Maintenance and operation of an ISO 27001 ISMS

Successfully completing an ISO 27001 certification places great demands on an organisation. The announcement of success is normally treated as the end of a difficult journey, and can be a time when attention turns to other pressing matters. However, the real job, the real value-generating part of ISO 27001, now starts. This is where the organisation reaps the rewards of a well thought out Information Security Management System (ISMS) which addresses the issues that face that specific organisation. Using the ISMS effectively can be broken down into seven actions:
1.     Operate the ISMS
2.     Update the documentation
3.     Review the risk assessment
4.     Monitor and measure the ISMS
5.     Perform internal audits
6.     Perform management review
7.     Perform corrective actions

1) Operate the ISMS.

As part of the certification process the organisation generated its own policies and procedures. These need to be used on a day-to-day basis; where a document is not being used, simplify it, delete it if it is not mandatory, or replace it with a new document that matches the way the organisation actually works. If the employees of the organisation see the value in using the ISMS it will make all future actions so much easier.

2) Update the documentation.

Circumstances change; this is an inevitable part of business: new products are created, new software is deployed, the organisation is restructured, etc. This means documentation and procedures must evolve or they will become useless. Best practice is to nominate an owner for each document, and that person will have to review his or her document periodically (usually once a year) and recommend possible changes.

3) Review the risk assessment.

Again, because of the inevitability of change, what you want to protect evolves, and the threats to and vulnerabilities of your core assets evolve with it. This needs to be reflected in the risk register along with updated controls. The results of the last risk assessment must be reviewed periodically by the risk owners and updated where necessary; once this is done, new controls may have to be implemented based on those results. This review must be done at least once a year, or more often if a significant change has occurred.

4) Monitor and measure the ISMS.

Management of an ISMS

All organisations involve processes and the management of those processes; an ISMS is no different. Kaizen and various other management philosophies suggest ways to constantly improve processes. Once the organisation sets out to improve, monitoring and measuring become inevitable: how would you know whether you are doing a better job than before without benchmarks?
Monitoring is subtly different from measurement in this context. Monitoring means the organisation keeps an eye on various security-related events: incidents, errors, exceptions, etc. Based on this information the organisation learns what to do better and how to prevent future incidents. Measurement is about whether the ISMS achieves its intended results. To do this, the organisation has to measure whether it has achieved its objectives; for example, if the objective was to decrease the number of incidents by 50% in the current year, the outcome has to be evaluated on a factual basis, which means the incident counts for this year and the previous one must actually have been recorded.

5) Perform internal audits.

When done properly and honestly, an internal audit can reveal more security weaknesses than most of the other activities together. An organisation can either train some of its own employees to do this job or hire an external auditor. Whichever option is chosen, the auditor should be empowered to do the job thoroughly, and the organisation needs to act upon the audit results.

6) Perform management review.

This is a crucial activity, since it actively involves top management in information security. Good corporate governance practice means that management must be aware of the status of the ISMS. To achieve that, practitioners have to inform them about the key issues related to the ISMS and ask them to make and document crucial decisions; for example, changes in organisation, providing the budget, eliminating obstacles, etc.

7) Perform corrective actions.

This could be regarded as implied in each of the previous six actions, but it is worth calling out explicitly. Corrective actions should be regarded positively and not as a failure in a previous phase: no system will ever be perfect from the outset, so corrective actions need to be presented in a positive light to ensure they are encouraged.


Typically the certification body will perform surveillance visits at least once a year, and will check all seven actions listed above. In so doing they may ask for documentation and records showing that these seven actions have been performed in practice and not just as a simulacrum of action.
In addition they will follow up on all the non-conformities from their last visit, and the organisation needs to be able to account for any actions taken, or not taken, in regard to those non-conformities.
These steps to secure the maintenance and operation of an organisation's ISMS come down to this: a properly maintained ISMS helps an organisation to achieve its strategic objectives and should be prioritised accordingly.


Thanks to our colleagues at for contributing this content.
