ISO 27001 Clause 9.1

This sub-clause requires the organisation to determine what to monitor and measure, when, and how, and to evaluate the information security performance and effectiveness of the ISMS.

ISO 27001 Clause 9.1 - Monitoring, Measurement, Analysis and Evaluation

Clause 9.1 is one of the most flexible clauses in the standard. It does not specify what the organisation must measure. It requires the organisation to decide what is worth measuring, how to measure it, and what to do with the results. Get this clause right and the management system tells you when it is working and when it is not.

What ISO 27001 Clause 9.1 Requires

The organisation must determine: what needs to be monitored and measured, including information security processes and controls; the methods for monitoring, measurement, analysis and evaluation, as applicable, to give valid results; when the monitoring and measuring will be performed; who will perform them; when the results will be analysed and evaluated; and who will analyse and evaluate the results.

Documented information must be available as evidence of the monitoring and measurement results. The results must be evaluated for the information security performance and the effectiveness of the ISMS.

What to Monitor and Measure

The standard does not prescribe metrics. Useful information security metrics typically fall into a few categories. Coverage metrics show how widely controls are deployed - the proportion of systems with multi-factor authentication, the proportion of staff who have completed awareness training. Performance metrics show how well controls are operating - average time to patch critical vulnerabilities, time to detect and contain incidents, percentage of access reviews completed on time. Outcome metrics show what the controls are actually preventing - number of confirmed phishing attempts blocked, incidents avoided through detection.

The right mix depends on what matters to the organisation. A handful of meaningful metrics that are reviewed and acted on is worth more than dozens of metrics that are gathered and ignored.

Analysis and Evaluation

Monitoring is collecting the data. Analysis is making sense of it. Evaluation is deciding what action to take. The clause requires all three. A metric that gets reported but never triggers any decision is monitoring without evaluation, and that does not meet the clause.

The monitoring results feed into the management review under Clause 9.3, the risk reassessment under Clause 8.2, the corrective action process under Clause 10.2 and the objectives review under Clause 6.2. The links between these activities are what turn measurement from a reporting exercise into a management tool.

The trap with metrics is collecting too many because they are easy to count. Useful metrics are often the harder ones to gather - they tell you something you did not already know. A short list of meaningful indicators reviewed monthly is more powerful than a dashboard with fifty numbers nobody reads.

I check that the metrics being collected match what the policy and risk register say is important. If the policy says protecting customer data is the priority and the dashboard tracks helpdesk ticket volumes but nothing about customer data protection, the measurement is not aligned to the management system.
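The following is an added illustration, not part of the original page or of any alphaZ template, of the monitoring, analysis and evaluation split described above, using the coverage and performance metric types named earlier (MFA coverage, time to patch critical vulnerabilities, access reviews completed on time). All system records, dates and targets are constructed for the example; the standard itself sets no targets, and the threshold values here are assumptions the organisation would replace with its own.

```python
"""Monitoring -> analysis -> evaluation for a few constructed security metrics.

Example code added for illustration; the records, dates and targets below are
made up and are not taken from any real system or from the page's templates.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean

# --- constructed sample records (not real data) ------------------------------
SYSTEMS = [
    {"name": "crm",     "mfa": True,  "holds_customer_data": True},
    {"name": "billing", "mfa": True,  "holds_customer_data": True},
    {"name": "wiki",    "mfa": False, "holds_customer_data": False},
    {"name": "hr-db",   "mfa": False, "holds_customer_data": True},
]
# Critical vulnerabilities: when published, when patched (None = still open).
CRITICAL_VULNS = [
    {"system": "crm",     "published": date(2024, 3, 1),  "patched": date(2024, 3, 9)},
    {"system": "billing", "published": date(2024, 3, 4),  "patched": date(2024, 3, 30)},
    {"system": "hr-db",   "published": date(2024, 3, 10), "patched": None},
]
ACCESS_REVIEWS = [
    {"system": "crm",     "due": date(2024, 3, 31), "completed": date(2024, 3, 28)},
    {"system": "billing", "due": date(2024, 3, 31), "completed": date(2024, 4, 12)},
    {"system": "hr-db",   "due": date(2024, 3, 31), "completed": None},
]
REPORT_DATE = date(2024, 4, 15)

# Targets chosen by the (hypothetical) organisation; Clause 9.1 prescribes none.
TARGETS = {
    "mfa_coverage_customer_data": (1.0, True),    # (target, higher_is_better)
    "mean_days_to_patch_critical": (14.0, False),
    "access_reviews_on_time": (0.9, True),
}


@dataclass
class Metric:
    name: str
    value: float
    target: float
    higher_is_better: bool

    def met(self) -> bool:
        """Analysis step: compare the measured value with the chosen target."""
        return self.value >= self.target if self.higher_is_better else self.value <= self.target


# --- monitoring: turn raw records into numbers -------------------------------
def mfa_coverage_customer_data(systems) -> float:
    """Coverage metric scoped to what the policy says matters (customer data)."""
    scoped = [s for s in systems if s["holds_customer_data"]]
    return sum(1 for s in scoped if s["mfa"]) / len(scoped)


def mean_days_to_patch_critical(vulns, as_of) -> float:
    """Performance metric. Open vulnerabilities count with their age so far;
    ignoring them would make the average flatter the worst cases."""
    ages = [((v["patched"] or as_of) - v["published"]).days for v in vulns]
    return mean(ages)


def access_reviews_on_time(reviews) -> float:
    """Performance metric: share of reviews completed on or before the due date."""
    on_time = [r["completed"] is not None and r["completed"] <= r["due"] for r in reviews]
    return sum(on_time) / len(on_time)


def collect_metrics(as_of=REPORT_DATE):
    values = {
        "mfa_coverage_customer_data": mfa_coverage_customer_data(SYSTEMS),
        "mean_days_to_patch_critical": mean_days_to_patch_critical(CRITICAL_VULNS, as_of),
        "access_reviews_on_time": access_reviews_on_time(ACCESS_REVIEWS),
    }
    return [Metric(name, values[name], *TARGETS[name]) for name in TARGETS]


# --- evaluation: every missed target becomes a decision, not just a number ---
def evaluate(metrics):
    """Return the actions a missed target should trigger (corrective action
    under Clause 10.2, input to the Clause 9.3 management review)."""
    actions = []
    for m in metrics:
        if not m.met():
            actions.append(
                f"{m.name}: measured {m.value:.2f}, target {m.target:.2f} "
                f"-> raise corrective action (10.2) and report at management review (9.3)"
            )
    return actions


if __name__ == "__main__":
    for line in evaluate(collect_metrics()):
        print(line)
```

With the constructed records every metric misses its target (two of three customer-data systems have MFA, the mean patch age is just over 23 days because the open item keeps ageing, and one of three reviews was on time), so each one produces an action. Scoping the MFA metric to systems holding customer data is the alignment point made above: the number reported answers the question the policy actually asks.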

Practical Compliance Guidance

The IT systems monitoring template provides a structured approach to collecting and reporting the technical metrics most ISO 27001 management systems rely on. The management review template incorporates the results into the formal review cycle.

The documents below support the planning, recording and evaluation of information security monitoring and measurement.

alphaZ document | How to use it
ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including the IT monitoring template and management review template.
F-Q25 IT Systems Monitoring | Template for collecting and reporting on IT and information security monitoring metrics, ready for adaptation to the organisation's chosen indicators.
F-Q3 Management Review | Management review template that incorporates monitoring and measurement results as a standard input.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

Does ISO 27001 specify which metrics the organisation must use?

No. The standard requires the organisation to decide what to measure based on its priorities. ISO 27004 provides guidance on information security measurement but is not mandatory. Common areas for measurement include patching, access management, awareness, incident response and supplier security.

How often should monitoring and measurement be performed?

It depends on the metric. Some metrics need daily monitoring (security alerts, system availability). Others are monthly or quarterly. The management review brings the consolidated picture together at planned intervals - usually annually as a minimum, more often where the system is still maturing.

What is the difference between monitoring under Clause 9.1 and internal audit under Clause 9.2?

Monitoring under Clause 9.1 collects ongoing data about the operation of the controls and the system. Audit under Clause 9.2 is a periodic, independent check of whether the system meets the requirements and operates as intended. Monitoring is continuous and operational. Audit is point-in-time and evaluative.

UK Legislation

No UK legislation directly prescribes information security metrics. UK GDPR requires the organisation to demonstrate compliance, which often involves measurement of the technical and organisational measures protecting personal data.