M6.3.2 - CONTINUAL IMPROVEMENT Implementation Guidance
The entity shall continually improve the information security program in place.
Based on the results of monitoring and reviews, the entity should decide how its information security arrangements, including the controls, processes, policies and procedures in place, can be improved. These decisions should lead to measurable improvements in the entity's management of information security and in its risk management culture.
Inputs to continual improvement include the entity's performance indicators and measurements, incident reports, training outcomes, reviews and audits (refer to M6.1). Each input should result in a specific, tracked modification of the entity's processes, systems, resources, capabilities and skills, so that the improvement cycle closes rather than ending at the finding.
Applied consistently, continual improvement helps the entity keep its information security up to date and suited to its current needs and risk exposure.