M6.1.1 - PERFORMANCE EVALUATION POLICY Implementation Guidance
The entity shall have a policy for performance evaluation that sets the framework for all performance evaluations that take place in the entity.
Ongoing performance monitoring and evaluation is one of the major contributors to effective and successful information security operations within any entity. Therefore, the entity should have an overall framework for its monitoring and performance measurement activities. These activities can draw on several sources of input:
- A. High-level performance evaluation activities, such as the performance indicators suggested for sub-families in this Standard
- B. Detailed performance evaluation activities, such as the performance indicators suggested for “risk-based applicable” controls
- C. Ongoing monitoring, which detects deviations and necessary corrections
- D. Incident reports, which indicate that one or more of the controls are not working as intended
The performance evaluation policy should define how these different sources of performance information are integrated within the entity to provide an overall picture of information security performance to management, and how the results of these performance measurement activities are presented to management for decision-making.