An ISO 27001:2013 information security management system (ISMS) must be regularly measured to ensure that it is effective. Clause 9.1 of the Standard specifies how to go about measuring the ISMS, but it can prove to be a complex and overwhelming task.
This green paper provides some useful insights into how you can measure the effectiveness of your ISMS, covering:
- Which controls you should measure.
- How to measure controls correctly.
- What a proactive effectiveness measurement looks like.
- How to create a measurement strategy.
- How to measure the overall effectiveness of an ISMS.