This page contains the answers to some frequently asked questions about 9.1 Monitoring and measuring:
- Why are not all controls included in the Monitoring Plan?
- How can I determine which controls are included?
- Is it useful to add all controls?
- Do I need to remove the Check details on the controls that are not included?
Why are not all controls included?
Requirement 9.1 reads:
The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls;
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results. The methods selected should produce comparable and reproducible results to be considered valid.
c) when the monitoring and measuring shall be performed;
d) who shall monitor and measure;
e) when the results from monitoring and measurement shall be analysed and evaluated; and
f) who shall analyse and evaluate these results.
It does not state that everything needs to be monitored; an organization is free to determine which parts of the management system they deem most useful to monitor.
Typically, these are key element and controls tied to high risks, or controls that have proven to fail in the past. As a result, the contents of the Monitoring plan may vary over time.
Determining the contents of the Monitoring plan
Within Instant 27001 for Confluence, the controls to be monitored are marked with the label MONITORING.
Adding this label to a requirement or control will make it show up on the Monitoring plan (or remove the label if you don’t want the control to show up).
The remaining elements will be left for the internal auditor to check.
Adding all controls to the monitoring plan
As stated before, it is not necessary to monitor the performance of the whole management system (and its controls), it might even prompt some auditors to state that you are mixing up elements 9.1 and 9.2.
But, if you do want to go all the way, you can accomplish this by adding the labels CONTROL and/or ISMS-REQUIREMENT to the Page Properties Report-macro on the Monitoring plan, as follows:
Removing the Check details
The block containing the Check details is visible on all controls, even the ones that are (currently) not in the Monitoring plan.
It is not recommended to remove them, as you will need to add them by hand should you decide to include them in a later stage.
If this is confusing you (or the auditor), you can mark the Frequency as None, or hide the block by marking the Page Properties-macro as hidden: