# ISO 27001 Monitoring, Measurement & Evaluation

> Draft and validate the Clause 9.1 report (PDCA 'Check') and Clause 6.2 objectives register: six validation tools covering KPI effectiveness, CAPA linkage for every failed control, CAPA field completeness (root cause, corrective action, owner, date, effectiveness review), cross-document audit NC reconciliation, and objectives completeness (including Clause 6.2(c) risk register linkage and Clause 6.2(h) resources).



Tags: ISO 27001, ISMS, Compliance, Monitoring, Metrics, CAPA, Clause 9.1, Clause 10.2, Clause 6.2


## Example Prompts

- Draft the Clause 9.1 Monitoring & Evaluation report for the ISMS
- Suggest effectiveness KPIs for incident detection and access control
- Validate that every failed control in the report has a CAPA reference
- Check our CAPA entries for completeness (root cause, corrective action, owner, date)

URL: https://rakenne.app/skills/iso27001-monitoring-measurement-evaluation/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-monitoring-measurement-evaluation


## Overview

Draft and validate the Clause 9.1 Monitoring, Measurement & Evaluation report — the "Check" phase of PDCA. The skill turns raw operational data into effectiveness-oriented KPIs, ensures every failed control is linked to a corrective action (CAPA), and validates CAPA entries for completeness per Clause 10.2.

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

### What It Covers

- **Effectiveness-oriented KPIs** — metrics that measure control outcomes (time to detect, % meeting SLA) rather than activity counts (number of alerts, number of scans)
- **Control performance monitoring** — structured reporting with results, targets, trends, and conclusions
- **CAPA linkage** — every failed control or non-conformance must reference a corrective action
- **CAPA completeness** — validates root cause analysis, systemic corrective action, owner, target date, and effectiveness review
- **Correction vs corrective action** — enforces the distinction auditors check: fix the symptom (correction) AND fix the root cause (corrective action)

## Example Conversation

> **You:** We need the quarterly Monitoring & Evaluation report for Clause 9.1. I have our incident and access-review data. I want KPIs that show control effectiveness, not just activity counts.
>
> **Agent:** I'll use the Clause 9.1 template and suggest effectiveness-oriented metrics. Running `metric_kpi_generator` for your key domains...
>
> **Incident Detection:**
> - Prefer: Mean time to detect (MTTD), proportion of incidents detected by controls vs reported by users
> - Avoid: Number of alerts, number of logs ingested
>
> **Access Control:**
> - Prefer: Time to revoke access after role change (target ≤24h), proportion of access reviews with no orphan accounts
> - Avoid: Number of access requests processed
>
> **Vulnerability Management:**
> - Prefer: Time to remediate by severity (Critical ≤7d, High ≤30d), proportion remediated within SLA
> - Avoid: Number of scans, number of vulnerabilities found
>
> I'll draft the report with these metrics. What are your actual results for this quarter?
>
> **You:** MTTD was 3.2 hours (target ≤4h — met). Access revocation median 18h (target ≤24h — met). Critical vuln remediation averaged 9 days with one outlier (target ≤7d — missed). I've raised CAPA-042 for the vuln remediation miss.
>
> **Agent:** Report drafted. Running `non_conformance_logic_bridge` to verify CAPA linkage...
>
> **Result: PASS** — 1 failed control detected, CAPA #42 referenced. All failures linked to CAPA.
>
> Now let me check the CAPA itself. Running `capa_completeness_validator` on your CAPA log...
>
> **Result: 2 issues found:**
> - [ERROR] CAPA-042: No root cause analysis — Clause 10.2 requires determining the cause
> - [WARNING] CAPA-042: No effectiveness review planned — should verify corrective action works
>
> **You:** Root cause was that the vulnerability scanning tool didn't alert the on-call team for high-severity findings — only critical. We've updated the alert configuration.
>
> **Agent:** That's a good correction (immediate fix), but you also need a systemic corrective action — why wasn't the alert configuration reviewed as part of the initial setup? Consider adding a "scanning tool configuration review" to the quarterly infrastructure checklist. And schedule an effectiveness review for next quarter to verify the SLA is consistently met.

## Sample Output Excerpt

Below is a representative excerpt from a generated Clause 9.1 report with the CAPA log section.

---

### Monitoring Results (excerpt)

| Control / Process | Metric / KPI | Target | Result | Trend | Conclusion |
|------------------|-------------|--------|--------|-------|------------|
| Incident detection | Mean time to detect (MTTD) | ≤ 4h | 3.2h | Improving (was 4.1h) | Effective |
| Access control | Time to revoke after role change | ≤ 24h | 18h median | Stable | Effective |
| Vulnerability management | Critical remediation time | ≤ 7d | 9d (one outlier) | Deteriorated | Not effective — CAPA-042 |
| Backup/recovery | RTO achieved in quarterly test | ≤ 4h | 2.8h | Stable | Effective |
| Training | Annual completion rate | 100% | 92% | Improved (was 85%) | Not yet effective — monitoring |

### CAPA Log (excerpt)

| CAPA ID | Source | Description | Root Cause | Corrective Action | Owner | Target Date | Effectiveness Review | Status |
|---------|--------|-------------|-----------|-------------------|-------|-------------|---------------------|--------|
| CAPA-042 | Monitoring Q4 | Critical vuln remediation exceeded 7-day SLA | Scanner alert configuration did not include high-severity; only critical alerts triggered on-call | 1. Updated alert config (correction). 2. Added scanning tool config to quarterly infra review checklist (corrective action). | Head of Engineering | 2025-02-15 | 2025-05-15 | In progress |
| CAPA-038 | Internal Audit | Access review not completed for Q2 | Manual spreadsheet process; no automated reminders | Implemented automated access review reminders in IAM tool; added to monthly ops checklist | IT Manager | 2024-12-01 | 2025-03-01 — verified effective | Closed |


## Extension Tools

### `metric_kpi_generator`

Suggests effectiveness-oriented KPIs for 8 control domains:

| Domain | Effectiveness Metric Examples |
|--------|------------------------------|
| Access control | Time to revoke, % reviews with no orphan accounts |
| Incident detection | MTTD, % detected by controls vs user-reported |
| Incident response | MTTC/MTTR, % closed with root cause |
| Vulnerability management | Time to remediate by severity, % within SLA |
| Backup/recovery | RTO achieved in tests, % restores successful |
| Change management | % changes without rollback/incident |
| Training/awareness | Phishing click rate trend, % completing training |
| Supplier security | % suppliers with valid assessment, time to close NCs |
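The table above names the metrics but not how they are derived from raw period data. The following is an added example (not code from the skill or from rakenne.app) that computes three of the listed effectiveness KPIs, MTTD, share of incidents detected by controls, and remediation-within-SLA by severity, from constructed incident and vulnerability records. The record field names (`occurred_at`, `detected_at`, `source`, `found_at`, `closed_at`, `severity`) and the SLA thresholds (Critical ≤ 7 days, High ≤ 30 days, taken from the page's conversation) are assumptions for the example.

```python
from datetime import datetime
from statistics import mean

# Remediation SLA per severity, in days (values taken from the page's example targets).
SLA_DAYS = {"Critical": 7, "High": 30}

# Constructed sample data: three incidents and five closed vulnerabilities for one quarter.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "occurred_at": "2025-01-10T08:00", "detected_at": "2025-01-10T10:00", "source": "control"},
    {"id": "INC-2", "occurred_at": "2025-01-15T01:00", "detected_at": "2025-01-15T05:00", "source": "control"},
    {"id": "INC-3", "occurred_at": "2025-01-20T12:00", "detected_at": "2025-01-20T15:36", "source": "user"},
]
SAMPLE_VULNS = [
    {"id": "V-1", "severity": "Critical", "found_at": "2025-01-02", "closed_at": "2025-01-07"},
    {"id": "V-2", "severity": "Critical", "found_at": "2025-01-10", "closed_at": "2025-01-16"},
    {"id": "V-3", "severity": "Critical", "found_at": "2025-02-01", "closed_at": "2025-02-17"},  # the outlier
    {"id": "V-4", "severity": "High", "found_at": "2025-01-05", "closed_at": "2025-01-15"},
    {"id": "V-5", "severity": "High", "found_at": "2025-02-10", "closed_at": "2025-03-02"},
]


def _ts(value: str) -> datetime:
    # ISO 8601 timestamps or bare dates (dates parse to midnight).
    return datetime.fromisoformat(value)


def mean_time_to_detect_hours(incidents: list[dict]) -> float:
    """MTTD: mean of (detected_at - occurred_at) in hours, an outcome metric,
    as opposed to counting alerts (an activity metric)."""
    hours = [(_ts(i["detected_at"]) - _ts(i["occurred_at"])).total_seconds() / 3600 for i in incidents]
    return round(mean(hours), 2)


def share_detected_by_controls(incidents: list[dict]) -> float:
    """Proportion of incidents first detected by a control rather than reported by a user."""
    return round(sum(1 for i in incidents if i["source"] == "control") / len(incidents), 2)


def remediation_by_severity(vulns: list[dict], sla_days: dict[str, int] = SLA_DAYS) -> dict:
    """Per severity: mean days to remediate, proportion closed within SLA, and whether
    the target (every finding within SLA) was met. A single outlier fails the target,
    which is exactly the situation the page's CAPA-042 describes."""
    report = {}
    for severity, sla in sla_days.items():
        days = [(_ts(v["closed_at"]) - _ts(v["found_at"])).days
                for v in vulns if v["severity"] == severity]
        if not days:
            continue
        report[severity] = {
            "mean_days": round(mean(days), 1),
            "within_sla": round(sum(1 for d in days if d <= sla) / len(days), 2),
            "target_met": all(d <= sla for d in days),
        }
    return report


if __name__ == "__main__":
    print("MTTD (h):", mean_time_to_detect_hours(SAMPLE_INCIDENTS))
    print("Detected by controls:", share_detected_by_controls(SAMPLE_INCIDENTS))
    for sev, row in remediation_by_severity(SAMPLE_VULNS).items():
        print(f"{sev}: {row}")
```

On the constructed data this yields an MTTD of 3.2 h with two of three incidents control-detected, and a Critical mean of 9.0 days where one outlier causes the target to be missed even though two thirds of findings were inside the SLA; reporting both the proportion and the target flag is what lets the report distinguish a systemic problem from a single slip.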

### `non_conformance_logic_bridge`

Validates that every failed control or non-conformance has CAPA linkage. Detects:
- Failed controls and below-threshold metrics
- Non-conformances and findings sections
- Global CAPA statements ("corrective actions initiated for all findings")

### `capa_completeness_validator`

Validates each CAPA entry has all required fields per Clause 10.2:

| Field | Severity if Missing |
|-------|:-------------------:|
| Root cause analysis | ERROR |
| Systemic corrective action (not just correction) | ERROR |
| Owner | ERROR |
| Target date | ERROR |
| Immediate correction | WARNING |
| Effectiveness review plan | WARNING |
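To make the two validators above concrete, here is an added example (not the skill's own implementation) that applies both rule sets to a monitoring results table and a CAPA log: `check_capa_linkage` flags any failed control whose conclusion cites no CAPA ID, or cites one absent from the log; `detect_global_capa_statement` flags blanket wording such as "corrective actions initiated for all findings" that names no CAPA; and `validate_capa` applies the field-severity table (ERROR for missing root cause, systemic corrective action, owner and target date; WARNING for missing correction and effectiveness review). The data classes, field names, the `CAPA-NNN` reference pattern and the blanket-statement phrase list are assumptions, and the sample rows are constructed to mirror the page's conversation.

```python
import re
from dataclasses import dataclass

# Assumed reference format for CAPA identifiers, e.g. CAPA-042.
CAPA_REF = re.compile(r"\bCAPA-(\d+)\b")
# Assumed wording that signals a blanket CAPA claim with no specific linkage.
GLOBAL_CAPA_PHRASES = ("all findings", "all non-conformances", "where appropriate")

# Field checks from the page's table: (attribute, severity, message).
CAPA_FIELD_RULES = [
    ("root_cause", "ERROR", "No root cause analysis; Clause 10.2 requires determining the cause"),
    ("corrective_action", "ERROR", "No systemic corrective action (only a correction)"),
    ("owner", "ERROR", "No owner"),
    ("target_date", "ERROR", "No target date"),
    ("correction", "WARNING", "No immediate correction recorded"),
    ("effectiveness_review", "WARNING", "No effectiveness review planned"),
]


@dataclass
class MonitoringRow:
    control: str
    target_met: bool
    conclusion: str


@dataclass
class CapaEntry:
    capa_id: str
    description: str
    root_cause: str = ""
    correction: str = ""
    corrective_action: str = ""
    owner: str = ""
    target_date: str = ""
    effectiveness_review: str = ""


def check_capa_linkage(rows: list[MonitoringRow], capa_log: list[CapaEntry]) -> list[tuple[str, str]]:
    """Every failed control must cite a CAPA ID that exists in the log."""
    known = {entry.capa_id for entry in capa_log}
    findings = []
    for row in rows:
        if row.target_met:
            continue
        refs = {f"CAPA-{n}" for n in CAPA_REF.findall(row.conclusion)}
        if not refs:
            findings.append(("ERROR", f"{row.control}: failed control has no CAPA reference"))
        for ref in sorted(refs - known):
            findings.append(("ERROR", f"{row.control}: references {ref}, which is not in the CAPA log"))
    return findings


def detect_global_capa_statement(text: str) -> bool:
    """True when text makes a blanket CAPA claim without naming any CAPA ID."""
    lowered = text.lower()
    return any(p in lowered for p in GLOBAL_CAPA_PHRASES) and CAPA_REF.search(text) is None


def validate_capa(entry: CapaEntry) -> list[tuple[str, str]]:
    """Apply the field/severity table; also reject a 'corrective action' that
    merely restates the correction, since that fixes the symptom, not the cause."""
    issues = [(sev, f"{entry.capa_id}: {msg}")
              for attr, sev, msg in CAPA_FIELD_RULES if not getattr(entry, attr).strip()]
    if entry.corrective_action.strip() and \
            entry.corrective_action.strip().lower() == entry.correction.strip().lower():
        issues.append(("ERROR", f"{entry.capa_id}: corrective action repeats the correction; no systemic fix"))
    return issues


def run_checks(rows: list[MonitoringRow], capa_log: list[CapaEntry]) -> dict:
    """Combine both validators; any ERROR makes the overall verdict FAIL."""
    findings = check_capa_linkage(rows, capa_log)
    for entry in capa_log:
        findings.extend(validate_capa(entry))
    errors = sum(1 for sev, _ in findings if sev == "ERROR")
    return {"findings": findings, "errors": errors, "verdict": "FAIL" if errors else "PASS"}


# Constructed sample: one linked failure (CAPA-042 without root cause or review yet)
# and one failed control with no CAPA at all.
SAMPLE_RESULTS = [
    MonitoringRow("Incident detection", True, "Effective"),
    MonitoringRow("Vulnerability management", False, "Not effective - CAPA-042"),
    MonitoringRow("Training", False, "Not yet effective - monitoring"),
]
SAMPLE_CAPA_LOG = [
    CapaEntry("CAPA-042", "Critical vuln remediation exceeded 7-day SLA",
              correction="Updated scanner alert configuration",
              corrective_action="Added scanner config review to quarterly infra checklist",
              owner="Head of Engineering", target_date="2025-02-15"),
]

if __name__ == "__main__":
    for sev, msg in run_checks(SAMPLE_RESULTS, SAMPLE_CAPA_LOG)["findings"]:
        print(f"[{sev}] {msg}")
```

Run against the constructed sample, the linkage check reports the Training row (a failed control with no CAPA), and the completeness check reports CAPA-042's missing root cause as an ERROR and its missing effectiveness review as a WARNING, the same two issues the conversation above shows; the WARNING alone would not fail the report, the ERRORs do.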

## Getting Started

Activate the *ISO 27001 Monitoring, Measurement & Evaluation* skill. If you've completed the *Organization Profile* skill, load it for context.

Have this information ready:
- Operational data for the reporting period (incident logs, access review results, scan reports, backup test results)
- Current KPIs and targets (or let the agent suggest effectiveness-oriented metrics)
- Any failed controls or non-conformances identified during the period
- Existing CAPA log with corrective action entries

The agent guides you through: scoping what is monitored, choosing effectiveness KPIs, drafting the report, validating CAPA linkage, and checking CAPA completeness. The output feeds directly into the management review (Clause 9.3) as a mandatory input.



