CHAPTER 8: MEASURE, MONITOR AND REVIEW
A useful ISMS is one that helps an organisation achieve its information security objectives – those objectives should be linked to its business, regulatory and contractual objectives and should be delegated to appropriate levels within the organisation.
ISO 27001 requires the organisation “to continually improve the suitability, adequacy and effectiveness of the ISMS”. The corrective action requirements of the Standard are met by an effective ISMS audit plan, competent review of non-conformities (part of the responsibility of the information security manager), the incident response procedures and the related documentation.
The combination of effective monitoring, measuring, and corrective action processes ...