
ISO 27001 Requirement 9.1 – Performance Evaluation

By Mark Sharron | Updated 14 December 2023

ISO 27001 clause 9.1 requires organisations to evaluate how the ISMS is performing and to assess the effectiveness of the information security management system.

What does Clause 9.1 involve?

If the organisation is seeking certification for ISO 27001, the independent auditor from a certification body accredited by UKAS (or a similar accreditation body internationally for ISO certification) will be looking closely at the following areas:

  • what it has decided to monitor and measure: not just the objectives but the processes and controls as well
  • how it will ensure valid results from the measuring, monitoring, analysis and evaluation
  • when that measurement, monitoring, evaluation and analysis takes place, and who does it
  • how the results are used

Like everything else with ISO/IEC international standards, including ISO 27001, the documented information is all-important: describing what you do, then demonstrating that it is actually happening, is the key to success!


How to meet the requirements of clause 9.1

As with much of clause 8 on the operation of the information security management system, clause 9.1 is taken care of by looking at the whole ISMS and the other parts that contribute to this requirement.

For example:

  • The work completed in 4.1, 4.2 and 4.3 identifies the issues (including the information assets), the interested parties and the scope
  • 6.1 then sets out risk identification, evaluation and treatment in a structured fashion to help address this requirement
  • 6.2 actually documents the objectives for the ISMS and, if done well, will include the measurement, monitoring, frequency, source management and evidence
  • 9.2 helps with internal audits of the whole system, showing what is working and what can be improved upon
  • 9.3 brings much of that requirements work together for management reviews and analysis, with the strategic decision making driven by the agenda it covers
  • Clause 10.1 then looks at non-conformity and 10.2 at the broader continual improvement opportunities in the information security management system
  • Many of the Annex A controls also drive evaluation and reviews of performance, including Annex A.5.1 and Annex A.18, the latter covering both compliance with legislation and independent reviews of information security

So, assuming these parts of the ISMS have been implemented with the clause 7.5 requirements for robust documented information in mind, you can breathe easy. There is nothing else to do except document that 9.1 is met by the points above and join up the management system so an auditor can see it all working in practice. It’s easy to do with ISMS.online.

