ISO 27001 Monitoring & Review Phase

As part of my project implementation guide, this explores the ISO 27001 Monitoring & Review phase of the project plan.

The ISO 27001 monitoring & review phase diagram

ISO 27001 Monitoring & Review Phase Overview

Back to the Implementation Phase of the project

The Monitoring & Review phase of ISO 27001 implementation focuses on continuously evaluating the ISMS to ensure its effectiveness and alignment with organisational objectives.

This phase involves regular monitoring, measurement, and auditing activities to identify areas for improvement and ensure compliance with the established policies and controls.

A diagram depicting the steps in the monitoring & review stage of an ISO 27001 project
The Monitoring & Review Stage of ISO 27001

Each step is crucial in ensuring a comprehensive and systematic implementation of an Information Security Management System (ISMS). Let’s take a look at each one in turn.

Everything I discuss here is based on the utilisation of my toolkit and the templates therein, so I encourage you to download my ISO 27001 toolkit and use that as the basis of your ISMS’ foundations.

The Quality Cycle

The PDCA (Plan-Do-Check-Act) cycle is a continuous improvement methodology that involves four key stages: planning an objective and the necessary processes, implementing the plan, monitoring and evaluating the results, and acting on the findings to make necessary adjustments.

Quality Cycle Diagram of Plan, Do, Check, Act

The cycle ensures that processes are continually reviewed and improved over time.

In the context of ISO 27001, the PDCA cycle is integral to implementing and maintaining your Information Security Management System (ISMS).

It helps an organisation systematically manage and improve its information security practices by ensuring that security policies and controls are planned, implemented, monitored, and continually enhanced.


The reason I’m mentioning it is that it’s a very commonly understood model in business, and it underpins the latter stages of an ISO 27001 implementation: the “Check” part maps to the performance evaluation requirements of Clause 9 (the Monitoring & Review phase), and the “Act” part to the Improvement requirements of Clause 10.

Monitoring & Measuring ISMS Performance

Diagram depicting the activities in monitoring & measuring an ISMS' performance.

Regular monitoring and measurement of the ISMS performance is needed to ensure that the system meets its objectives and operates effectively.

Activities involve tracking specific metrics and indicators to identify trends, deviations, and areas needing attention.

Activities

Define Metrics and Indicators

Identify key performance indicators (KPIs) that align with the ISMS objectives. Examples of KPIs include the number of security incidents, incident response times, compliance levels, user awareness scores, and the effectiveness of implemented controls.

Ensure that the selected metrics are measurable, relevant, and provide a clear picture of the ISMS performance.

Determine the frequency of monitoring activities based on the criticality of the metrics. Daily, weekly, monthly, or quarterly checks can be implemented depending on the specific needs of the organisation.

Assign responsibilities for monitoring activities to ensure consistency and accountability.

Utilise automated tools for logging and analysing security events, such as Security Information and Event Management (SIEM) systems.

Incorporate manual data collection methods where automation is not feasible. This may include surveys, interviews, and physical inspections.

Tips
  • Keep it simple to begin with. You can always add things in at a later date. Maybe even choose the top 5 metrics that would really make a difference when you are starting your ISMS.
  • The temptation can be to measure and report on everything. I refer back to the previous point about keeping it simple: report only on metrics / KPIs that can actually be acted upon.
  • Don’t get too operationally focused. Look for trends and anything that might indicate if processes are working well, or otherwise.

Compile Performance Reports

Aggregate the collected data into comprehensive performance reports. These reports should highlight key findings, trends, deviations, and areas requiring attention.

Utilise visual aids, such as charts and graphs, to enhance the clarity and impact of the reports.

Conduct Regular Reviews and Analysis

Regularly review the performance reports with relevant stakeholders, including ISMS managers and senior management.

Analyse the data to assess the ISMS’s effectiveness, identify any areas needing improvement, and determine the root causes of any deviations.

Implement Corrective Actions

Develop and implement corrective actions to address identified issues. This may involve updating policies, enhancing controls, or providing supplementary training.

Track the implementation and effectiveness of corrective actions to ensure that they achieve the desired outcomes.
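As an added example (not code from the original page or from the author’s toolkit), the following script turns a small set of incident records into the kind of monthly KPIs the steps above describe, compares them with targets, and flags deviations and a worsening trend. The incident records, field names (opened, acknowledged, resolved, severity) and target values are constructed assumptions; substitute the export from your own ticketing system or SIEM and the targets agreed in your ISMS.

```python
"""Monthly ISMS KPIs from incident records, with target and trend checks.

Added example for illustration only. The data, field names and targets
below are constructed assumptions, not values from any real ISMS.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: seven incidents across three months.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "opened": "2024-01-03T09:00",
     "acknowledged": "2024-01-03T09:20", "resolved": "2024-01-03T15:00"},
    {"id": "INC-2", "severity": "low", "opened": "2024-01-15T10:00",
     "acknowledged": "2024-01-15T10:10", "resolved": "2024-01-16T10:00"},
    {"id": "INC-3", "severity": "high", "opened": "2024-02-02T08:00",
     "acknowledged": "2024-02-02T08:50", "resolved": "2024-02-03T08:00"},
    {"id": "INC-4", "severity": "medium", "opened": "2024-02-20T14:00",
     "acknowledged": "2024-02-20T14:10", "resolved": "2024-02-21T02:00"},
    {"id": "INC-5", "severity": "high", "opened": "2024-03-05T09:00",
     "acknowledged": "2024-03-05T09:15", "resolved": "2024-03-06T21:00"},
    {"id": "INC-6", "severity": "low", "opened": "2024-03-12T11:00",
     "acknowledged": "2024-03-12T11:05", "resolved": "2024-03-12T19:00"},
    {"id": "INC-7", "severity": "medium", "opened": "2024-03-25T16:00",
     "acknowledged": "2024-03-25T16:45", "resolved": "2024-03-27T16:00"},
]

# Assumed targets; an ISMS would set its own in its objectives.
TARGETS = {
    "mtta_minutes": 30,   # mean time to acknowledge an incident
    "mttr_hours": 24,     # mean time to resolve an incident
    "sla_met_pct": 90.0,  # share of incidents acknowledged within target
}


def _ts(value):
    return datetime.fromisoformat(value)


def monthly_metrics(incidents):
    """Aggregate incidents by the month they were opened (YYYY-MM)."""
    by_month = defaultdict(list)
    for inc in incidents:
        by_month[inc["opened"][:7]].append(inc)

    metrics = {}
    for month, incs in sorted(by_month.items()):
        ack_min = [(_ts(i["acknowledged"]) - _ts(i["opened"])).total_seconds() / 60
                   for i in incs]
        res_hrs = [(_ts(i["resolved"]) - _ts(i["opened"])).total_seconds() / 3600
                   for i in incs]
        within_target = sum(1 for a in ack_min if a <= TARGETS["mtta_minutes"])
        metrics[month] = {
            "count": len(incs),
            "high_count": sum(1 for i in incs if i["severity"] == "high"),
            "mtta_minutes": round(sum(ack_min) / len(ack_min), 1),
            "mttr_hours": round(sum(res_hrs) / len(res_hrs), 1),
            "sla_met_pct": round(100 * within_target / len(ack_min), 1),
        }
    return metrics


def deviations(metrics, targets=TARGETS):
    """Return (month, metric, actual, target) for each breached target.

    Also flags MTTR rising for three consecutive months, even if each
    month is individually inside target: a trend is what management
    review needs to see, not only point failures.
    """
    found = []
    months = sorted(metrics)
    for m in months:
        v = metrics[m]
        if v["mtta_minutes"] > targets["mtta_minutes"]:
            found.append((m, "mtta_minutes", v["mtta_minutes"], targets["mtta_minutes"]))
        if v["mttr_hours"] > targets["mttr_hours"]:
            found.append((m, "mttr_hours", v["mttr_hours"], targets["mttr_hours"]))
        if v["sla_met_pct"] < targets["sla_met_pct"]:
            found.append((m, "sla_met_pct", v["sla_met_pct"], targets["sla_met_pct"]))

    mttr = [metrics[m]["mttr_hours"] for m in months]
    for i in range(2, len(mttr)):
        if mttr[i - 2] < mttr[i - 1] < mttr[i]:
            found.append((months[i], "mttr_trend", mttr[i], "rising for 3 months"))
    return found


def render_report(metrics, found):
    """Plain-text summary suitable for pasting into a performance report."""
    lines = ["month    count high  MTTA(min)  MTTR(h)  SLA met(%)"]
    for m, v in sorted(metrics.items()):
        lines.append(f"{m}  {v['count']:>5} {v['high_count']:>4} "
                     f"{v['mtta_minutes']:>10} {v['mttr_hours']:>8} {v['sla_met_pct']:>11}")
    lines.append("")
    lines.append("Deviations requiring attention:" if found else "No deviations.")
    for month, metric, actual, target in found:
        lines.append(f"  {month} {metric}: {actual} (target {target})")
    return "\n".join(lines)


if __name__ == "__main__":
    m = monthly_metrics(INCIDENTS)
    print(render_report(m, deviations(m)))
```

With the constructed data, February meets the acknowledgement target on average but only half of its incidents were acknowledged within 30 minutes, which is exactly the kind of detail a mean hides and a percentage exposes; March breaches the resolution target and also completes a three-month rise in MTTR, so it is reported twice.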

Management Review

Periodic management reviews are essential for assessing the overall performance of the ISMS and are a requirement of clause 9.3.

Reviews provide an opportunity for senior management to evaluate the system’s effectiveness, ensure it remains aligned with organisational objectives, and make strategic decisions. Management reviews also help in ensuring the continual improvement of the ISMS.

ISMS management review steps

Activities

Schedule Reviews

Plan regular management review meetings, typically quarterly or semi-annually, to maintain a consistent review cycle. ISO 27001 (Clause 9.3) only requires reviews ‘at planned intervals’ and sets no minimum frequency, but certification auditors will expect at least one full management review each year.

Ensure that all relevant stakeholders, including senior management, ISMS managers, and key department heads, are invited to the review meetings.

Prepare Review Agenda

Develop a comprehensive agenda for each management review meeting. The agenda should cover the inputs Clause 9.3 requires:

  • Performance metrics and key performance indicators (KPIs), including the extent to which information security objectives have been met.
  • Results of internal audits and the status of actions from previous management reviews.
  • Nonconformities and the status of corrective actions.
  • Results of risk assessments and the status of the risk treatment plan.
  • Feedback from interested parties, including employees, customers, and regulatory bodies, and any changes in their needs and expectations.
  • Any changes in external and internal issues that may impact the ISMS.
  • Opportunities for continual improvement.

Conduct Reviews

During the review meetings, discuss each agenda item in detail. Evaluate the ISMS’s performance, considering any significant changes in the organisational context or the scope of the ISMS.

Assess the adequacy of resources allocated for the ISMS and determine if additional resources are required.

Review the effectiveness of the ISMS in achieving its objectives and meeting compliance requirements.

Document Minutes

Document the minutes of each management review meeting. Ensure that all decisions made, action items assigned, and any adjustments to the ISMS are recorded. You will need to provide evidence of these in any audit you undergo.

Distribute the minutes to all relevant stakeholders and ensure that they are archived for future reference.

Follow-Up on Action Items

Ensure that all action items from the review meetings are followed up on and completed. Assign responsibilities and set deadlines for each action item.

Monitor the progress of action items and provide regular updates during subsequent management review meetings.

Internal Audit

Internal audits are required by Clause 9.2 of ISO 27001:2022 (9.2.1 sets the general requirement and 9.2.2 requires a planned internal audit programme), and are therefore a critical component of the Monitoring & Review phase.

These audits assess the ISMS’s compliance with ISO 27001 requirements and organisational policies. Internal audits help identify non-conformities and areas for improvement, ensuring that the ISMS is effectively implemented and maintained.

internal audit steps

Activities

Audit Planning

Develop an internal audit plan that encompasses all aspects of the Information Security Management System (ISMS). This plan should detail the audit scope, objectives, schedule, and audit criteria.

Given the breadth of ISO 27001 and the controls in Annex A, I strongly recommend breaking your audit into parts, focusing on one clause or control set each month. Little and often has been a better approach in my experience. It’s certainly better than rushing it two days before your external audit; the auditors can tell.

Ensure that the audit plan is approved by senior management and communicated to all relevant stakeholders.

Assign Auditors

Select auditors with the necessary skills, knowledge, and independence to conduct the audits. Auditors should be impartial and not responsible for the areas they are auditing.

Provide auditors with adequate training on ISO 27001 requirements and internal audit procedures.

Conduct Audits

Conduct internal audits per the audit plan. Use a systematic approach to evaluate the ISMS’s compliance, including reviewing documentation, conducting staff interviews, and inspecting processes and controls.

Focus on key areas, including risk assessment and treatment, control implementation, incident response, and continuous improvement.

Document Findings

Document all audit findings in an audit report. Highlight any non-conformities, observations, and recommendations for improvement.

Ensure that the audit report is clear, concise, and provides actionable insights for the ISMS managers and senior management.

Findings generally fall into two categories:

  1. Nonconformity – a failure to meet a requirement of the standard or of your own ISMS policies and procedures.
  2. Opportunity for Improvement – where something is working, but not as well as you’d like, and could do with some attention.

Develop & Implement Corrective Actions

Based on the audit findings, develop corrective actions to address identified non-conformities and areas for improvement.

Ensure that corrective actions are specific, measurable, achievable, relevant, and time-bound (SMART).

Assign responsibilities for implementing corrective actions and set deadlines for completion.

Monitor the progress of corrective actions to ensure they are effectively implemented.


Mapping the Phase to Clause 9

Clause 9 of ISO 27001:2022 focuses on evaluating ISMS performance through systematic monitoring, measurement, internal audits, and management reviews. These components ensure the ISMS remains effective and aligned with business objectives, while driving continual improvement.

The Monitoring & Review phase supports Clause 9 through structured activities that directly fulfil its subclauses.

Monitoring, Measurement, Analysis and Evaluation (Clause 9.1)

The Monitoring & Review phase ensures the ISMS is continuously observed and assessed using relevant performance metrics and indicators.

Defined Metrics and KPIs – Established measurable performance indicators such as incident counts, response times, and user awareness levels, ensuring they align with ISMS objectives.

Automated and Manual Data Collection – Deployed tools like SIEM systems and supplemented with manual methods (e.g., surveys and inspections) to gather accurate data.

Performance Reports – Compiled regular performance reports featuring trend analysis, deviations, and improvement opportunities, presented using visual aids to enhance clarity.

Review and Corrective Actions – Conducted reviews with stakeholders and implemented corrective actions where performance did not meet expectations, ensuring continual improvement.

Internal Audit (Clause 9.2)

Internal audits verify whether the Information Security Management System (ISMS) conforms to ISO 27001 requirements and is effectively implemented and maintained.

Internal Audit Planning – Developed a detailed audit schedule covering all ISMS areas, focusing on control sets and clause groups monthly for manageable, consistent reviews.

Independent Auditors – Selected auditors with relevant training and ensured independence by excluding them from auditing their own areas.

Systematic Execution – Carried out audits via documentation review, interviews, and process inspections to evaluate compliance and control effectiveness.

Audit Findings and Actions – Documented nonconformities and improvement opportunities, and tracked corrective actions using a SMART approach.

Management Review (Clause 9.3)

Management reviews ensure senior leadership is actively involved in ISMS oversight, assessing its effectiveness and strategic alignment.

Scheduled Reviews – Held management review meetings on a routine basis (e.g., quarterly), ensuring senior leaders and key stakeholders were engaged.

Structured Agendas – Covered all required inputs, including audit results, performance data, risk assessments, and feedback from interested parties.

Decision Documentation – Recorded and distributed meeting minutes, including action items and decisions, to maintain transparency and drive accountability.

Follow-Up on Actions – Assigned ownership and timelines for action items arising from reviews and monitored their completion to ensure follow-through.


Next Step: The Continuous Improvement Phase



Alan Parker

Alan Parker is an experienced IT governance consultant who’s spent over 30 years helping SMEs and IT teams simplify complex IT challenges. With an Honours Degree in Information Systems, ITIL v3 Expert certification, ITIL v4 Bridge, and PRINCE2 Practitioner accreditation, Alan’s expertise covers project management, ISO 27001 compliance, and service management best practices. Recently named IT Project Expert of the Year (2024, UK).
