Is a procedure required by ISO 27001 for evaluating the effectiveness of an ISMS document?


The assertion that ISO 27001 contains no requirement for a procedure specifically for evaluating the effectiveness of an Information Security Management System (ISMS) document contradicts the standard's requirements. ISO 27001 emphasizes that organizations must continually assess and evaluate the performance of their ISMS, which inherently includes the effectiveness of its documentation.

The standard mandates that organizations establish processes for monitoring, measurement, analysis, and evaluation of the ISMS, including regular reviews and assessments. So even where a formalized procedure is not explicitly detailed in the documentation, the underlying obligation to evaluate the effectiveness of the ISMS is present and integral to maintaining compliance with ISO 27001.

The need for constant monitoring and improvement is a fundamental aspect of the ISMS cycle and supports the organization's commitment to continuous improvement of its information security posture. Therefore, assuring the effectiveness of ISMS documents through established procedures is a best practice that aligns with the standard's intentions and requirements.
