3.1. Three conformity components and a mechanism for ensuring conformity
Conformity with ISMS standards is the prerequisite for an effective management system. What, then, constitutes a system that complies with the standards and delivers effective results? The chart below illustrates the components and mechanism of such a system:
Figure 3-1 Three conformity components and a supporting mechanism to ensure conformity
Internal audits must assess whether the three conformity components are in place (rules are established, necessary measures are implemented, and regular monitoring of the situation is carried out) and whether there is a mechanism to ensure that these three components remain in place.
3.2. Assessing effectiveness through audits
Another important role of internal audits is to assess whether or not the objectives of the management system are fulfilled on an ongoing basis—in other words, whether or not the management system is effective.
Definition of the effectiveness of a management system:
The extent of planned activities that are performed and planned results that are delivered.
Now, let us consider the opposite situation: what characterizes a situation in which planned activities are performed but the planned results are not delivered?
The applicability of this analysis is not limited to management systems. For instance, if you cannot obtain expected results from day-to-day operations or from a project, it means that the operation or the project in question is not effective. Without taking corrective actions, you will not be able to maintain, let alone grow, your business.
Audits for the maintenance and development of business are required to assess whether events that threaten business security (in the three areas of confidentiality, integrity, and availability) are appropriately controlled. This means that auditors without knowledge of what an “appropriately controlled” state is cannot assess effectiveness through an audit.
3.3. Effectiveness of ISMS
Now let us take another look at the effectiveness of an ISMS from the perspective of a process-based approach.
The effectiveness of the ISMS and control measures of an organization can be assessed when the achievement levels of ISMS objectives and goals and the number of incident occurrences fall within acceptable levels.
Figure 3-2 Assessment of the effectiveness of an ISMS
Whether or not selected control measures are appropriate as outputs cannot be judged by assessing the control measures themselves. Rather, the appropriateness can be evaluated indirectly by checking corresponding inputs and process to see if:
The evaluation of one of the three process-based approach elements (inputs, processes, and outputs) can be conducted by review of the other two.
An effective ISMS starts with risk assessment to select and introduce appropriate control measures. Then, the selected control measures are implemented to achieve the ISMS’s objectives and goals. The level of effectiveness of the ISMS is indicated according to what extent the objectives and goals are achieved.
As they are conducted within a limited period of time, internal audits are unable to assess all information assets in all departments to verify compliance with applicable standards. Internal auditing therefore always involves uncertainty. To assess whether an organization’s management system is effective, auditors examine the conformity levels of a sample of the organization’s information assets and the mechanisms for ensuring that conformity. If the organization’s management system (i.e., the PDCA cycle) is operated appropriately and the system delivers effective results, it can be assumed that the organization’s ISMS objectives and goals have been achieved and that an unacceptable level of incidents is not likely to occur.
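The following is an added worked example, not part of the original guide, that turns the two assessments described in sections 3.1 and 3.3 into a small audit-scoring model: for each sampled information asset it checks the three conformity components plus the supporting mechanism, and for the ISMS as a whole it checks whether objective achievement levels and the incident count fall within acceptable levels. The asset names, objectives, incident records and the acceptable-incident threshold are constructed for illustration and are assumptions, not values taken from the guide.

```python
"""Audit-scoring model for the conformity and effectiveness checks of this section.

Added example; all names, thresholds and figures are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class AssetConformity:
    """Audit evidence for one sampled information asset (section 3.1)."""
    name: str
    rules_established: bool
    measures_implemented: bool
    monitoring_in_place: bool
    mechanism_exists: bool  # something that keeps the three components in place over time

    def findings(self):
        """Return nonconformity findings as short strings; an empty list means conforming."""
        checks = {
            "rules not established": self.rules_established,
            "measures not implemented": self.measures_implemented,
            "monitoring not in place": self.monitoring_in_place,
            "no mechanism ensuring conformity": self.mechanism_exists,
        }
        return [finding for finding, ok in checks.items() if not ok]


@dataclass
class Objective:
    """An ISMS objective with its target and measured achievement level (both 0.0 to 1.0)."""
    name: str
    target: float
    achieved: float

    @property
    def met(self):
        return self.achieved >= self.target


@dataclass
class AuditResult:
    sample_size: int
    nonconforming_assets: dict   # asset name -> list of findings
    unmet_objectives: list
    incident_count: int
    incidents_acceptable: bool

    @property
    def sample_conformity_rate(self):
        """Share of sampled assets with no findings. Sample-based only: it does not
        prove that unsampled assets conform (the uncertainty noted in section 3.3)."""
        if self.sample_size == 0:
            return 0.0
        return 1 - len(self.nonconforming_assets) / self.sample_size

    @property
    def effective(self):
        # Section 3.3: effective when objectives are achieved and incidents stay
        # within the acceptable level.
        return not self.unmet_objectives and self.incidents_acceptable


def assess_effectiveness(assets, objectives, incidents, max_acceptable_incidents):
    """Combine the per-asset conformity checks with the ISMS-level effectiveness check."""
    nonconforming = {a.name: a.findings() for a in assets if a.findings()}
    unmet = [o.name for o in objectives if not o.met]
    return AuditResult(
        sample_size=len(assets),
        nonconforming_assets=nonconforming,
        unmet_objectives=unmet,
        incident_count=len(incidents),
        incidents_acceptable=len(incidents) <= max_acceptable_incidents,
    )


# Constructed sample audit data (assumptions for illustration only).
SAMPLE_ASSETS = [
    AssetConformity("customer-db", True, True, True, True),
    AssetConformity("hr-fileshare", True, True, False, True),    # monitoring missing
    AssetConformity("backup-tapes", True, False, False, False),  # measures, monitoring, mechanism missing
    AssetConformity("vpn-gateway", True, True, True, True),
]
SAMPLE_OBJECTIVES = [
    Objective("patch critical vulnerabilities within 14 days", target=0.95, achieved=0.97),
    Objective("complete annual security awareness training", target=0.90, achieved=0.82),
]
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "area": "availability", "summary": "file share outage, 2 hours"},
    {"id": "INC-2", "area": "confidentiality", "summary": "misdirected e-mail with personal data"},
]
MAX_ACCEPTABLE_INCIDENTS = 3  # assumed acceptable level for the audit period


def run_sample_audit():
    return assess_effectiveness(SAMPLE_ASSETS, SAMPLE_OBJECTIVES, SAMPLE_INCIDENTS, MAX_ACCEPTABLE_INCIDENTS)


if __name__ == "__main__":
    result = run_sample_audit()
    for asset, findings in result.nonconforming_assets.items():
        print(f"{asset}: {', '.join(findings)}")
    print(f"sample conformity rate: {result.sample_conformity_rate:.0%}")
    print(f"unmet objectives: {result.unmet_objectives}")
    print(f"incidents: {result.incident_count} (acceptable: {result.incidents_acceptable})")
    print(f"ISMS effective: {result.effective}")
```

With the constructed data, two of the four sampled assets have findings, the incident count is within the assumed acceptable level, but one objective misses its target, so the ISMS is reported as not effective; the conformity rate is deliberately labelled as sample-based so that a reader does not mistake it for a statement about every asset in the organization.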