CHAPTER 15: CHECK AND ACT

Clause 9 of the Standard (performance evaluation) is concerned with monitoring and review: it covers monitoring, measurement, analysis and evaluation (9.1), internal audit (9.2) and management review (9.3). It requires management to remain actively involved in the long-term management of the ISMS, while recognising that the information security threat environment changes even more quickly than the business environment. Broadly, this clause deals with three types of activity: monitoring, auditing and reviewing.

Monitoring

The primary purpose of monitoring is to detect processing errors and information security events quickly, so that corrective action can be taken immediately. Monitoring should be formal, systematic and widespread. Security category A.12.4 (logging and monitoring) contains the controls that relate specifically to monitoring IT activity, and these are linked to this part of ISO27001; note that the same category also requires log information to be protected and clocks to be synchronised, without which the records produced by monitoring cannot be relied upon. Control area A.16, information security incident management, also recognises that the organisation must monitor for deviations and incidents, respond to them and learn from them.

Auditing

Audits should be planned to confirm that the controls documented in the SoA are effective and are actually being applied, and to identify non-conformances and opportunities for improvement. Control objectives A.18.1 (compliance with legal and contractual requirements) and A.18.2 (information security reviews) deal specifically with this issue and mandate regular, planned compliance reviews at both the process and the technical levels. Control objective A.12.7 (information systems audit considerations) deals with the security requirements for audit activities and audit tools, so that an audit does not itself disrupt operational systems. The audit requirement is described in more depth in Clause 9.2 of ISO27001, which lays out two important aspects of the process:

•  The organisation ‘shall plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting’.1

•  The audit programme ‘shall take into consideration the importance of the processes concerned and the results of previous audits’.2

Management at all levels of the organisation has a role to play in the effective implementation, maintenance and improvement of the ISMS. This must be reflected in managerial and supervisory job descriptions, employment contracts, induction and other training, and performance reviews.

Reviewing

Reviews of internal and external audit reports, performance reports, exception reports, risk assessment reports and all the associated policies and procedures are undertaken to ensure that the ISMS continues to be effective within its changing context.

The Annex A controls that are directly relevant to this stage of the ISMS PDCA cycle are:

•  A.5.1.2: review of the policies for information security

•  A.9.2.5: review of user access rights

•  A.12.4: logging and monitoring, a control objective that contains four controls (event logging, protection of log information, administrator and operator logs, and clock synchronisation)

•  A.14.1: security requirements of information systems, a control objective that in effect bears on the monitoring of application use and data processing

•  A.15.2.1: monitoring and review of supplier services

•  A.16.1.6: learning from information security incidents

•  A.17.1.3: verify, review and evaluate information security continuity

•  A.18.2.1: independent review of information security.

All these controls must be addressed in this third phase of ISMS development and implementation. The findings and outcomes of monitoring and reporting activities must be translated into corrective or improvement action and, for the purposes of the ISMS, the audit trail that demonstrates the decision-making process and the implementation of those decisions should be retained in the ISMS records, since it is this evidence that an auditor will ask for.

Act – maintain and improve the ISMS

This is a short section, and it reflects the relative brevity of the requirements of Clause 6.1.1 c) of ISO27001, which requires the organisation to plan to achieve continual improvement of the ISMS. It also links to Clause 10 of the Standard, whose two sub-clauses (10.1, nonconformity and corrective action; and 10.2, continual improvement) specify the nature and purpose of the activity that must be part and parcel of the daily work of everyone involved in managing the ISMS.

1 ISO/IEC 27001:2013, Clause 9.2 c).

2 Ibid.