To monitor the level of information security, we establish indicators that measure how responsibilities are held within the system, the security of assets, the effectiveness of training, the reliability of suppliers and the management of non-compliance.
Establishing information security monitoring in a company is an activity that must begin with the definition of real "security indexes" that express the level of information security with respect to the various aspects of the management system.
The determination of the security indexes
We suggest monitoring the level of information security by establishing the following security indexes, each expressly dedicated to a specific part of the system:
- Security index relating to roles and requirements
- Security index relating to the holding of responsibility
- Security index relating to network management and communications
- Security index relating to software management
- Security index relating to the management of processing devices
- Security index relating to the management of the headquarters and archives
- Security index relating to the management of systems and security devices
- Security index relating to the training carried out
- Security index relating to the management of the training provided
- Security index relating to the management of the training plan
- Security index relating to communication management (internal and external)
- Security index relating to the selection and management of suppliers
- Security index relating to the management of non-compliant products
- Security index relating to the management of audits and non-conformities
With these security indexes it is possible to keep every process of the management system under control. Observing the values the indexes take on over time gives a clear picture of the overall level of information security.
How to organize monitoring
Clause 9 of ISO 27001 itself states quite clearly that it is necessary to define what to monitor, when, how and who should do it. For the purpose of implementing the information security management system, we therefore suggest creating a real monitoring plan that establishes:
- The subject of the monitoring
- The person responsible for the performance being measured
- The date on which the performance assessment is to be carried out
- The person in charge of the monitoring
- An indication that the monitoring actions have actually been completed