Clause 9: Performance Evaluation

Monitoring, measurement, analysis, internal audits, and management reviews to evaluate ISMS effectiveness.

Overview

Clause 9 is the “check” phase of the Plan-Do-Check-Act cycle. It requires you to evaluate whether your ISMS is working as intended — are the controls effective, are objectives being met, and is the management system as a whole delivering the desired outcomes? This clause covers three critical activities: monitoring and measurement, internal audits, and management reviews.

9.1 Monitoring, Measurement, Analysis, and Evaluation

You must determine what needs to be monitored and measured, including information security processes and controls. For each item, you need to establish:

  • What will be monitored and measured — specific controls, processes, or objectives.
  • Methods for monitoring, measurement, analysis, and evaluation — how you will collect and interpret data.
  • When monitoring and measuring will be performed — frequency and triggers.
  • Who will monitor and measure — assigned responsibilities.
  • When the results will be analysed and evaluated, and by whom.

Common metrics include the number of security incidents, time to resolve incidents, percentage of controls implemented, training completion rates, vulnerability scan results, and patch management compliance.

9.2 Internal Audit

Internal audits must be conducted at planned intervals to determine whether the ISMS conforms to the organisation's own requirements and the requirements of ISO 27001, and whether it is effectively implemented and maintained. Key requirements include:

  1. Audit programme — plan a series of audits considering the importance of the processes concerned and the results of previous audits.
  2. Audit criteria and scope — define what each audit will cover and against what criteria it will be assessed.
  3. Auditor independence — auditors must be objective and impartial (cannot audit their own work).
  4. Reporting — audit results must be reported to relevant management.
  5. Documented information — retain evidence of the audit programme and audit results.

9.3 Management Review

Top management must review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness. The management review must consider:

  • Status of actions from previous management reviews.
  • Changes in external and internal issues relevant to the ISMS.
  • Feedback on information security performance, including trends in nonconformities, monitoring results, audit results, and fulfilment of objectives.
  • Feedback from interested parties.
  • Results of risk assessment and status of risk treatment plan.
  • Opportunities for continual improvement.

How Standardise Helps

  • Dashboard metrics — the Standardise dashboard provides real-time metrics including compliance readiness (percentage of Annex A controls implemented), risk heat map, open incidents, and module completion stats.
  • Audits module — create and manage internal audits with findings tracking, severity levels, and corrective action workflows. The Internal Audit Programme template helps you plan your audit cycle.
  • Management Review template — a document template for recording management review inputs, discussions, and decisions with full version control.
  • CSV export — export data from any module for reporting, analysis, or presentation to management and auditors.