Clause 9 Performance evaluation

Version: 3.0

Valid until: 2025-03-11

Classification: Low

Version Management

Version 1.0
  Author(s): Stefan van Aalst, Edward Robinson
  Change(s): Initiation document
  Date approved: 2022-05-20

Version 1.1
  Author(s): Edward Robinson
  Change(s): Additions/changes as part of the periodic review and improvement.
             Renamed to Clause 9 Performance evaluation from B07 Internal Audit.
  Date approved: 2022-12-13

Version 2.0
  Author(s): Edward Robinson
  Change(s): Additions/changes as part of the annual review.
             No changes have been made.
  Date approved: 2023-05-15

Version 3.0
  Author(s): Edward Robinson
  Change(s): Additions/changes as part of the annual review.
             Updated link for effectiveness criteria under 9.1.
             Updated link for internal audit planning under 9.2 and Administrations.
             Added that internal audit management summaries will be publicly published on the KB including a link to previous ones.
             Added link to overview of public management reports.
  Date approved: (not recorded)

Purpose & background


anDREa B.V. (hereafter called anDREa) is committed to protecting the security of its business information in the face of incidents and unwanted events and has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC 27001:2017, the international standard for information security.


The purpose of this document is to describe how anDREa ensures performance evaluation of the ISMS.


This document will be updated at least annually and when significant change happens.

Objective


The objective of this control is:


  • To ensure the evaluation of the performance and effectiveness of the ISMS (9.1).

  • To ensure that internal audits are planned and performed (9.2).

  • To ensure that top management reviews the ISMS (9.3).

Scope

The scope of this document is according to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

9.1 Monitoring, measurement, analysis and evaluation


“The organisation shall evaluate the information security performance and the effectiveness of the information security management system.

The organisation shall determine:

a) what needs to be monitored and measured, including information security processes and controls;

b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;

c) when the monitoring and measuring shall be performed;

d) who shall monitor and measure;

e) when the results from monitoring and measurement shall be analysed and evaluated; and 

f) who shall analyse and evaluate these results.

The organisation shall retain appropriate documented information as evidence of monitoring and measurement results.”



anDREa has determined effectiveness criteria per policy document. The effectiveness criteria are monitored, measured, analysed and evaluated by the asset responsible(s). The Security Officer will gather and document the results in the ticket corresponding to the policy document.

9.2 Internal audit


“The organisation shall conduct internal audits at planned intervals to provide information on whether the information security management system:

a) conforms to (1) the organisation’s own requirements for its own information security management system and (2) the requirements of the International Standard;

b) is effectively implemented and maintained.

The organisation shall:

c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;

d) define the audit criteria and the scope for each audit;

e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process;

f) ensure that the results of the audits are reported to relevant management;

g) retain documented information as evidence of the audit programme(s) and the audit results.”



anDREa has contracted an external party to conduct internal audits. The internal auditor must at least meet the following requirements:

  • Have knowledge of information and communication technology (preferably cloud technology), to the extent that they can comprehend the functioning and purpose of the separate information systems and their security-related aspects.

  • Demonstrate the appropriate knowledge level and skill for internal auditing by means of a certificate (Lead Auditor) or other information security courses, or three years of experience in auditing.

  • Work independently and objectively.


anDREa:

  • requires all employees to aid and support the auditor in carrying out the work.

  • will provide access to policy documents, procedures, guidelines, and other administrations needed to carry out the internal audit.


The internal audit consists of three components:

  • Design: is there a documented procedure/policy?

  • Existence: has the procedure/policy been implemented?

  • Functioning: is the implemented procedure/policy effective, and has evidence of its functioning been collected?


Audit planning


The three-year provisional planning for the internal audit on the ISMS of anDREa is presented in Internal audit planning. In the first year, the entire ISMS is audited. The provisional planning can be adjusted based on the results of internal and external audits. For each internal audit it can be decided to deviate from the planned subjects based on newly identified risks, incident reports, results of previous audits and the importance of certain processes within the organisation.


Audit plan 


The internal auditor writes a plan outlining:

  • The scope and target areas.

  • Who will be involved as auditors (such as subject-specific experts) for which part of the audit.

  • Who will be involved in the interviews for which part of the audit.


The internal auditor discusses the plan with the management team and the Security Officer and adjusts it where appropriate. The Security Officer communicates the final audit plan to the involved employees.


Preparation


  • The internal auditor and the Security Officer set up an internal audit meeting in Microsoft Teams or Google Meet.

  • The Security Officer invites the additional interviewees.


Carrying out an audit


The internal auditor is bound by the guidelines stated below when carrying out the internal audit:

  • Assessment of the existence and functioning of the ISMS takes place based on the audit criteria in the norm. The internal auditor and the Security Officer decide what the points of interest are. As a result, it may be decided to give more, less or no attention to certain subjects based on information security incidents, developments in the field of information security, results of previous audits, the risk assessment and the importance of processes within the organisation. These decisions and their explanations are recorded in the internal audit report.

  • The internal auditor manages his/her audit trail during the audit itself. The audit trail consists of all evidence that has been used during the audit. The internal auditor decides what he/she finds relevant to be used as evidence. The Security Officer will safeguard the audit trail once the audit session has ended.


Audit report


The internal auditor reports findings per subject:

  • The assessed criteria.

  • The assessment results.

  • Who was interviewed.

  • The audit trail.

  • The findings with explanation and evidence.


The internal auditor delivers the audit report to the Security Officer. The Security Officer will take charge of the report and communicate the results to management.


Follow-up


If nonconformities arise during the internal audit, the Security Officer will create a follow-up report. In this report the Security Officer assesses:

  • the nonconformity.

  • the root cause.

  • the size of the nonconformity.

  • the immediate corrective steps.

  • the long-term corrective steps.


This is done in accordance with Clause 10 Improvement. The follow-up is tracked in a ticket and reviewed by management.


Recording


All of the above is recorded in the ticket system so that there is demonstrable proof that the audits took place, what the findings were, and how these were addressed. All relevant tickets are tagged with ‘internal audit’.


The Security Officer will draw up an internal audit management summary for publication on the Knowledge Base.

9.3 Management review


“Top management shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the information security management system;

c) feedback on the information security performance, including trends in (1) nonconformities and corrective actions; (2) monitoring and measurement results; (3) audit results; and (4) fulfilment of information security objectives.

d) feedback from interested parties;

e) results of risk assessment and status of risk treatment plan; and

f) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. 

The organisation shall retain documented information as evidence of the results of management reviews.”



Top management will review the ISMS periodically in the following ways:

  • The CTO approves (changes in the) documented information of the ISMS.

  • Management attends the monthly Information Security Management Board (ISMB) meetings.

  • Management reviews the annual Security Management Report delivered by the Security Officer.

    • All resulting actions are tracked in the appropriate tickets.

  • Management representatives participate in internal (and external) audits.


Administrations

