# Clause 9: Performance evaluation
### Monitoring, measurement, analysis and evaluation 9.1
> Monitor controls > Measure impact/effectiveness
The organisation needs to determine what has to be monitored and measured, including its information security processes and controls, and anything else that matters in its own context (9.1a). This is what allows the organisation to evaluate both its information security performance and the effectiveness of the ISMS.
The methods of monitoring and measurement, and of analysis and evaluation, also need to be determined (9.1b). As with any assessment or evaluative process, the chosen methods must be capable of producing comparable and reproducible results; otherwise the results cannot be considered valid, and trends cannot be read from them.
Thinking practically, we need to determine the following:
- When will monitoring and measuring be performed, and by whom? (9.1c, d)
- When will the resulting data be analysed and evaluated, and by whom? (9.1e, f)
>💡 **Documented information must be retained as evidence of the results.**
### Internal Audit 9.2
> Develop an audit programme > Maintain > Document use
Internal audits are useful (and necessary) because they show whether the ISMS conforms to the requirements set out both by the organisation itself and by the standard (9.2.1a). They also confirm whether the ISMS has been effectively implemented and is being maintained (9.2.1b).
>💡 The output of the internal audit programme should be an input for the planning of changes. Think of systems, not of lines. Everything is an input, a process, an output - or some combination of these options.
Audits need to be planned, established, implemented and maintained as an audit programme, and matters such as audit frequency, methods, responsibilities, planning requirements and reporting need to be available as documented information (9.2.2).
>💡 An Audit Programme is not an Audit Plan. The programme is the standing set of processes, responsibilities and scheduling commitments that produces the individual plans:
> - **Audit plan** - the day-to-day, hour-by-hour prescribed activities for a single audit
> - **Audit programme** - the ongoing, systematised processes and procedures related to the auditing function of the ISMS.
Each audit needs defined audit criteria and scope, and auditors must be selected and audits conducted in a way that ensures objectivity and impartiality (9.2.2a, b). Results must be reported to relevant management (9.2.2c). Documented information must be retained as evidence of both the audit programme and the audit results.
### Management Review 9.3
> Review ISMS > Assess effectiveness
Top management has an obligation to review the ISMS at planned intervals, both to ensure its continuing suitability, adequacy and effectiveness (9.3.1) and as part of the leadership commitments placed on top management in Clause 5.
>✏️ **Check out 9.3.2** - This section reads like an agenda, so take advantage of this and use it to plan your management review!
### Management Review Inputs (9.3.2)
This review needs to consider the status of actions from previous reviews, any changes in external and internal issues relevant to the ISMS, and any changes in the needs and expectations of interested parties relevant to the ISMS (the context we established in Clause 4) (9.3.2a, b, c).
It also considers feedback on information security performance, focusing in particular on trends in (9.3.2d):
- Nonconformities and corrective actions
- Monitoring and measurement results
- Audit results
- Fulfilment of information security objectives
Also to be considered are feedback from interested parties, the results of risk assessments and the status of the risk treatment plan, and opportunities for continual improvement (9.3.2e, f, g).
### Management Review Results (9.3.3)
> Review the review > Hunt for opportunities for improvement
The results of the management review must include decisions related to continual improvement opportunities and any needs for changes to the ISMS (9.3.3). As with the other activities in this clause, documented information must be retained as evidence of those results.