Information Security Management
ISO 27001 Clause 9: Performance Evaluation
ISO 27001 Clause 9 concerns checking the ISMS performance—monitoring, internal auditing, and management reviewing—to ensure it is functioning well and improving.
Read my guide to learn what it means and how to implement it.
Written By: Alan Parker
Last Updated: 29/4/26
Clause 9.1 – Monitoring, Measurement, Analysis and Evaluation

ISO 27001 Clause 9.1 requires you to evaluate the ISMS performance by determining:
- What needs to be monitored and measured,
- The methods for monitoring, measurement, analysis, and evaluation (basically, how you’ll do it to ensure valid results),
- When monitoring and measuring should be done (frequency),
- Who shall analyse and evaluate the results.
In practice, you should have a set of ISMS metrics or performance indicators, along with a process for reviewing them.
When I’m consulting with people, I suggest that as they move through 27001, they should consider how to measure what they are implementing, and certainly whether, as stated in a policy or procedure, they are. So, I advise people to take notes on potential KPIs and obligations as they go.

We touched on this in the overview: Clause 9.1 often involves defining a few key performance indicators (KPIs) or security metrics.
Common examples:
- Number of information security incidents (perhaps categorised by severity) per quarter.
- Average time to resolve incidents.
- Percentage of staff who have completed training.
- Number of audit findings (internal or external).
- System uptime for critical systems (if availability is a key concern).
- Compliance rates with key security processes (e.g., the percentage of new hires who received accounts within the SLA or the percentage of systems with the latest patches).
- Results of phishing test (e.g., % of employees who clicked a test phishing email).
- It could even be financial, like security spending as a percentage of IT spending (though not as useful for effectiveness).
ISO 27001 doesn’t dictate which metrics—you choose the ones that make sense for your risks and objectives. But whatever you choose, I recommend that you ensure you are actually measuring and evaluating it. For example, if you set an objective to reduce incidents, you must track incidents. An auditor will specifically look at things like that.
Analysis and evaluation mean you don’t just collect data; you interpret it. As an example, if you had 5 incidents this year vs 2 last year, what does that mean? Possibly, more incidents could mean improved detection (if previously you weren’t catching them) or worse security. This analysis would inform decisions during the management review.
Documentation
Many organisations maintain a metrics dashboard or report that they update periodically (monthly, quarterly). Some integrate into management review presentations.
Also, Clause 9.1 encompasses evaluating ISMS effectiveness overall, not only metrics. It could include tasks such as compliance checks (ensuring procedures are followed) outside formal audits, and reviewing the achievement of objectives. But much is already covered by audits and reviews.
The output of Clause 9.1 is typically documented as the result of the analysis. At minimum:
- Have defined metrics (maybe in a procedure or the objectives document).
- Keep records of measurements (logs, reports).
- Summaries or analysis reports (could be part of management review minutes or a standalone “ISMS performance report”).
The auditor will check that you have identified some measurements and that you provide evidence that you carry them out. They might see a report or ask, “How do you measure the effectiveness of your ISMS?”
Clause 9.1 — Measuring What Matters, Not What's Easy
Activity metrics tell you what you did. Effectiveness metrics tell you whether it worked.
| Area | Activity metric (counts effort) | Effectiveness metric (measures outcome) |
|---|---|---|
| Phishing awareness | 4 phishing simulations run this year. Tells you the programme ran. Says nothing about whether it worked. | 87% of staff reported the test; click rate fell from 23% to 8% year-on-year. Shows the control is changing behaviour — which is the actual objective. |
| Security training | 2 all-staff training sessions delivered. Completion tells you attendance. Not whether staff understood or retained anything. | 94% pass rate on post-training quiz; 100% completion within 30 days of joining. Measures comprehension and timeliness — the outcomes that matter for Clause 7.3. |
| Vulnerability management | 12 vulnerability scans completed. Running scans is the activity. What happened to what you found? | 98% of critical vulnerabilities remediated within the 72-hour SLA. Measures whether the scanning programme is actually reducing exposure. |
| Access control | Quarterly access reviews completed on schedule. Completing the review is not the same as finding and fixing problems. | 3 inappropriate access rights found and removed in Q3; 0 active leavers with system access. Shows the review process is effective at catching real issues. |
| Incident management | 7 incidents logged and closed this quarter. Logging incidents is the process. Speed and quality of response is the control. | Mean time to detect: 2.4 hours; mean time to contain: 6.1 hours; 0 incidents escalated to breach. Measures the capability of the response, not just that incidents were recorded. |
| Policy management | 100% of policies reviewed on their annual review date. Review without substance — rubber-stamping with no changes — is not continual improvement. | 2 policies updated following review with documented rationale; 1 new policy created in response to risk finding. Shows the review process is substantive and connected to the risk picture. |
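The effectiveness metrics in the table only persuade an auditor if they can be traced back to records. The following added example (mine, not part of this guide or any tool it mentions) derives three of them from constructed ISMS records: mean time to detect and contain from an incident log, critical-vulnerability SLA compliance from a findings list, and leavers still holding active accounts from an access review. The SLA calculation treats open findings past their window as missed, so an unfixed backlog cannot inflate the score.

```python
"""Effectiveness metrics for Clause 9.1 from raw ISMS records.

Added example, not the article's own material. All records below are
constructed for illustration; timestamps are ISO-8601 strings.
"""
from datetime import datetime
from statistics import mean

# Constructed incident log: when the event happened, was detected and was contained.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2026-01-03T09:00", "detected": "2026-01-03T10:30",
     "contained": "2026-01-03T16:00", "breach": False},
    {"id": "INC-2", "occurred": "2026-01-10T22:00", "detected": "2026-01-11T01:00",
     "contained": "2026-01-11T09:30", "breach": False},
    {"id": "INC-3", "occurred": "2026-02-02T08:00", "detected": "2026-02-02T10:42",
     "contained": "2026-02-02T15:00", "breach": False},
]

# Constructed vulnerability findings; "fixed" is None while the finding is still open.
VULNS = [
    {"id": "V-1", "severity": "critical", "found": "2026-03-01T09:00", "fixed": "2026-03-02T15:00"},
    {"id": "V-2", "severity": "critical", "found": "2026-03-03T09:00", "fixed": "2026-03-07T09:00"},
    {"id": "V-3", "severity": "high", "found": "2026-03-05T09:00", "fixed": "2026-03-20T09:00"},
    {"id": "V-4", "severity": "critical", "found": "2026-03-29T12:00", "fixed": None},
    {"id": "V-5", "severity": "critical", "found": "2026-03-20T12:00", "fixed": None},
]

# Constructed account list and HR leaver list for the access-review metric.
ACCOUNTS = [{"user": "alice", "active": True}, {"user": "bob", "active": True},
            {"user": "carol", "active": False}]
LEAVERS = {"bob", "carol"}


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def incident_metrics(incidents):
    """The count is the activity metric; MTTD, MTTC and breaches are the effectiveness metrics."""
    return {
        "logged": len(incidents),
        "mttd_hours": round(mean(_hours(i["occurred"], i["detected"]) for i in incidents), 1),
        "mttc_hours": round(mean(_hours(i["detected"], i["contained"]) for i in incidents), 1),
        "breaches": sum(1 for i in incidents if i["breach"]),
    }


def sla_compliance(vulns, severity="critical", sla_hours=72, as_of="2026-03-31T00:00"):
    """Share of findings of one severity remediated within the SLA.

    Open findings still inside their SLA window are 'pending' and left out of the
    percentage; open findings past the window count as missed.
    """
    within = missed = pending = 0
    for v in vulns:
        if v["severity"] != severity:
            continue
        if v["fixed"] is not None:
            if _hours(v["found"], v["fixed"]) <= sla_hours:
                within += 1
            else:
                missed += 1
        elif _hours(v["found"], as_of) <= sla_hours:
            pending += 1
        else:
            missed += 1
    in_scope = within + missed
    pct = round(100 * within / in_scope, 1) if in_scope else None
    return {"in_scope": in_scope, "within_sla": within, "pending": pending, "pct": pct}


def leaver_access(accounts, leavers):
    """Access-review effectiveness metric: leavers who still hold an active account."""
    return sorted(a["user"] for a in accounts if a["active"] and a["user"] in leavers)


def performance_report():
    """Bundle the metrics in the shape a Clause 9.1 report or review pack would carry."""
    return {"incidents": incident_metrics(INCIDENTS),
            "critical_vuln_sla": sla_compliance(VULNS),
            "leavers_with_access": leaver_access(ACCOUNTS, LEAVERS)}


if __name__ == "__main__":
    for name, value in performance_report().items():
        print(f"{name}: {value}")
```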
Grab my ISO 27001 Toolkit, which includes all the Clause 9 document templates you need.
Clause 9.2 – Internal Audit
Clause 9.2 requires you to conduct internal audits of the ISMS at planned intervals.
It has two sub-clauses in 2022:
9.2.1 General
You must conduct internal audits to ensure the ISMS meets ISO 27001 and your own requirements and is effectively implemented and maintained.
9.2.2 Internal Audit Programme
This gets into the specifics: You need to plan the audits, considering the importance of processes and past audit results, define the audit criteria and scope for each audit, select competent auditors (who are impartial to the area being audited), and ensure audit results are reported to management.
What this means practically:

- You should create an internal audit plan/schedule. Often it’s annual: e.g., “We will audit the entire ISMS (clauses 4-10 and Annex A controls) once a year.” Some bigger orgs do partial audits quarterly, etc. For SMEs, a yearly audit covering everything is typical.
- You might audit different areas separately. For instance, audit Clause 4-8 in one session, Clause 9-10 in another, and Annex A controls by domain. Or do it all in one marathon. Just plan it out.
- Make sure the auditor is not auditing their own work. If you only have 3 people, you might outsource the internal audit or swap with another trained person in another department. Auditors must be objective.
- Create an audit checklist or criteria referencing the ISO clauses and your policies. This helps ensure you check each requirement.
- Conduct the audit: interview folks, review documents, etc., similar to how a certification auditor would, but internal. Identify any nonconformities or observations.
- Report the results. Typically, an internal audit report lists what was audited, who conducted the audit, findings (nonconformities, observations), and perhaps positives or a general assessment. Nonconformities from the internal audit feed into Clause 10 (corrective actions).
- Ensure the report goes to relevant management so they know and can act.
The required documentation includes the internal audit program (schedule) and internal audit reports (and records of any findings). ISO 27001 specifically expects you to keep records of audit results.
As part of the certification audit, you must have at least one full internal audit cycle completed. If you haven’t audited your ISMS internally, the certification auditor cannot certify you because that’s a requirement.
The auditor (the external one) will review your internal audit process: they might ask for the schedule and the internal auditor’s competency (training cert, perhaps), and they will read the internal audit report(s). They will check that you have addressed any nonconformities found (or plan to).
Also, be honest in internal audits – it’s fine to have findings; if an internal audit report shows zero findings, an external auditor might be sceptical (“Really, a first-time ISMS had no issues?”). It’s normal to have some minor issues and then show how you fixed them.
How to Maintain Objectivity & Impartiality in a Smaller Business
One of the problems my clients, who are often small tech startups, face is: “How do we maintain the standards of objectivity and impartiality that are expected by the standard’s text when we only have a couple of people in the business?”
Good question; glad you asked. It isn’t easy.
Ideally, the person auditing the ISMS isn’t involved in creating it, or at the very least wasn’t involved in creating or running the aspects being audited (so you could swap with someone else and each audit the other’s area of responsibility). But let’s assume you just don’t have the resource. First, different auditors will look at this differently: some will be very by the book, and others will understand the problems of impartiality in a small or micro organisation where you just don’t have the options.
There are a few options I’d suggest.
1) Hiring an Internal Auditor via 3rd Party – So, getting someone like me to come in and audit you, so that you are confident the ISMS is working well before you go into your audit. Not all companies have the luxury of the budget for this, so you may have to look at option 2.
2) Self-Auditing, with review – If it’s totally unavoidable due to financial and resource limitations, then you can explain your method in the internal audit approach (you should have something that outlines the who, when and how you approach the audit) and perhaps review the outputs with one other person in the business who may not fully understand 27001, but can review and challenge the audit approach and results, then sign them off.
Internal Audit Schedules
I usually say to clients, “If the question in ISO 27001 is: How often? The answer is: At least annually”, which is true, except when it comes to internal auditing. The standard just says it needs to be at planned intervals, which is a little open to interpretation.
What I’d suggest as a minimum: audit at a similar frequency to your external certification audits, but ahead of them. So, if you are audited in depth for certification once every three years, then auditing in depth once every three years (and hey, not two weeks in advance of your external audit, please) is enough. However, I’d also say that, since you have surveillance audits every year, auditing a similar selection of problem areas, or a random set of controls, once a year would be a good idea.
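Two things an external auditor checks first in the programme described above are whether every clause and Annex A theme gets audited within the cycle, and whether anyone is scheduled to audit their own work. This added example (mine, not from this guide) runs both checks over a constructed programme; the ownership map and sessions are illustrative only.

```python
"""Internal audit programme checks for Clause 9.2.

Added example, not from the article. Each programme entry is one audit
session with its date, auditor and the clauses / Annex A themes it covers.
The programme and the ownership map are constructed for illustration.
"""
from datetime import date

# A full cycle must cover main clauses 4-10 and the four ISO 27001:2022 Annex A themes.
REQUIRED = {"4", "5", "6", "7", "8", "9", "10", "A.5", "A.6", "A.7", "A.8"}

# Constructed: who runs each area day to day (and therefore must not audit it).
OWNERS = {"4": "cto", "5": "ceo", "6": "ciso", "7": "hr", "8": "ciso", "9": "ciso",
          "10": "ciso", "A.5": "ciso", "A.6": "hr", "A.7": "ops", "A.8": "cto"}

# Constructed programme for the 2026 cycle. A.8 is never scheduled, and the
# September session has the CISO auditing organisational controls they own.
PROGRAMME = [
    {"date": date(2026, 2, 10), "auditor": "hr", "covers": {"4", "5", "6", "8", "9", "10"}},
    {"date": date(2026, 5, 12), "auditor": "ciso", "covers": {"7", "A.6"}},
    {"date": date(2026, 9, 8), "auditor": "ciso", "covers": {"A.5"}},
    {"date": date(2026, 11, 3), "auditor": "external", "covers": {"A.7"}},
]


def _order(area):
    """Sort key: clause numbers numerically, Annex A themes after them."""
    return (area.startswith("A."), int(area.split(".")[-1]))


def coverage_gaps(programme, cycle_start, cycle_end, required=REQUIRED):
    """Requirements not covered by any session dated within the cycle."""
    covered = set()
    for session in programme:
        if cycle_start <= session["date"] <= cycle_end:
            covered |= session["covers"]
    return sorted(required - covered, key=_order)


def impartiality_conflicts(programme, owners=OWNERS):
    """Sessions where the auditor owns an area they are scheduled to audit."""
    conflicts = []
    for session in programme:
        own_areas = sorted((a for a in session["covers"]
                            if owners.get(a) == session["auditor"]), key=_order)
        if own_areas:
            conflicts.append({"date": session["date"].isoformat(),
                              "auditor": session["auditor"], "areas": own_areas})
    return conflicts


def programme_review(programme=PROGRAMME, cycle_start=date(2026, 1, 1),
                     cycle_end=date(2026, 12, 31)):
    """Both checks together: full coverage in the cycle and no self-auditing."""
    return {"gaps": coverage_gaps(programme, cycle_start, cycle_end),
            "conflicts": impartiality_conflicts(programme)}


if __name__ == "__main__":
    review = programme_review()
    print("Unaudited in cycle:", review["gaps"] or "none")
    for c in review["conflicts"]:
        print(f"{c['date']}: {c['auditor']} would audit own area(s) {c['areas']}")
```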
I’ve written more about conducting Internal Audits here.
Clause 9.3 – Management Review
Top management must review the ISMS periodically (usually annually) per Clause 9.3. In ISO 27001:2022, it’s broken into:
9.3.1 General
States that management must review the ISMS at planned intervals to ensure its continuing suitability, adequacy, effectiveness, and alignment with strategic direction.
9.3.2 Management Review Inputs
Specifies what must be considered in the review. The standard explicitly lists inputs:
- Status of previous actions from the last reviews.
- Changes in external and internal issues (remember Clause 4 context – have there been changes in context or scope?).
- Feedback on information security performance (results from monitoring and measuring (9.1), audit results (9.2), compliance status with requirements, etc.).
- Incidents and nonconformities, and corrective actions (10.1/10.2 stuff).
- Results of risk assessment and status of risk treatment plan (so what’s new or changed in risks since last time).
- Opportunities for continual improvement.
9.3.3 Management Review Results
Specifies the review’s outputs: decisions and actions to improve the ISMS, required changes, and resource needs.
In practical terms, a Management Review is typically a meeting (or series of meetings) held once a year (some do twice a year).
Participants usually include top management (CEO, COO, etc.), the ISMS manager, and, if applicable, key department heads or members of the security committee. They discuss all the above inputs.
To run a management review:
- Prepare a Management Review Agenda covering all required inputs.
- Gather relevant data ahead of time, e.g., incident summaries, audit findings, training stats, new risks, changes in the business, etc.
- In the meeting, go through each item. Discuss and record discussion points and any decisions.
- Typical decisions: “We need to allocate more budget for new firewall next year,” “We will revise the risk acceptance criteria because of [reason],” “No changes to scope needed at this time,” “Set a new objective to improve incident response speed,” “Management is satisfied with performance, only minor improvements X and Y noted,” etc.
- After the meeting, produce minutes or a report documenting the review. Note the decisions and actions, and assign owners/deadlines as needed for actions.
- Follow up on those actions (they become part of continual improvement).
Read more here in my guide on how to run a management review.
The required documentation is evidence of the management review and its outputs. Typically, this is meeting minutes or a management review report. It should be dated and list attendees (to show top management was involved). This is a mandatory record.

Auditors love to see a thorough management review because it demonstrates top management involvement (Clause 5) and overall control of the ISMS. They will check that the minutes cover all required inputs (they might literally cross-check the list against the minutes’ content). If something wasn’t discussed, they might mark a minor nonconformity (or “Opportunity for Improvement”).
Also, the auditor will want to see that any action items from the previous management review were addressed in the next one (which is why “status of previous actions” is an input).
For a first certification, you should have at least one management review done (covering the period since the start of ISMS implementation).
If you finish implementing and immediately call auditors, do a management review meeting before they arrive.
Clause 9.3 — SME Management Review: Worked Example
A realistic 60–90 minute agenda with the evidence that makes each item auditor-ready
- Review actions from the previous management review: what was completed, what remains open
- Any changes in the external environment: new regulations, sector threats, customer requirements
- Any significant internal changes: staff, systems, processes, locations, acquisitions
- Confirm whether the ISMS scope still reflects the organisation
- Summary of monitoring and measurement results against defined metrics
- Security incidents in the period: number, nature, response times, root cause patterns
- Internal audit results: findings, nonconformities, and their status
- Nonconformities and corrective actions: open, closed, overdue
- Results of any external assessments: supplier audits, penetration tests
- Summary of the current risk register: new risks identified, risks retired, movement in risk scores
- Progress against the risk treatment plan: actions completed, in progress, or overdue
- Confirmation of risk acceptance decisions where residual risk remains above threshold
- Any risks that require a management decision or resource allocation to treat
- Review of information security objectives set at the last review: were they met?
- Set or update objectives for the coming period, with owners and target dates
- Any identified opportunities for improvement to the ISMS — processes, tools, training
- Feedback from interested parties: customers, auditors, regulators
- Is the ISMS adequately resourced — people, time, tools, budget?
- Are there gaps in competence or coverage that require investment?
- Any upcoming regulatory or business changes that will require additional resource?
Documentation and Outputs for ISO 27001 Clause 9
Clause 9 — What Evidence Is Required?
Five documents every auditor will ask for — and what a small organisation needs to show
| Document | What it is | Minimum acceptable form for an SME |
|---|---|---|
| Defined metrics (9.1, mandatory) | A documented set of measures that describe how the organisation evaluates information security performance and whether ISMS controls are effective. Must include what is measured, how, by whom, and how results are analysed. | Simple table or spreadsheet tab. A one-page table listing 5–10 measures with columns for: metric name, data source, collection frequency, owner, and target. Does not need to be sophisticated — it needs to exist and be used. Auditors commonly find this missing entirely in SME audits. Even a basic documented list satisfies the requirement. |
| Measurement records (9.1, mandatory) | The actual results produced by running the measurement programme — the data collected against each defined metric, retained as documented information so auditors can verify that measurement is happening on schedule. | Dated spreadsheet entries or report exports. A running log of metric results — even a simple spreadsheet with one row per reporting period per metric. What matters is that results are timestamped, attributable, and show trends over time. Screenshots, exported tool reports, and email summaries all count as records if dated and retained. |
| Internal audit programme (9.2, mandatory) | A planned schedule of internal audits covering the full ISMS scope over a defined period. Must document audit frequency, scope, methods, and the criteria against which audits are conducted. The programme must ensure all areas are audited at planned intervals. | Annual schedule document. A simple document or calendar entry showing which clauses and controls will be audited, by whom, and when. For most SMEs, one or two internal audits per year covering the full ISMS scope is sufficient — provided the programme is documented and followed. The auditor conducting internal audits must be objective and impartial — typically meaning they don't audit their own work. |
| Internal audit reports (9.2, mandatory) | Documented results from each completed internal audit, confirming what was reviewed, what was found, and what corrective actions were raised. The standard explicitly requires results to be reported to relevant management. | Written audit report with findings log. A dated report for each completed audit noting: scope, what was checked, conformities, nonconformities, and observations. Nonconformities should link to a corrective action record. Length is not the measure — completeness is. An audit with no findings is not inherently suspect, but auditors will probe whether the audit was rigorous enough to surface real issues. |
| Management review minutes (9.3, mandatory) | A record of each management review meeting showing that top management reviewed the ISMS, considered the required inputs (audit results, metrics, risks, objectives), and made decisions or allocated resources where needed. Outputs must include any decisions and actions arising. | Dated meeting minutes with attendees and decisions. Minutes do not need to be lengthy — they need to show that each required Clause 9.3 input was discussed and that decisions or action owners were assigned where needed. A structured agenda template helps ensure nothing is missed. The most common finding is minutes that record attendance but not decisions — or that don't cover all the required inputs. |
What Auditors Look For in ISO 27001 Clause 9
Defined Metrics and Data
The auditor will ask, “How do you measure your ISMS performance?” Expect to show them your list of metrics or KPIs. If you have none, that’s a nonconformity. They will then look at data – e.g., if you say incidents are tracked, they might say, “How many incidents occurred last year?” You should have that number readily. If you achieved improvements, mention them. The auditor is checking that you are actively monitoring and that you know whether you’re improving.
Internal Audit Process
The auditor will do an audit of your internal audit. They’ll check:
- The independence of the internal auditor (e.g., if your IT manager audited IT processes, that’s not independent; it’s better if someone else or an external auditor did).
- The competence – “Who did the audit and have they been trained?” Show evidence as discussed.
- The scope and frequency—“When do you conduct internal audits? Let me see the plan.” They’ll ensure you’ve covered the full standard (maybe in one go or over time). If some parts weren’t audited, that’s a gap.
- Findings and actions – They will read the internal audit report. If it lists nonconformities, they’ll ask “What did you do about these?” (which should tie into Clause 10 corrective actions – they might follow a particular finding to see if you resolved it). If your internal audit found nothing, they might carefully look themselves for something to see if you missed it, as a test of audit effectiveness.
- They might also check that results were reported to management (evidence could be found in management review minutes that reference the internal audit).
- Records retention: Ensure those reports are retained. (ISO expects them to be kept, obviously at least until the next cycle.)
Management Review thoroughness
Auditors will typically request the management review minutes and any accompanying reports. They will verify that:
- All required inputs (as per 9.3.2) are covered. They might, for example, highlight: “I don’t see anything about changes in external/internal issues in these minutes – did you discuss that?” If not, they’ll issue a minor NC requiring you to include that next time.
- Top management presence: If no executives attended, they may question compliance with Clause 5/9.3. Ideally, an executive or two is on the attendee list.
- Decisions made: If the minutes show no decisions or actions, just a perfunctory meeting, they may suggest that it should be more insightful. But if everything were perfect, no significant action may be needed; still, typically something comes up (even “continue current course” is a decision).
- Follow-up from last review: If this is not your first ever, they’ll check that last year’s actions were reviewed. For initial certification, it is not applicable, but in the surveillance year, they will definitely check.
They might ask the management present: “What’s your impression of the ISMS effectiveness? Are there any areas you see needing improvement?” The answer should align with what’s in the review records.
Resource decisions
If any resource needs were identified but not addressed, they might flag that leadership didn’t provide resources (tying back to Clause 5 and 7.1). So management review should identify and resolve resource issues, or at least have a plan.
Continual Improvement evidence
Clause 9 is about checking, but through internal audit findings and management review, they’ll naturally see if you are improving.
For example, if the internal audit last year had 5 findings and this year only 1, that’s an improvement. Or the management review might note that the “risk level overall reduced.” They won’t explicitly mark Clause 9 for improvement (that’s Clause 10), but they will see if Clause 9 processes drive Clause 10.
Example
A company’s management review minutes discussed a recent change: a new data privacy law. However, the minutes didn’t note any action about it.
The auditor might ask in the interview, “I see you noted a new privacy law in the review; what did you decide to do about it?” The team realised they had missed recording the decision to plan a compliance assessment for that law. They explained this verbally to the auditor and later provided an email in which management had tasked legal counsel.
The auditor observed that the documentation of actions should be improved next time. This highlights how auditors focus on the logic: was the issue addressed if it was raised? They want management review not to be a checkbox but a meaningful analysis that leads to action.
ISO 27001 Clause 9 FAQs
What’s the difference between internal audit and management review in ISO 27001 Clause 9?
Internal audit (Clause 9.2) is a structured review to assess whether your ISMS is compliant and functioning as intended, typically conducted by a trained, independent individual. The management review (Clause 9.3) is where senior leadership evaluates the overall performance of the ISMS, based on inputs like audit results, metrics, incidents, and changes. One checks operational compliance; the other steers strategic oversight and improvement.
How often should I conduct internal audits and management reviews?
ISO 27001 doesn’t set a specific frequency, but internal audits must be done at planned intervals—typically annually, though some organisations audit parts of the ISMS more frequently. Management reviews are usually conducted once a year, but more frequent reviews are fine if needed. The key is that both happen regularly and cover all required areas.
What happens if I find nonconformities during the internal audit?
Finding nonconformities is normal—even expected. The important thing is to document them clearly, assess the root cause, and create corrective actions (which links to Clause 10). You’ll also need to follow up to ensure those actions were implemented and effective. Auditors will want to see how you manage these findings, not that your system is flawless.
Which metrics should I track for Clause 9.1?
You should track metrics relevant to your ISMS objectives and risks. Common examples include:
- Number of security incidents
- Time to resolve incidents
- Percentage of completed staff training
- Results of internal audits
- Phishing test results
- The percentage of people who have read and accepted the policies
Choose metrics that help you measure effectiveness, not just activity. What you track should support management decisions and show whether your ISMS is improving.
Author Background
This article was written by Alan Parker, an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less, often without a dedicated security team or a large budget.
With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally.
Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done.
Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.