M6.2.1 - MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION Implementation Guidance
The entity shall monitor and evaluate the information security performance and the effectiveness of the information security management system.
The continual improvement that the entity needs to apply to its information security controls (see also M6.3.2) must draw on the results of monitoring and performance measurement to identify which areas require improvement. These activities are therefore key to keeping information security up to date and fit for the entity's requirements.
The results of monitoring and review should be recorded and reported internally and externally as appropriate, and should also be used as an input to the review of the information security risk management policy (refer to M2.1.1 - P1 - INFORMATION SECURITY RISK MANAGEMENT POLICY).
The entity should develop a plan to execute the monitoring and performance measurement activities, covering all of the topics mentioned in the sub-controls above. It is helpful to assign clear responsibilities and a schedule for carrying out the monitoring and measurement, and there should be an independent review function that ensures this monitoring actually takes place.
In addition to executing the monitoring and measurement activities, the entity needs to keep these activities up to date and effective, so all monitoring and performance evaluation activities should be subject to periodic review, as well as immediate updates if the situation requires it.
The results of the monitoring and performance evaluation activities should be put into context with respect to:
- A. The information security policy (refer to M1.2.1 - P1 - INFORMATION SECURITY POLICY)
- B. The information security risk management policy (refer to M2.1.1 - P1 - INFORMATION SECURITY RISK MANAGEMENT POLICY)
- C. Management expectations with regard to information security and the overall internal context (refer to M1.1.1 - P1 - UNDERSTANDING THE ENTITY AND ITS CONTEXT)
- D. External requirements for information security, e.g. sectoral, regional or national requirements
The methods selected for the monitoring and performance measurement should produce consistent and comparable results to assist the entity in measuring performance over time.