ISO 27001 - Non-Conformities in Clause 9
Since Annex SL (and indeed before then), evaluating performance has been common to all management system standards. The findings described here also arise in audits against other Annex SL standards; the only difference is the auditing and performance of the Annex A controls, which are unique to ISO 27001:2013.
Section 9 Performance Evaluation is the 'Check' step of the Plan Do Check Act (PDCA) cycle. This infographic shows the clauses of various Annex SL standards aligned to the PDCA steps. This is the point at which the organisation checks the two most important factors:
- The performance of its information security
- The effectiveness of its ISMS
It is the time when the organisation gazes inward to check itself, and it needs to be as objective and as impartial as possible to get the most value from it. All organisations carry out checks on various business functions, such as sales targets and customer service, so security should be similarly scrutinised.
There are three parts to the clause, which I examine in order.
9.1 Monitoring, Measurement, Analysis and Evaluation
Annex SL standards are process- and risk-based. This means that the performance monitoring of information security must be:
- Based on the interacting processes within the scope of the management system
- Biased towards those processes and information assets which matter most to the organisation, i.e. those that carry higher risk.
The standard requires the organisation to consider what needs to be monitored and measured, how it is going to be monitored, when and by whom the monitoring shall be done, and when and by whom the results shall be evaluated. In some cases major non-conformities have been raised because there is no evidence that 9.1 has been adhered to at all.
More typically, non-conformities arise because very few measurement requirements have been defined. Coupled with this, our auditors often see that the items identified have inappropriate metrics or KPIs. This may also suggest that the information security objectives have not been fully defined, because there is a requirement to measure progress towards them (6.3).
Because the approach is risk-based, there should be a link between the risks identified in Clause 6 and the information security controls and processes chosen for monitoring. For example, if certain security controls are important for mitigating a high risk, then it is in the organisation's interest to monitor the performance of those controls closely, whereas it might reasonably choose not to monitor closely the controls that address lower risks.
We also see cases where management system performance measurement has been defined but nothing has been defined for the security controls, and vice versa. Finally, we often see that comprehensive performance measurement metrics are in place but no measurement is actually taking place.
9.2 Internal Audit
More non-conformities are raised against internal auditing than against any other clause in ISO 27001:2013. Not carrying out internal audits, or missing in-scope locations, raises major non-conformities. This can be due to the organisation not planning any audits, or having planned them but not carried them out. A lack of internal audits can prevent an organisation progressing from a Stage 1 to a Stage 2 audit, and can prevent certification being awarded after a Stage 2.
The standard states that internal audits shall be conducted at planned intervals, but it doesn't suggest an appropriate frequency. However, management system certification operates in a three-year cycle, so we expect all the management system requirements to be covered, and the Statement of Applicability controls to be sampled on a risk basis, within that cycle.
Minor non-conformities arise when the audit programme is not appropriate to the risks or lacks sufficient coverage of the scope. In particular, all the physical locations in scope must be audited, and it is not unknown for remote facilities to be left off the programme. We sometimes see audit programmes that cover the whole management system but omit the Annex A controls, and vice versa. Dropping elements of the programme without rescheduling them within the three-year cycle can also raise findings.
Quite often the audit records are inadequate, in that they don't properly record the audit observations and any findings that arose. Finally, we sometimes find that the auditor is not sufficiently impartial. Finding an impartial auditor in a small organisation can be difficult, but the principle is that someone shouldn't be marking their own homework, so more than one auditor might be required to ensure there is no conflict of interest.
9.3 Management Review
The standard lists all the mandatory items to be considered during the management review. The biggest cause of non-conformities is that some of the mandatory items are not discussed. Having them as standing agenda items will ensure they are always discussed.
Major non-conformities arise when no management reviews have taken place.
The quality and accuracy of the minutes are very important. If our auditor can't determine what was discussed and the outcome of the discussion, then they don't have objective evidence. For example, simply recording 'N/A' against a mandatory item will raise a non-conformity.
Auditors will usually review the internal audit programme before the management review. They will expect to see the internal audit discussed at the management review, while it is still fresh in memory.
The status of actions, and their traceability or progress to closure, is important. Long-term unclosed actions may indicate a lack of continual improvement. It is therefore important to manage actions: some may be long-term projects and so require less frequent review, or may even be moved out of the action list altogether, but these decisions need to be recorded.
In my next blog I'll look at Clause 10.
Read the previous blog in this series, ISO 27001 - Non-Conformities in Clause 7.
Authored by: Tim Pinnell, NQA Information Security Assurance Manager