ISO 27001 itself does not require measuring each process (processes can be monitored instead).
Examples of measures are:
whether the risk assessment has been reviewed at the scheduled times,
whether the risk treatment actions have been closed at the scheduled times,
whether the risk treatment actions have been effective.
Making distinct measurements for each control is not useful (and, moreover, it can require too much effort, reducing resources for other information security activities).
Auditors should also be aware that ISO 27001 requires organizations to “monitor and measure”, not only to “measure”. For many controls, a monitoring activity can be sufficient for evaluating their effectiveness.