Overview
Draft and validate the Clause 9.1 Monitoring, Measurement & Evaluation report — the “Check” phase of PDCA. The skill turns raw operational data into effectiveness-oriented KPIs, ensures every failed control is linked to a corrective action (CAPA), and validates CAPA entries for completeness per Clause 10.2.
For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the ISO 27001 ISMS workspace tutorial.
What It Covers
- Effectiveness-oriented KPIs — metrics that measure control outcomes (time to detect, % meeting SLA) rather than activity counts (number of alerts, number of scans)
- Control performance monitoring — structured reporting with results, targets, trends, and conclusions
- CAPA linkage — every failed control or non-conformance must reference a corrective action
- CAPA completeness — validates root cause analysis, systemic corrective action, owner, target date, and effectiveness review
- Correction vs corrective action — enforces the distinction auditors check: fix the symptom (correction) AND fix the root cause (corrective action)
Example Conversation
You: We need the quarterly Monitoring & Evaluation report for Clause 9.1. I have our incident and access-review data. I want KPIs that show control effectiveness, not just activity counts.
Agent: I’ll use the Clause 9.1 template and suggest effectiveness-oriented metrics. Running `metric_kpi_generator` for your key domains…
Incident Detection:
- Prefer: Mean time to detect (MTTD), proportion of incidents detected by controls vs reported by users
- Avoid: Number of alerts, number of logs ingested
Access Control:
- Prefer: Time to revoke access after role change (target ≤24h), proportion of access reviews with no orphan accounts
- Avoid: Number of access requests processed
Vulnerability Management:
- Prefer: Time to remediate by severity (Critical ≤7d, High ≤30d), proportion remediated within SLA
- Avoid: Number of scans, number of vulnerabilities found
I’ll draft the report with these metrics. What are your actual results for this quarter?
You: MTTD was 3.2 hours (target ≤4h — met). Access revocation median 18h (target ≤24h — met). Critical vuln remediation averaged 9 days with one outlier (target ≤7d — missed). I’ve raised CAPA-042 for the vuln remediation miss.
Agent: Report drafted. Running `non_conformance_logic_bridge` to verify CAPA linkage…
Result: PASS — 1 failed control detected, CAPA #42 referenced. All failures linked to CAPA.
Now let me check the CAPA itself. Running `capa_completeness_validator` on your CAPA log…
Result: 2 issues found:
- [ERROR] CAPA-042: No root cause analysis — Clause 10.2 requires determining the cause
- [WARNING] CAPA-042: No effectiveness review planned — should verify corrective action works
You: Root cause was that the vulnerability scanning tool didn’t alert the on-call team for high-severity findings — only critical. We’ve updated the alert configuration.
Agent: That’s a good correction (immediate fix), but you also need a systemic corrective action — why wasn’t the alert configuration reviewed as part of the initial setup? Consider adding a “scanning tool configuration review” to the quarterly infrastructure checklist. And schedule an effectiveness review for next quarter to verify the SLA is consistently met.
Sample Output Excerpt
Below is a representative excerpt from a generated Clause 9.1 report with the CAPA log section.
Monitoring Results (excerpt)
| Control / Process | Metric / KPI | Target | Result | Trend | Conclusion |
|---|---|---|---|---|---|
| Incident detection | Mean time to detect (MTTD) | ≤ 4h | 3.2h | Improving (was 4.1h) | Effective |
| Access control | Time to revoke after role change | ≤ 24h | 18h median | Stable | Effective |
| Vulnerability management | Critical remediation time | ≤ 7d | 9d (one outlier) | Deteriorated | Not effective — CAPA-042 |
| Backup/recovery | RTO achieved in quarterly test | ≤ 4h | 2.8h | Stable | Effective |
| Training | Annual completion rate | 100% | 92% | Improved (was 85%) | Not yet effective — monitoring |
CAPA Log (excerpt)
| CAPA ID | Source | Description | Root Cause | Corrective Action | Owner | Target Date | Effectiveness Review | Status |
|---|---|---|---|---|---|---|---|---|
| CAPA-042 | Monitoring Q4 | Critical vuln remediation exceeded 7-day SLA | Scanner alert configuration did not include high-severity; only critical alerts triggered on-call | 1. Updated alert config (correction). 2. Added scanning tool config to quarterly infra review checklist (corrective action). | Head of Engineering | 2025-02-15 | 2025-05-15 | In progress |
| CAPA-038 | Internal Audit | Access review not completed for Q2 | Manual spreadsheet process; no automated reminders | Implemented automated access review reminders in IAM tool; added to monthly ops checklist | IT Manager | 2024-12-01 | 2025-03-01 — verified effective | Closed |
Extension Tools
metric_kpi_generator
Suggests effectiveness-oriented KPIs for 8 control domains:
| Domain | Effectiveness Metric Examples |
|---|---|
| Access control | Time to revoke, % reviews with no orphan accounts |
| Incident detection | MTTD, % detected by controls vs user-reported |
| Incident response | MTTC/MTTR, % closed with root cause |
| Vulnerability management | Time to remediate by severity, % within SLA |
| Backup/recovery | RTO achieved in tests, % restores successful |
| Change management | % changes without rollback/incident |
| Training/awareness | Phishing click rate trend, % completing training |
| Supplier security | % suppliers with valid assessment, time to close NCs |
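The metrics in the table above are outcome measures, so they have to be computed from the period's raw records rather than counted. The following Python is an added example, not part of the skill or the `metric_kpi_generator` tool; it works on constructed incident and vulnerability records (not real data) and uses the targets quoted on this page (MTTD ≤ 4h, critical remediation ≤ 7d, high ≤ 30d) to derive the Result and Conclusion columns of a Clause 9.1 monitoring row. The 70% target for "share detected by controls" is this example's own assumption.

```python
from datetime import datetime
from statistics import mean

# Constructed sample operational data for one quarter (illustrative only, not
# real records). Each incident: (time occurred, time detected, who detected it).
INCIDENTS = [
    ("2025-01-03T08:00", "2025-01-03T10:30", "control"),
    ("2025-01-14T22:15", "2025-01-15T01:45", "control"),
    ("2025-02-02T09:00", "2025-02-02T13:00", "user"),
    ("2025-02-20T16:30", "2025-02-20T19:30", "control"),
]
# Each vulnerability: (severity, date opened, date closed).
VULNS = [
    ("critical", "2025-01-05", "2025-01-09"),
    ("critical", "2025-01-20", "2025-02-10"),  # the 21-day outlier
    ("critical", "2025-02-11", "2025-02-13"),
    ("high", "2025-01-07", "2025-01-30"),
    ("high", "2025-02-01", "2025-03-10"),
]
# Remediation SLA per severity in days (the targets used on this page).
SLA_DAYS = {"critical": 7, "high": 30}


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _days(start: str, end: str) -> int:
    """Elapsed whole days between two ISO 8601 dates."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).days


def mttd_hours(incidents=INCIDENTS) -> float:
    """Mean time to detect: an outcome metric, unlike a raw alert count."""
    return round(mean(_hours(occurred, detected) for occurred, detected, _ in incidents), 2)


def share_detected_by_controls(incidents=INCIDENTS) -> float:
    """Proportion of incidents found by controls rather than reported by users."""
    return sum(1 for *_, who in incidents if who == "control") / len(incidents)


def remediation(vulns=VULNS, severity="critical") -> dict:
    """Mean remediation time, share within SLA and breach count for one severity."""
    times = [_days(opened, closed) for sev, opened, closed in vulns if sev == severity]
    sla = SLA_DAYS[severity]
    return {
        "mean_days": round(mean(times), 1),
        "within_sla": round(sum(t <= sla for t in times) / len(times), 2),
        "breaches": sum(t > sla for t in times),
    }


def conclusion(result: float, target: float, lower_is_better: bool = True) -> str:
    """Map a result against its target to the report's Conclusion column."""
    met = result <= target if lower_is_better else result >= target
    return "Effective" if met else "Not effective"


def monitoring_rows() -> list:
    """Rows for the Clause 9.1 Monitoring Results table, computed from the raw data."""
    mttd = mttd_hours()
    by_controls = share_detected_by_controls()
    crit = remediation(VULNS, "critical")
    return [
        {"control": "Incident detection", "kpi": "MTTD (hours)", "target": 4.0,
         "result": mttd, "conclusion": conclusion(mttd, 4.0)},
        {"control": "Incident detection", "kpi": "Share detected by controls", "target": 0.7,
         "result": by_controls, "conclusion": conclusion(by_controls, 0.7, lower_is_better=False)},
        {"control": "Vulnerability management", "kpi": "Critical remediation (mean days)",
         "target": SLA_DAYS["critical"], "result": crit["mean_days"],
         "conclusion": conclusion(crit["mean_days"], SLA_DAYS["critical"])},
    ]


if __name__ == "__main__":
    for row in monitoring_rows():
        print(row)
```

With the constructed data the critical remediation row comes out at a 9-day mean driven by a single 21-day breach, which is exactly the situation where the report needs a CAPA reference rather than a note that "most" items met the SLA; `remediation()` returns the breach count alongside the mean so that the outlier is visible in the report.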
non_conformance_logic_bridge
Validates that every failed control or non-conformance has CAPA linkage. Detects:
- Failed controls and below-threshold metrics
- Non-conformances and findings sections
- Global CAPA statements (“corrective actions initiated for all findings”)
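To make the linkage rule concrete, here is an added Python example that is not the `non_conformance_logic_bridge` tool's own code. It runs over constructed report rows, a constructed non-conformance list and a constructed report narrative (none of them real data). The row format (`better`, `conclusion` keys), the `CAPA-nnn` reference pattern and the regular expression used to spot a global CAPA statement are this example's own assumptions; the example treats a global statement as a warning because each failure on this page must reference its own corrective action.

```python
import re

# Constructed sample inputs (illustrative, not real report data).
MONITORING_ROWS = [
    {"control": "Incident detection", "target": 4.0, "result": 3.2,
     "better": "lower", "conclusion": "Effective"},
    {"control": "Vulnerability management", "target": 7.0, "result": 9.0,
     "better": "lower", "conclusion": "Not effective - CAPA-042"},
    {"control": "Training", "target": 100.0, "result": 92.0,
     "better": "higher", "conclusion": "Not yet effective - monitoring"},
]
NON_CONFORMANCES = [
    {"id": "NC-07", "finding": "Q2 access review not completed", "capa": "CAPA-038"},
    {"id": "NC-09", "finding": "Supplier assessment lapsed", "capa": ""},
]
CAPA_IDS = {"CAPA-038", "CAPA-042"}  # IDs that exist in the CAPA log
REPORT_NARRATIVE = "Corrective actions have been initiated for all findings."

# Assumed reference format for CAPA IDs on this page.
CAPA_REF = re.compile(r"\bCAPA-\d+\b")
# Assumed pattern for a blanket statement that stands in for per-control links.
GLOBAL_CAPA = re.compile(
    r"corrective actions?\b.{0,30}\b(initiated|raised|taken|planned)\b"
    r".{0,20}\ball (findings|non-conformances|failures)",
    re.IGNORECASE,
)


def is_failed(row: dict) -> bool:
    """A control fails when its result is on the wrong side of the target."""
    if row["better"] == "lower":
        return row["result"] > row["target"]
    return row["result"] < row["target"]


def check_linkage(rows=MONITORING_ROWS, ncs=NON_CONFORMANCES,
                  capa_ids=CAPA_IDS, narrative=REPORT_NARRATIVE) -> dict:
    """Check that every failure points at a CAPA that actually exists in the log."""
    issues = []
    failed = [row for row in rows if is_failed(row)]
    for row in failed:
        refs = CAPA_REF.findall(row["conclusion"])
        if not refs:
            issues.append(("ERROR", f"{row['control']}: below target with no CAPA referenced"))
        for ref in refs:
            if ref not in capa_ids:
                issues.append(("ERROR", f"{row['control']}: references {ref}, which is not in the CAPA log"))
    for nc in ncs:
        ref = nc.get("capa", "")
        if not CAPA_REF.fullmatch(ref):
            issues.append(("ERROR", f"{nc['id']}: non-conformance without a CAPA reference"))
        elif ref not in capa_ids:
            issues.append(("ERROR", f"{nc['id']}: references {ref}, which is not in the CAPA log"))
    if GLOBAL_CAPA.search(narrative):
        issues.append(("WARNING", "Global CAPA statement found; each failure needs its own CAPA reference"))
    status = "FAIL" if any(sev == "ERROR" for sev, _ in issues) else "PASS"
    return {"status": status, "failed_controls": len(failed), "issues": issues}


if __name__ == "__main__":
    report = check_linkage()
    print(f"Result: {report['status']} - {report['failed_controls']} failed control(s) detected")
    for severity, message in report["issues"]:
        print(f"[{severity}] {message}")
```

The training row is the instructive case: "Not yet effective - monitoring" reads like a plan but contains no CAPA reference, so the check reports it as an error rather than accepting the narrative. Failure is derived from result versus target, not from the Conclusion wording, so a row mislabelled "Effective" would still be caught.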
capa_completeness_validator
Validates that each CAPA entry has all required fields per Clause 10.2:
| Field | Severity if Missing |
|---|---|
| Root cause analysis | ERROR |
| Systemic corrective action (not just correction) | ERROR |
| Owner | ERROR |
| Target date | ERROR |
| Immediate correction | WARNING |
| Effectiveness review plan | WARNING |
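The following Python is an added example of the completeness rule in the table above; it is not the `capa_completeness_validator` tool's own code. It runs over constructed CAPA entries that retrace the conversation earlier on this page: CAPA-042 as first logged, CAPA-042 after the root cause, systemic corrective action and review date were added, and a constructed CAPA-043 whose "corrective action" merely repeats the correction. The field names and the restated-correction heuristic are this example's own assumptions.

```python
# Required CAPA fields and the severity reported when one is empty; this mirrors
# the field/severity table on the page. The field names are this example's own.
REQUIRED_FIELDS = [
    ("root_cause", "ERROR", "No root cause analysis; Clause 10.2 requires determining the cause"),
    ("corrective_action", "ERROR", "No systemic corrective action (a correction alone is not enough)"),
    ("owner", "ERROR", "No owner assigned"),
    ("target_date", "ERROR", "No target date"),
    ("correction", "WARNING", "No immediate correction recorded"),
    ("effectiveness_review", "WARNING", "No effectiveness review planned"),
]

# Constructed CAPA entries (illustrative, not a real log).
CAPA_042_INITIAL = {
    "id": "CAPA-042", "source": "Monitoring Q4",
    "description": "Critical vuln remediation exceeded 7-day SLA",
    "root_cause": "",
    "correction": "Updated alert configuration",
    "corrective_action": "",
    "owner": "Head of Engineering", "target_date": "2025-02-15",
    "effectiveness_review": "",
}
CAPA_042_UPDATED = {
    **CAPA_042_INITIAL,
    "root_cause": "Scanner alert configuration did not include high-severity; only critical alerts triggered on-call",
    "corrective_action": "Added scanning tool config to quarterly infra review checklist",
    "effectiveness_review": "2025-05-15",
}
CAPA_ONLY_CORRECTION = {
    **CAPA_042_UPDATED, "id": "CAPA-043",
    "corrective_action": "Updated alert configuration",  # same text as the correction
}


def validate_capa(entry: dict) -> list:
    """Return (severity, capa_id, message) tuples for one CAPA entry."""
    issues = []
    for field, severity, message in REQUIRED_FIELDS:
        if not entry.get(field, "").strip():
            issues.append((severity, entry["id"], message))
    correction = entry.get("correction", "").strip().lower()
    corrective = entry.get("corrective_action", "").strip().lower()
    # Assumed heuristic: a corrective action that only restates the correction
    # has fixed the symptom, not the cause, which is the distinction auditors check.
    if correction and corrective and correction == corrective:
        issues.append(("ERROR", entry["id"],
                       "Corrective action repeats the correction; it must address the root cause"))
    return issues


def validate_log(entries) -> dict:
    """Summarise issues across a whole CAPA log."""
    issues = [issue for entry in entries for issue in validate_capa(entry)]
    return {
        "errors": sum(1 for sev, _, _ in issues if sev == "ERROR"),
        "warnings": sum(1 for sev, _, _ in issues if sev == "WARNING"),
        "issues": issues,
    }


if __name__ == "__main__":
    log = validate_log([CAPA_042_INITIAL, CAPA_042_UPDATED, CAPA_ONLY_CORRECTION])
    print(f"Result: {len(log['issues'])} issues found")
    for severity, capa_id, message in log["issues"]:
        print(f"[{severity}] {capa_id}: {message}")
```

Separating `correction` and `corrective_action` into two fields is what makes the correction-versus-corrective-action check enforceable: a free-text "Corrective Action" column like the one in the sample log lets a symptom fix pass as a root-cause fix, whereas two fields let the validator demand both and refuse one that is a copy of the other.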
Getting Started
Activate the ISO 27001 Monitoring, Measurement & Evaluation skill. If you’ve completed the Organization Profile skill, load it for context.
Have this information ready:
- Operational data for the reporting period (incident logs, access review results, scan reports, backup test results)
- Current KPIs and targets (or let the agent suggest effectiveness-oriented metrics)
- Any failed controls or non-conformances identified during the period
- Existing CAPA log with corrective action entries
The agent guides you through: scoping what is monitored, choosing effectiveness KPIs, drafting the report, validating CAPA linkage, and checking CAPA completeness. The output feeds directly into the management review (Clause 9.3) as a mandatory input.