Evaluation: Assessing the effectiveness of the ISMS and its controls based on the analysis performed in step 3.
What needs to be monitored and measured under ISO 27001?
The following items need to be monitored and measured to evaluate the performance of an ISMS in accordance with ISO 27001 9.1:
- Information security performance: This includes monitoring and measuring the effectiveness of the ISMS in protecting the organisation's information assets. Examples of information security performance metrics include:
  - Number of information security incidents
  - Time to detect and respond to information security incidents
  - Cost of information security incidents
  - Compliance with information security regulations and standards
- ISMS effectiveness: This includes monitoring and measuring the effectiveness of the ISMS itself. Examples of ISMS effectiveness metrics include:
  - Percentage of information security controls that are implemented and effective
  - Percentage of ISMS processes that are completed on time and to budget
  - Level of employee satisfaction with the ISMS
The specific items that need to be monitored and measured will vary depending on the organisation's size, industry, and risk profile; however, all organisations should monitor and measure the items listed above to ensure the effectiveness of their ISMS.
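The following is an added worked example, not text from the standard or from this article, showing how the four MMAE steps above can be applied to the incident and control metrics just listed. The incident records, the control test results, the previous-period figures and the target thresholds are all constructed for the illustration; a real ISMS defines its own targets and feeds these functions from its ticketing and control-testing records.

```python
"""Worked example of the four ISO 27001 9.1 steps (monitor, measure,
analyse, evaluate) over constructed incident and control data.
All records, previous-period figures and thresholds are invented
for the illustration."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    incident_id: str
    occurred: datetime   # when the event actually happened
    detected: datetime   # when the organisation noticed it
    resolved: datetime   # when the response was completed
    cost: float          # constructed cost figure, currency-agnostic


@dataclass(frozen=True)
class Control:
    control_id: str
    implemented: bool
    effective: bool      # outcome of the most recent control test


# Constructed sample records for the current reporting period.
INCIDENTS = [
    Incident("INC-1", datetime(2024, 3, 1, 8), datetime(2024, 3, 1, 20),
             datetime(2024, 3, 3, 20), 5000.0),
    Incident("INC-2", datetime(2024, 3, 10, 0), datetime(2024, 3, 12, 0),
             datetime(2024, 3, 13, 12), 20000.0),
]
CONTROLS = [
    Control("A.5.15", True, True), Control("A.8.7", True, True),
    Control("A.8.16", True, True), Control("A.8.24", True, True),
    Control("A.8.28", False, False),   # not yet implemented
]
# Constructed metrics from the previous period, used for trend analysis.
PREVIOUS_PERIOD = {
    "incident_count": 3, "mean_time_to_detect_h": 20.0,
    "mean_time_to_respond_h": 50.0, "total_cost": 30000.0,
    "pct_controls_effective": 85.0,
}
# Invented targets: (limit, higher_is_better)
THRESHOLDS = {
    "mean_time_to_detect_h": (24.0, False),
    "mean_time_to_respond_h": (72.0, False),
    "pct_controls_effective": (90.0, True),
}


def _hours(start, end):
    return (end - start).total_seconds() / 3600


def monitor(incidents):
    """Step 1, Monitoring: collect raw observations per incident."""
    return [{"id": i.incident_id,
             "time_to_detect_h": _hours(i.occurred, i.detected),
             "time_to_respond_h": _hours(i.detected, i.resolved),
             "cost": i.cost} for i in incidents]


def measure(observations, controls):
    """Step 2, Measurement: reduce observations to the listed metrics."""
    effective = [c for c in controls if c.implemented and c.effective]
    return {
        "incident_count": len(observations),
        "mean_time_to_detect_h": mean(o["time_to_detect_h"] for o in observations) if observations else 0.0,
        "mean_time_to_respond_h": mean(o["time_to_respond_h"] for o in observations) if observations else 0.0,
        "total_cost": sum(o["cost"] for o in observations),
        "pct_controls_effective": 100.0 * len(effective) / len(controls) if controls else 0.0,
    }


def analyse(current, previous):
    """Step 3, Analysis: change in each metric versus the previous period."""
    return {name: current[name] - previous[name] for name in current}


def evaluate(metrics, trend, thresholds=THRESHOLDS):
    """Step 4, Evaluation: judge each metric against its target and its trend."""
    findings = []
    for name, (limit, higher_is_better) in thresholds.items():
        value, delta = metrics[name], trend[name]
        meets = value >= limit if higher_is_better else value <= limit
        worsening = delta < 0 if higher_is_better else delta > 0
        findings.append({"metric": name, "value": value,
                         "status": "meets target" if meets else "below target",
                         "trend": "worsening" if worsening else "stable or improving"})
    return findings


def run_cycle(incidents=INCIDENTS, controls=CONTROLS, previous=PREVIOUS_PERIOD):
    """Run one full MMAE cycle and return (metrics, trend, findings)."""
    metrics = measure(monitor(incidents), controls)
    trend = analyse(metrics, previous)
    return metrics, trend, evaluate(metrics, trend)


if __name__ == "__main__":
    for finding in run_cycle()[2]:
        print(finding)
```

The separation matters in practice: monitoring and measurement are mechanical and can be automated from ticket timestamps and control-test results, whereas evaluation depends on targets that management has to set and own, which is why the thresholds live in one clearly labelled table rather than being scattered through the code.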
In addition to the above, organisations may also want to monitor and measure the following:
- Information security risks: This includes monitoring and measuring the organisation’s information security risks to identify any new or emerging risks.
- Information security controls: This includes monitoring and measuring the effectiveness of the organisation’s information security controls to ensure that they are operating as intended.
- Information security awareness and training: This includes monitoring and measuring the effectiveness of the organisation’s information security awareness and training programs to ensure that employees are aware of the organisation’s information security risks and policies.
By monitoring and measuring these items, organisations can identify and address weaknesses in their ISMS, reduce the risk of information security incidents, and improve their overall information security posture.