ISO 27001 Monitoring, Measurement & Evaluation
Overview
Draft and validate the Clause 9.1 report (PDCA ‘Check’): KPIs that measure control effectiveness, executive insight from raw data, and CAPA linkage for every failed control. The skill helps you turn raw logs and operational data into executive-ready metrics and ensures every failed control or non-conformance is linked to a corrective action (CAPA), as auditors expect in 2026.
Example Conversation
You: We need the quarterly Monitoring & Evaluation report for Clause 9.1. I have our incident and access-review data; I want KPIs that show control effectiveness, not just activity counts.
Agent: I’ll use the Clause 9.1 template and the metric_kpi_generator to suggest effectiveness-oriented metrics. For incident detection we’ll use Mean Time to Detect (MTTD) and proportion of incidents detected by controls vs reported by users, rather than “number of alerts.” For access control I’ll add time-to-revoke and access-review outcome metrics. I’ll draft the report with results, analysis, and a failed-controls section. Once you add any CAPA references for failures, we’ll run non_conformance_logic_bridge to confirm every failed control is linked.
You: We had one failed metric: vulnerability remediation for critical items missed the 7-day SLA. I’ve raised CAPA #42 for it. Run the bridge check.
Agent: Running non_conformance_logic_bridge on the report…
Agent: NON-CONFORMANCE LOGIC BRIDGE (CAPA LINKAGE) — Result: PASS. Failed controls / non-conformances detected: 1. Each has a corrective action (CAPA) initiated or referenced. Report satisfies non-conformance logic. You can finalise the report.
What the Tools Validate
The skill includes two extension tools:
metric_kpi_generator suggests KPIs that measure control effectiveness instead of activity-only metrics:
- Accepts an optional domain (e.g. access control, incident detection, vulnerability management, backup and recovery, training and awareness, supplier security)
- Returns effectiveness-oriented examples (e.g. Time to Detect, proportion meeting target, RTO achieved in tests) and metrics to avoid (e.g. number of alerts, number of scans) so the report demonstrates outcomes rather than raw activity
- Use when drafting the “what is monitored” section or when choosing KPIs so the report meets auditor expectations for “living” evidence of control performance
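The difference between an activity count and an effectiveness metric is easiest to see when both are computed from the same records. The Python below is an added example written for this page, not the skill's metric_kpi_generator or any of its code; the IAM audit-log and incident-ticket extracts are constructed sample data, and the 24h revocation target and the "median against target" conclusion rule are assumptions chosen to match the report excerpt's format.

```python
from datetime import datetime
from statistics import median

FMT = "%Y-%m-%dT%H:%M"

# Constructed IAM audit-log extract (not real data): when a role change was
# approved and when the old entitlement was actually revoked.
ACCESS_CHANGES = [
    # (user, role_changed_at, access_revoked_at)
    ("u1", "2026-01-05T09:00", "2026-01-05T21:00"),  # 12h
    ("u2", "2026-01-12T10:00", "2026-01-13T04:00"),  # 18h
    ("u3", "2026-01-20T08:00", "2026-01-22T08:00"),  # 48h, misses the 24h target
    ("u4", "2026-02-02T14:00", "2026-02-03T10:00"),  # 20h
    ("u5", "2026-02-15T09:00", "2026-02-15T15:00"),  # 6h
]

# Constructed incident-ticket extract (not real data): when the activity began,
# when it was detected, and whether a detective control or a user report found it.
INCIDENTS = [
    # (ticket, started_at, detected_at, detected_by)
    ("INC-1", "2026-01-03T01:00", "2026-01-03T03:00", "control"),
    ("INC-2", "2026-01-18T22:00", "2026-01-19T10:00", "user"),
    ("INC-3", "2026-02-07T12:00", "2026-02-07T13:00", "control"),
    ("INC-4", "2026-02-21T05:00", "2026-02-22T05:00", "control"),
]


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two timestamps in FMT."""
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return delta.total_seconds() / 3600


def access_control_kpis(changes, target_hours: float = 24.0) -> dict:
    """Time-to-revoke KPI: median against the target, share meeting the target,
    and which changes breached it. The 24h target is an assumed value."""
    durations = [hours_between(changed, revoked) for _, changed, revoked in changes]
    med = median(durations)
    within = sum(1 for d in durations if d <= target_hours)
    breaches = [user for user, c, r in changes if hours_between(c, r) > target_hours]
    return {
        "median_time_to_revoke_h": med,
        "proportion_within_target": within / len(durations),
        "breaches": breaches,
        # Assumed conclusion rule: the median result must meet the target.
        "conclusion": "Effective" if med <= target_hours else "Not effective",
    }


def incident_detection_kpis(incidents) -> dict:
    """Mean time to detect (MTTD) plus the share of incidents found by controls
    rather than reported by users; an alert count would show neither."""
    detect_hours = [hours_between(started, detected) for _, started, detected, _ in incidents]
    by_control = sum(1 for inc in incidents if inc[3] == "control")
    return {
        "mttd_h": sum(detect_hours) / len(detect_hours),
        "proportion_detected_by_controls": by_control / len(incidents),
    }


if __name__ == "__main__":
    print(access_control_kpis(ACCESS_CHANGES))
    print(incident_detection_kpis(INCIDENTS))
```

Each returned dictionary maps directly onto one "Result / Target / Conclusion" line of the report's results section; the breach list is what feeds the failed-controls section and the CAPA register.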
non_conformance_logic_bridge ensures every failed control or non-conformance in the report has CAPA linkage:
- Parses the Monitoring & Evaluation report for failed controls, non-conformances, below-threshold metrics, and listed findings
- For each finding, checks that the document references or initiates a corrective action (CAPA) — either near the finding or via a global statement (e.g. “corrective actions initiated for all findings”)
- Reports PASS when every failed control has CAPA linkage; FAIL with a list of findings that have no CAPA reference
- Run before finalising the report so certification auditors do not treat failures as open findings without corrective action
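The check described above, as an added Python example written for this page rather than the skill's own non_conformance_logic_bridge implementation: it finds every place a draft records a failure (a "Not effective" conclusion in the results section, or a data row of the failed-controls table), looks for a CAPA reference on the same line or the two lines after it, falls back to a global corrective-action statement, and returns PASS or FAIL with the unlinked findings. The two draft reports are constructed to match the shape of the output excerpt, and the regular expressions for what counts as a CAPA reference are assumptions, not the tool's actual rules.

```python
import re

# Constructed draft reports shaped like the page's output excerpt; not real
# documents. The first links its single failure to CAPA #42 in both places the
# failure is recorded; the second records a failure with no corrective action.
REPORT_WITH_CAPA = """\
## 2. Results and analysis
### Access control - Time to revoke
- **Result:** 18h (median). **Target:** <=24h. **Conclusion:** Effective.
### Vulnerability management - Critical remediation
- **Result:** 9 days (one outlier). **Target:** Critical <=7d. **Conclusion:** Not effective. Corrective action: CAPA #42 initiated; process and SLA review due 2026-03-15.
## 3. Failed controls / non-conformances
| Finding | CAPA / corrective action |
|---------|---------------------------|
| Critical vuln. remediation missed 7-day SLA (one instance) | CAPA #42 initiated; due 2026-03-15 |
"""

REPORT_MISSING_CAPA = """\
## 2. Results and analysis
### Access control - Time to revoke
- **Result:** 18h (median). **Target:** <=24h. **Conclusion:** Effective.
### Supplier security - Assessment completion
- **Result:** 6 of 10 critical suppliers assessed. **Target:** 10 of 10. **Conclusion:** Not effective.
## 3. Failed controls / non-conformances
| Finding | CAPA / corrective action |
|---------|---------------------------|
| Supplier assessments incomplete (4 of 10 critical suppliers) | To be assigned |
"""

# Assumed patterns. A local CAPA reference is a numbered CAPA or an explicit
# statement that a corrective action was initiated/raised/opened.
CAPA_RE = re.compile(r"\bCAPA\s*#?\s*\d+\b|\bcorrective actions?\s+(?:initiated|raised|opened)\b", re.I)
# A global statement that covers every finding in the report at once.
GLOBAL_RE = re.compile(
    r"\bcorrective actions?\s+(?:have been\s+|were\s+|are\s+)?(?:initiated|raised|opened)\s+for all\s+"
    r"(?:findings|failed controls|non-conformances)\b", re.I)
NOT_EFFECTIVE_RE = re.compile(r"\*\*Conclusion:\*\*\s*Not effective", re.I)
NEARBY_LINES = 3  # the finding's own line plus the two that follow it


def extract_failure_mentions(report: str):
    """Return (name, line_index) for every place the report records a failure:
    a 'Not effective' conclusion, or a data row of the failed-controls table.
    One real failure may therefore appear twice, once from each section."""
    mentions = []
    in_failed_table = False
    heading = ""
    for idx, line in enumerate(report.splitlines()):
        if line.startswith("## "):
            low = line.lower()
            in_failed_table = "failed control" in low or "non-conformance" in low
            heading = ""
        elif line.startswith("### "):
            heading = line[4:].strip()
        if NOT_EFFECTIVE_RE.search(line):
            mentions.append((heading or line.strip(), idx))
        elif in_failed_table and line.startswith("|"):
            cells = [c.strip() for c in line.strip().strip("|").split("|")]
            if not cells or not cells[0] or set(cells[0]) <= set("-: ") or cells[0].lower() == "finding":
                continue  # separator row, header row or empty row
            mentions.append((cells[0], idx))
    return mentions


def bridge_check(report: str) -> dict:
    """PASS when every failure mention has a CAPA reference within NEARBY_LINES
    or the report carries a global corrective-action statement; else FAIL."""
    lines = report.splitlines()
    has_global = bool(GLOBAL_RE.search(report))
    mentions = extract_failure_mentions(report)
    unlinked = []
    for name, idx in mentions:
        context = "\n".join(lines[idx: idx + NEARBY_LINES])
        if not (has_global or CAPA_RE.search(context)):
            unlinked.append(name)
    return {
        "result": "PASS" if not unlinked else "FAIL",
        "mentions_checked": len(mentions),
        "unlinked": unlinked,
    }


if __name__ == "__main__":
    for label, draft in (("with CAPA", REPORT_WITH_CAPA), ("missing CAPA", REPORT_MISSING_CAPA)):
        print(label, bridge_check(draft))
```

The second draft fails twice for one underlying problem, once from the results section and once from the table, which is the useful behaviour: the author has to fix both places, so the finalised report cannot say "Not effective" in one section while the failed-controls table quietly shows a CAPA. Appending a global statement such as "Corrective actions initiated for all findings." turns the same draft into a PASS, so reviewers should confirm such a statement is actually backed by the CAPA register rather than accepting it at face value.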
Output Excerpt
A condensed excerpt from a generated Clause 9.1 report:
## 1. What is monitored and measured
| Control / process | Metric / KPI | Method | Frequency |
|------------------------|----------------------------------|---------------|-----------|
| Access control | Time to revoke access after role change | IAM audit log | Monthly |
| Incident detection | Mean time to detect (MTTD) | SIEM / tickets | Weekly |
| Vulnerability mgmt | Time to remediate Critical/High | Scanner + change log | Monthly |
## 2. Results and analysis
### Access control — Time to revoke
- **Result:** 18h (median). **Target:** ≤24h. **Trend:** Stable. **Conclusion:** Effective.
### Vulnerability management — Critical remediation
- **Result:** 9 days (one outlier). **Target:** Critical ≤7d. **Trend:** One breach in Q1. **Conclusion:** Not effective. Corrective action: CAPA #42 initiated; process and SLA review due 2026-03-15.
## 3. Failed controls / non-conformances
| Finding | CAPA / corrective action |
|---------|---------------------------|
| Critical vuln. remediation missed 7-day SLA (one instance) | CAPA #42 initiated; due 2026-03-15 |
Run non_conformance_logic_bridge on the draft to confirm every failed control has a CAPA reference before submission.
Getting Started
Add your source materials (e.g. logs, metrics exports, existing CAPA register) to the project workspace, then activate the ISO 27001 Monitoring, Measurement & Evaluation skill. The agent will guide you through scoping what is monitored, choosing effectiveness-oriented KPIs, drafting the report, and validating CAPA linkage with the non-conformance logic bridge.