Phase III: Continuous Monitoring & Auditing
It’s important to remember that while obtaining initial ISO/IEC 27001 certification is the present goal, maintaining certification is the long-term, and often, more challenging endeavor. Compliance is a constantly evolving process - a moving target - and neve a one-and-done scenario.
For this reason alone, developing, implementing, and executing on a Continuous Monitoring Program (ConMon) and/or an Internal Audit Program is so critically important. Without a viable and well-developed ConMon or Internal Audit Program program, organizations find themselves unable to successfully keep their ISMS on track for future audits and certifications. Spending thousands of dollars to prepare and hopefully earn ISO/IEC 27001 certification is meaningless if you can’t monitor and improve upon what you’ve built.
Words such as ‘monitoring’, ‘improvement’, ‘continuous’, and other related measures are found all throughout the Annex A 27001:2022 controls, which means organizations should strive to implement either a ConMon program or an Internal Audit Program for their ISMS. And as stated in ISO/IEC 27001: 2022, 10.1 Continual improvement, The organization is to “continually improve the suitability, adequacy and effectiveness of the information security management system.”
Additionally, Per iSO/IEC 27001:2022 - 9.2 Internal audit - The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: a) conforms to 1) the organization’s own requirements for its information security management system; 2) the requirements of this document; b) is effectively implemented and maintained.
For organizations simply working towards ISO/IEC 27001 ‘compliance’, we suggest implementing a ConMon Program. For organizations working towards ISO/IEC 27001 ‘certification’ we highly recommend implementing an Internal Audit Program.
It’s also important to note that to maintain ISO/IEC 27001 certification by an accredited certification body, organizations must continually be assessed. This starts with the initial certification audit, then an internal audit by the organization, followed by a surveillance audit, and finally, a recertification audit. For organizations to have the confidence that they can successfully keep pace and satisfactorily meet such audit requirements, they must put in place effective measures for continuous monitoring.
With MorganHill, we build customized, easy-to-use ConMon and Internal Audit programs for keeping your ISO/IEC 27001 efforts full on track.
We offer industry leading security documentation for helping organizations develop all required Information Security Management System (ISMS) policies, procedures, programs, and plans in accordance with ISO/IEC 27001 & 27002:2022.