Three conformity components and the mechanism for those
Conformity with ISMS standards is the prerequisite for effectiveness in the management system. What then, constitutes being in compliance with standards and having effective results? The figure below illustrates that.
Internal audits assess whether or not rules are established, measures are implemented, and monitoring of the situation is performed; and a mechanism maintains those.
Auditing from a perspective of effectiveness
Another important role of internal audits is to audit whether or not the objectives of introducing the management system are fulfilled on an ongoing basis—in other words, whether or not the management system is effective.
Definition of effectiveness of a management system:
The extent to which planned activities are implemented and planned results are achieved
On the other hand, what constitutes a situation where planned activity results are not delivered?
This is not limited just to management systems. If the expected results cannot be obtained in day-to-day operations or in a project, it means they are not effective. Business therefore cannot be expected to be maintained nor advance.
Audits of the maintenance and advancement of business are required to assess whether events that threaten business security (in the three areas of confidentiality, integrity, and availability) are appropriately controlled. Without knowledge of what an “appropriately controlled” state is, auditing from a perspective of effectiveness cannot be done.
Effectiveness of an ISMS
Now let us take look at the effectiveness of an ISMS from the perspective of a process-based approach.
1. “Planned activities are...”
“Planned activities” refers to the control measures employed based on risk assessment results, taken as specific measures against risks. Therefore, at the time they are planned, control measures are expected to reduce risks once implemented. In light of this, planning is advisable.
2. “Implemented, and”
“Implemented” means that control measures are implemented as measures employed against risks. Implementation should be conducted with a planned reasonable budget and schedule.
3. “Planned results are achieved.”
The purpose of control measures is to reduce risks. Reducing risks means preventing incidents from occurring. Achievement is measured by using a planned evaluation method.
The effectiveness of the ISMS and the control measures of an organization can be evaluated when the achievement levels of ISMS objectives and goals and the number of incident occurrences fall within acceptable levels.
Whether or not control measures selected as outputs are appropriate cannot be judged from the control measures themselves. Rather, the appropriateness can be evaluated indirectly by checking inputs and process.
Evaluation of one of the three process-based approach components (inputs, processes, and outputs) can be conducted by checking the other two.
An effective ISMS must start with selection and introduction of appropriate control measures by risk assessment. Then, the selected control measures are implemented and the effectiveness of the ISMS is indicated by achievement of the objectives and goals.
As they are conducted within a limited period of time, internal audits are unable to confirm compliance of all information assets of all departments. Internal auditing always involves uncertainties. To assess whether an organization’s management system is effective, conformity of some of the organization’s information assets and mechanisms for ensuring the conformity are checked.
If the organization’s management system (i.e., the PCDA cycle) is operated appropriately and the system delivers effective results, the organization’s ISMS objectives and goals can be assumed to have been achieved and that an unacceptable level of incidents is not likely to occur.