This blog covers the last of the main clauses of the standard: clauses 9 and 10, covering performance evaluation and improvement of your system. If you are following the Plan-Do-Check-Act cycle, then Clause 9 represents the "Check" phase and Clause 10 covers the "Act" phase.

Clause 9: Performance Evaluation

Clause 9 is essential for evaluating the performance of your Information Security Management System (ISMS). It involves asking critical questions like, "Are we making progress?", "Are we improving?", and "Is this information security risk under control?"

Monitoring, Measurement, Analysis, and Evaluation

Clause 9.1 emphasises the importance of evaluating the effectiveness of your ISMS. To achieve this, you need to determine:

  • What to measure,
  • Who will measure and analyse it,
  • And how to ensure valid results.

Begin by considering the information needs of your stakeholders and interested parties. Identify the most critical needs and articulate them clearly. For instance, if a key requirement is that your online hosted product must be available 100% of the time, you should monitor and measure server uptime to meet this expectation.

However, be cautious not to measure too many attributes. Focus on about five high-level measures that ensure the system is working as intended and performance is high.

Internal Audit

Clause 9.2 requires scheduling and conducting internal audits based on risk. High-risk procedures should be audited frequently, perhaps once or twice a year, while lower-risk areas can be audited less often.

Key principles of an internal audit include:

  1. Integrity,
  2. Fair presentation,
  3. Professional care,
  4. Confidentiality,
  5. Independence,
  6. Evidence-based approach.

Your internal audit should identify non-conformities, risks, and opportunities. Keep detailed records of the audit findings, clearly highlighting each of these so they can be acted on.

Management Review

Clause 9.3 focuses on management review to ensure your ISMS remains suitable, adequate, and effective. This involves:

  1. Ensuring the ISMS aligns with business objectives,
  2. Verifying that processes and controls are effectively implemented and embedded.

While a formal review meeting is not mandatory, it is often the best way to evaluate your systems comprehensively.

Key Takeaways from Clause 9

  1. Identify the information needs of your stakeholders.
  2. Create measures to verify these needs are met (e.g., site/product uptime).
  3. Schedule internal audits based on risk.
  4. Conduct audits using best practices.
  5. Regularly conduct management reviews to assess performance and discuss any anomalies.

Clause 10: Improvement

Clause 10 represents the "Act" phase of the Plan-Do-Check-Act cycle. After evaluating your system's performance (Clause 9), Clause 10 guides you to act on these findings.

Implementing this clause can add significant value to your business. Recording non-conformities, implementing corrective actions, and continually improving your processes can transform your operations.

Continual Improvement

Clause 10.1 requires a commitment to continual improvement. Embed your ISMS into daily operations by discussing it regularly in meetings and processes, making improvement a core mindset.

Additionally, create forums such as all-staff management review meetings to communicate ISMS improvements. This fosters leadership, communication, participation, and a strong security culture.

Nonconformity and Corrective Action

Clause 10.2 outlines the types of non-conformities you should record in your ISMS, including:

  1. Failure to meet ISMS requirements,
  2. Non-compliance with legal or contractual obligations,
  3. Inadequate behaviour according to procedures,
  4. Supplier issues,
  5. Project failures,
  6. Ineffective controls,
  7. Deficient activities within the management system,
  8. Unaddressed security incidents,
  9. Customer complaints,
  10. Alerts from users or suppliers,
  11. Unmet monitoring and measurement criteria,
  12. Unachieved objectives.

Initially, this may seem overwhelming, but systematically addressing non-conformities with effective corrective actions will make the process easier over time. The key is to record everything.

For example, track every information security incident reported by your country's cyber security agency, such as the Australian Cyber Security Centre or CertNZ in New Zealand. This includes alerts for malware, scams, email vulnerabilities, device misuse, and denial-of-service attacks. Engage with your national cyber security agency to record and respond to these threats.

Steps to Address Non-Conformities:

  1. Identify the extent and impact of the non-conformity.
  2. Determine corrective actions to limit the impact.
  3. Communicate corrections to staff.
  4. Implement and monitor corrections.
  5. Take further actions if necessary.
  6. Communicate with relevant stakeholders.

Long-term Corrective Actions:

  1. Assess the need for corrective actions.
  2. Review similar non-conformities.
  3. Conduct a root cause analysis.
  4. Analyse potential impacts on the ISMS.
  5. Implement actions to correct the root cause.
  6. Prioritise areas with higher recurrence likelihood and significant consequences.
  7. Evaluate the effectiveness of corrective actions.

Maintain documented evidence of non-conformities and corrective actions as required by the standard.

Key Takeaways from Clause 10

  1. Foster a positive culture of continual improvement.
  2. Encourage proactive reporting of non-conformities.
  3. Implement immediate corrections.
  4. Identify root causes.
  5. Address the most critical root causes with effective actions.
  6. Continually enhance your ISMS.

Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
