DSF/ISO/IEC DIS 27004
Information technology -- Security techniques -- Information security management -- Monitoring, measurement, analysis and evaluation
| Organization: | DS |
| Status: | inactive |
| Page Count: | 65 |
| ICS Code (Information coding): | 35.040 |
Scope:
This International Standard provides guidelines intended to assist organizations to evaluate the information security performance and the effectiveness of the ISMS in order to fulfil the requirements of ISO/IEC 27001 Clause 9.1. It addresses:
a) the monitoring and measurement of information security performance;
b) the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls;
c) the analysing and the evaluating of the results of monitoring and measurement.

This International Standard is applicable to all types and sizes of organization. This International Standard is recommended for organizations implementing an ISMS that meets the requirements of ISO/IEC 27001. However, it does not establish any new requirements for ISMS which conform to ISO/IEC 27001 or impose any obligations upon organizations to observe the guidelines presented.
Document History