DraftInternalISO 9001ISO 14001ISO 27001

SW-IMS-MAN-009

IMS Manual - Clause 9: Performance Evaluation

Version

1.0

Owner

IMS Owner

Effective Date

TBD

Review Date

TBD

IMS Manual - Clause 9: Performance Evaluation

Document ID: SW-IMS-MAN-009-v1.0
Effective Date: [TBD]
Review Date: [TBD]
Owner: IMS Owner
Approved by: [TBD]

Purpose

This section of the IMS Manual describes how Swedwise AB monitors, measures, analyzes, and evaluates the performance and effectiveness of the Integrated Management System. It addresses Clause 9 (Performance Evaluation) requirements for ISO 9001, ISO 14001, and ISO 27001.

Performance evaluation ensures that the IMS achieves intended results, meets objectives, and drives continual improvement.

9.1 Monitoring, Measurement, Analysis and Evaluation

9.1.1 General

Swedwise determines:

What needs to be monitored and measured
Methods for monitoring, measurement, analysis, and evaluation
When monitoring and measurement are performed
When results are analyzed and evaluated

This ensures valid, reliable results to demonstrate conformity and evaluate IMS performance.

9.1.2 What Needs to Be Monitored and Measured

Performance categories monitored:

Category	Key Areas	Purpose
Customer-Related Performance	Customer satisfaction, complaints, retention, NPS	ISO 9001: Ensure customer focus
Process Performance	Service delivery, project performance, operational efficiency	Demonstrate process effectiveness
Quality Objectives	Achievement of quality targets	ISO 9001: Track progress toward quality goals
Environmental Performance	Energy consumption, travel carbon emissions, waste	ISO 14001: Environmental footprint and objectives
Environmental Compliance	Compliance obligations, legal requirements	ISO 14001: Demonstrate legal compliance
Information Security Performance	Incidents, vulnerabilities, access reviews, training	ISO 27001: Security posture and effectiveness
Risk and Opportunity Management	Risk treatment effectiveness, emerging risks	All standards: Risk-based approach
IMS Effectiveness	Audit findings, nonconformities, corrective actions	Overall IMS performance

9.1.3 Monitoring and Measurement Methods

Methods employed:

Method	Application	Examples
Automated monitoring	Real-time system health, security alerts	Azure Monitor, Microsoft 365 security dashboard, SaaS platform monitoring
Performance metrics (KPIs)	Quantitative targets and actuals	Dashboards, reports, scorecards
Surveys	Customer and employee feedback	Customer satisfaction survey (annual), NPS, employee engagement
Audits	Systematic evaluation of conformity	Internal audits (SW-IMS-PRO-003), external audits
Inspections	Verification activities	Access reviews, physical security checks, waste disposal audits
Data analysis	Trend analysis, root cause analysis	Incident trends, nonconformity patterns, energy usage over time
Reviews	Periodic assessment	Management review (SW-IMS-PRO-004), risk review, supplier review

9.1.4 When Monitoring and Measurement Occur

Frequency depends on the metric and risk:

Frequency	Examples
Continuous (24/7)	SaaS platform uptime, security alerts, system health
Daily	Support ticket volume, critical incident status
Weekly	Security event review, capacity utilization
Monthly	SLA compliance, energy consumption, customer service reports
Quarterly	Access reviews, environmental aspects review, risk register review
Annually	Customer satisfaction survey, compliance evaluation, certification audits
Event-driven	Post-incident reviews, project retrospectives, change assessments

Monitoring schedule documented in:

SW-IMS-PRO-010: Monitoring and Measurement Procedure
Annual audit program (SW-IMS-PRO-003)
Management review schedule (SW-IMS-PRO-004)

9.1.5 Analysis and Evaluation

Swedwise analyzes and evaluates monitoring and measurement results to:

Determine:

Conformity of products, services, and processes to requirements
Customer satisfaction levels and trends
Effectiveness of the IMS and achievement of objectives
Process performance and opportunities for improvement
Risk treatment effectiveness
Supplier performance
Need for improvements to the IMS

Analysis methods:

Statistical analysis (trends over time, correlation)
Comparative analysis (actual vs. target, period vs. period)
Root cause analysis (for nonconformities and incidents)
Benchmarking (against industry standards or competitors)

Analysis outputs documented in:

Monthly/quarterly performance reports
Management review input materials (SW-IMS-PRO-004)
Trend analysis reports
Annual IMS performance summary

Responsibility: IMS Owner coordinates; Quality Lead, Environmental Lead, CISO provide domain-specific analysis.

9.2 Customer Satisfaction (ISO 9001)

9.2.1 Monitoring Customer Perception

Swedwise monitors customer perceptions of the degree to which requirements and expectations are fulfilled.

Customer satisfaction is a key indicator of quality performance and business success.

9.2.2 Methods for Obtaining Customer Feedback

Method	Description	Frequency	Owner
Customer Satisfaction Survey	Structured survey covering service quality, responsiveness, value, likelihood to recommend	Annual (or post-project)	Quality Lead / CSM
Net Promoter Score (NPS)	"How likely are you to recommend Swedwise?" (0-10 scale)	Quarterly or post-project	Quality Lead
Service Review Meetings	Periodic meetings with key customers to discuss performance, feedback, plans	Quarterly (SaaS); project close (consulting)	Customer Success Manager
Customer Complaints	Formal and informal complaints logged and analyzed	Continuous	Customer Success / Support
Informal Feedback	Ad-hoc feedback from customer interactions	Continuous	All staff (escalated to CSM)
Contract Renewals and Churn	Renewal rate and reasons for non-renewal	Ongoing	Sales / Customer Success

See SW-QMS-PRO-002 (Customer Feedback Procedure) for detailed customer feedback processes.

9.2.3 Customer Satisfaction Metrics

Key metrics tracked:

Metric	Target	Measurement
Customer Satisfaction Score (CSAT)	≥ 4.0/5.0	Annual survey average rating
Net Promoter Score (NPS)	≥ 50	Percentage promoters (9-10) minus detractors (0-6)
Customer Retention Rate	≥ 90%	(Customers at year end - new customers) / customers at year start
Complaint Rate	≤ 5 per quarter	Number of formal complaints logged
Complaint Resolution Time	≤ 10 business days	Average time from complaint to resolution
SLA Compliance	100%	Percentage of SLA commitments met (SaaS services)

9.2.4 Analysis of Customer Feedback

Customer feedback is analyzed to identify:

Satisfaction trends (improving, stable, declining)
Common themes (positive and negative)
Root causes of dissatisfaction
Opportunities for improvement
Risks to customer relationships

Analysis results reported to:

Management Team (quarterly in management review)
Relevant departments (for corrective or improvement action)
Customers (service review meetings, annual reports)

Actions taken based on feedback:

Corrective actions for complaints (SW-IMS-PRO-005)
Service improvements
Training or competence development
Process changes
Customer recovery actions

9.3 Environmental Performance and Compliance Evaluation (ISO 14001)

9.3.1 Environmental Performance Monitoring

Swedwise monitors and measures environmental performance against objectives and targets.

Environmental metrics:

Environmental Aspect	Metric	Target	Measurement Frequency
Energy Consumption (Offices)	kWh per employee per month	-5% year-over-year	Monthly
Business Travel (Carbon Emissions)	CO2 tons per year	-10% year-over-year	Quarterly
E-Waste (IT Equipment)	Recycling rate	90%+	Annually (disposal events)
Paper Consumption	Sheets per employee per year	-15% year-over-year	Quarterly
Cloud Infrastructure (SaaS)	Energy efficiency (PUE at data center)	≤ 1.3 PUE	Annually (data center report)

Data sources:

Energy bills (office landlords)
Travel expense reports and booking systems
IT asset disposal records
Printing logs and paper purchase records
Data center sustainability reports (Entiros)

Responsibility: Environmental Lead collects, analyzes, and reports environmental performance data.

9.3.2 Evaluation of Compliance with Environmental Legal Requirements

Swedwise periodically evaluates compliance with environmental legal and other requirements.

Compliance evaluation process:

Legal Register Maintenance:
- Environmental Lead maintains register of applicable environmental legal requirements
- Includes EU directives, Swedish laws, customer requirements
- Reviewed and updated quarterly
Compliance Assessment:
- Annual evaluation of compliance against each requirement
- Evidence collected: certifications, records, audits, reports
- Non-compliance identified and escalated
Compliance Status:
- Compliant / Non-Compliant / Not Applicable
- Non-compliance triggers corrective action (SW-IMS-PRO-005)
Documentation:
- Compliance evaluation results documented
- Reported to management in annual management review
- Evidence retained for certification audits

See SW-IMS-PRO-012 (Legal Compliance Procedure) for detailed compliance evaluation process.

Key environmental legal requirements for Swedwise:

WEEE Directive (e-waste disposal)
Energy efficiency regulations (office equipment)
Environmental reporting (if applicable based on size/sector)
Customer environmental procurement requirements

9.4 Information Security Performance (ISO 27001)

9.4.1 Security Monitoring and Measurement

Swedwise monitors and measures information security performance to evaluate effectiveness of security controls and achievement of security objectives.

Security performance metrics:

Metric	Target	Measurement Frequency
Security Incidents (Total)	≤ 5 per quarter	Continuous (reported monthly)
Major Security Incidents	0 per year	Continuous
Critical Incident Response Time	≤ 15 minutes	Per incident
High Vulnerability Remediation	≤ 30 days	Monthly
Critical Vulnerability Remediation	≤ 72 hours	Per vulnerability
Access Review Completion	100% (quarterly)	Quarterly
Security Training Completion	100% (annual)	Annually
Phishing Simulation Click Rate	≤ 5%	Quarterly simulations
Patch Compliance	≥ 95% (endpoints up-to-date)	Monthly
Backup Success Rate	100%	Daily (monitored continuously)

Data sources:

Microsoft 365 security dashboard
Azure Security Center
Security incident logs (SW-ISMS-PRO-002)
Vulnerability scan reports (SW-ISMS-PRO-005)
Access review records (SW-ISMS-PRO-007)
Training platform (security awareness completion)

Responsibility: CISO collects, analyzes, and reports security performance data.

9.4.2 Evaluation of Security Control Effectiveness

Security controls from the Statement of Applicability (SoA) are periodically evaluated for effectiveness:

Evaluation methods:

Internal audits: Systematic audit of security controls (SW-IMS-PRO-003)
Penetration testing: Annual testing of SaaS platform (external)
Vulnerability assessments: Monthly automated scanning
Access reviews: Quarterly review of user access rights (SW-ISMS-PRO-007)
Security incident analysis: Post-incident review to assess control gaps
Compliance checks: Verification against ISO 27001 Annex A controls

Evaluation frequency:

Each control evaluated at least annually (via internal audit program)
High-risk controls evaluated more frequently (quarterly)
Ad-hoc evaluation triggered by incidents or changes

Evaluation results:

Effective / Partially Effective / Ineffective
Ineffective controls trigger corrective action
SoA updated to reflect control status

See SW-ISMS-SOA-001 (Statement of Applicability) for complete control listing and implementation status.

9.5 Analysis and Evaluation of IMS Performance

9.5.1 Integrated Data Analysis

Swedwise analyzes data from monitoring and measurement activities to evaluate:

Effectiveness of the IMS:

Are objectives being achieved?
Are processes performing as intended?
Is the IMS suitable for the organization's context?
Are risks being adequately addressed?

Key integrated metrics:

Metric	Target	Status Indicator
Overall IMS Objective Achievement	≥ 80% of objectives met	Green: ≥80%, Amber: 60-79%, Red: <60%
Internal Audit Findings	Decreasing trend	Track major/minor nonconformities over time
Corrective Action Closure Rate	≥ 90% on time	Percentage closed by due date
Nonconformity Recurrence Rate	≤ 10%	Same nonconformity recurring after corrective action
Customer Satisfaction (CSAT)	≥ 4.0/5.0	Quality performance indicator
Environmental Objectives	All targets met	Environmental performance indicator
Security Incidents (Major)	0 per year	Security performance indicator

9.5.2 Trend Analysis

Trends analyzed:

Performance over time (monthly, quarterly, yearly)
Comparison against targets and previous periods
Identification of patterns (seasonal, process-related, department-related)
Emerging risks or opportunities

Trend analysis conducted for:

Nonconformities (are we improving?)
Customer satisfaction (stable, improving, declining?)
Incidents (security, quality, environmental)
Process performance (efficiency, effectiveness)

Trend analysis tools:

Run charts and control charts
Statistical process control (where applicable)
Comparative dashboards (actual vs. target, period over period)

9.5.3 Performance Evaluation Outputs

Results of analysis and evaluation are used to:

Demonstrate conformity: Evidence for certification audits, customer audits, stakeholder reporting
Assess customer satisfaction: Understand customer perception and loyalty
Evaluate process performance: Identify high-performing and underperforming processes
Assess conformity of products/services: Verify quality standards are met
Evaluate IMS effectiveness: Overall system health check
Identify improvement opportunities: Data-driven improvement initiatives
Risk assessment input: Update risk register based on performance data
Management decision support: Inform management review decisions

Documented in:

Quarterly performance reports
Management review input materials
Annual IMS performance summary
Trend analysis reports

Presented to:

Management Team (quarterly)
Department Heads (as relevant)
All staff (annual summary)

9.6 Internal Audit

9.6.1 Purpose and Scope

Swedwise conducts planned internal audits to provide information on whether the IMS:

Conforms to Swedwise's own requirements and ISO 9001, ISO 14001, ISO 27001 requirements
Is effectively implemented and maintained

Internal audits are a key source of objective evidence for management review and certification.

See SW-IMS-PRO-003 (Internal Audit Procedure) for complete internal audit process.

9.6.2 Audit Program

Annual audit program establishes:

Processes and areas to be audited
Audit frequency (based on risk, importance, previous audit results)
Audit schedule (when audits will occur)
Auditor assignments (ensuring independence)

Audit frequency considerations:

High-risk areas: Semi-annually (e.g., information security controls, SaaS operations)
Medium-risk areas: Annually (e.g., document control, environmental aspects)
Low-risk areas: Every 18 months (if very stable and low-risk)
All IMS processes: At least once per audit cycle (typically annual)

Audit program approved by: Management Team (annually)

9.6.3 Audit Planning and Execution

For each audit:

Planning:
- Define audit objective, scope, criteria
- Assign lead auditor and audit team
- Prepare audit plan and notify auditee (2 weeks advance)
Execution:
- Opening meeting (objectives, logistics)
- Evidence gathering (interviews, document review, observations)
- Findings evaluation (conformities, nonconformities, observations)
- Closing meeting (present findings, next steps)
Reporting:
- Audit report prepared within 5 working days
- Findings documented (conformities, positive practices, nonconformities, observations)
- Distributed to auditee, management, IMS Owner
Follow-up:
- Auditee develops corrective action plan for nonconformities
- IMS Owner verifies corrective action effectiveness
- Nonconformities closed when verified effective

9.6.4 Auditor Competence and Independence

Auditor requirements:

Understand ISO 9001, ISO 14001, ISO 27001 relevant to audit area
Completed internal auditor training (minimum 1-day course)
Demonstrate objectivity and professional behavior

Independence:

Auditors do not audit their own work
Cross-functional audits (e.g., Customer Success audits IT operations; IT audits sales processes)
External auditors may be used if independence cannot be maintained

Auditor records maintained by: IMS Owner (training, qualifications, audit experience)

9.6.5 Audit Results and Improvement

Audit results used to:

Identify nonconformities and trigger corrective actions
Identify improvement opportunities
Verify effectiveness of previous corrective actions
Assess overall IMS performance
Input to management review

Audit metrics tracked:

Number of audits completed vs. planned
Nonconformities by category and severity
Corrective action closure rate and timeliness
Recurrence of nonconformities
Positive findings and best practices identified

Audit records retained for: 7 years (ISO certification requirement)

9.7 Management Review

9.7.1 Purpose and Frequency

Top management reviews the IMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.

Management review is a strategic decision-making forum, not an operational meeting.

Frequency: Quarterly (minimum)

See SW-IMS-PRO-004 (Management Review Procedure) for complete management review process.

9.7.2 Management Review Inputs

Management reviews consider:

Input Category	Specific Inputs
1. Status of Previous Actions	Action items from last review; effectiveness of completed actions
2. Changes in Context	External: market, regulatory, technology, stakeholder expectations Internal: organization, strategy, resources
3. Performance and Effectiveness	Quality, environmental, security performance Objectives achievement status Process performance Customer satisfaction
4. Customer Feedback	Satisfaction surveys, complaints, retention, NPS
5. Internal Audit Results	Findings, trends, corrective action status
6. Extent Objectives Met	Progress against quality, environmental, security objectives
7. Process Performance	Service delivery, SaaS operations, project performance
8. Nonconformities and Corrective Actions	Trends, recurrence, closure rates
9. Monitoring and Measurement Results	KPI performance, compliance status
10. Resource Adequacy	Staffing, budget, infrastructure, competence
11. Risk and Opportunity Management	Top risks, treatment effectiveness, new risks/opportunities
12. Opportunities for Improvement	Suggestions, innovations, benchmarking
13. Need for IMS Changes	Scope, structure, documentation updates

Specific ISO 27001 inputs:

Security incident trends and major incidents
Risk assessment and treatment plan effectiveness
Security audit results (internal and external)
Compliance with legal and contractual security requirements
Threat intelligence and emerging security trends

Specific ISO 14001 inputs:

Environmental performance and objective achievement
Compliance evaluation results
Communication from external interested parties (customers, regulators, community)
Environmental aspect changes or new aspects
Environmental legal requirement changes

Input materials prepared by: IMS Owner (consolidates inputs from Quality Lead, Environmental Lead, CISO, Department Heads)

Distributed to attendees: At least 3 days before management review meeting

9.7.3 Management Review Outputs

Management review outputs include decisions and actions related to:

Output Category	Examples
1. Continual Improvement Opportunities	Which improvement initiatives to pursue, prioritization, resources
2. Need for Changes to IMS	Scope changes (new services, locations) Policy or procedure updates Role or structure changes
3. Resource Needs	Additional staffing, budget allocation, infrastructure investment, training
4. Objectives and Targets	Setting or revising IMS objectives, adjusting targets based on performance
5. Strategic Direction	Alignment of IMS with business strategy, risk appetite, strategic priorities

All decisions documented with:

Clear statement of decision
Rationale
Actions required
Owner (who is responsible)
Deadline
Resources allocated

Example decision:

Decision: Implement automated security awareness training platform
Rationale: Current manual process is time-consuming; low completion rate; opportunity to reduce phishing risk
Action: Procure and deploy training platform; migrate existing content; train staff
Owner: CISO
Deadline: Q3 2025
Resources: 100,000 SEK budget; 0.5 FTE CISO time for 3 months
Expected Outcome: 100% training completion; reduce phishing click rate from 12% to <5%

9.7.4 Management Review Process

Typical agenda (2-3 hours):

Time	Agenda Item	Presenter
0:00-0:10	Opening and introduction	CEO
0:10-0:20	Actions from previous review	IMS Owner
0:20-0:35	Context changes (external and internal)	CEO / IMS Owner
0:35-1:00	Performance review (quality, environmental, security)	Quality Lead, Environmental Lead, CISO
1:00-1:20	Internal audit results and trends	IMS Owner
1:20-1:35	Risks and opportunities	IMS Owner / CISO
1:35-1:50	Resource adequacy and improvement opportunities	IMS Owner / Department Heads
1:50-2:10	Decisions and actions	CEO / Management Team
2:10-2:20	Closing and next steps	CEO

Attendees (mandatory):

CEO (Chair)
Management Team members
IMS Owner
CISO
Quality Lead
Environmental Lead

Minutes prepared by: IMS Owner (within 5 working days)

Minutes distributed to:

All attendees
Department heads
Filed in management review records

Actions tracked in: Management Review Action Tracker (updated monthly by IMS Owner)

Management review records retained for: 7 years

9.7.5 Communication of Management Review Outcomes

Internal communication:

To all staff: High-level summary of key decisions, achievements, initiatives
To department heads: Full minutes, action items for their areas, implementation expectations
To process owners: Specific actions or changes affecting their processes

External communication (if applicable):

Certification body: Summaries during certification audits
Customers: Assurance of management oversight (if contractually required)

Management review minutes classified as: Internal (confidential; contains strategic information)

9.8 Performance Evaluation Records

Records maintained:

Record	Retention Period	Location	Owner
Monitoring and Measurement Results	3 years	Performance dashboard, report repository	IMS Owner, Quality Lead, Environmental Lead, CISO
Customer Satisfaction Survey Results	5 years	Customer feedback database	Quality Lead
Environmental Performance Data	7 years	Environmental register	Environmental Lead
Security Performance Metrics	5 years	Security dashboard, incident logs	CISO
Internal Audit Reports	7 years	Audit repository	IMS Owner
Audit Program and Plans	7 years	Audit repository	IMS Owner
Management Review Minutes	7 years	Management review repository	IMS Owner
Management Review Action Tracker	Current + 3 years	Action tracking system	IMS Owner
Compliance Evaluation Results	7 years	Compliance register	Environmental Lead, CISO
Analysis and Trend Reports	5 years	Report repository	IMS Owner

Procedures:

SW-IMS-PRO-003: Internal Audit Procedure
SW-IMS-PRO-004: Management Review Procedure
SW-IMS-PRO-005: Nonconformity and Corrective Action Procedure
SW-IMS-PRO-010: Monitoring and Measurement Procedure
SW-IMS-PRO-012: Legal Compliance Procedure
SW-QMS-PRO-002: Customer Feedback Procedure
SW-ISMS-PRO-002: Incident Management Procedure
SW-ISMS-PRO-007: User Access Review Procedure

Policies:

SW-IMS-POL-001: Integrated Management System Policy
SW-QMS-POL-001: Quality Policy
SW-EMS-POL-001: Environmental Policy
SW-ISMS-POL-001: Information Security Policy

Registers:

SW-ISMS-SOA-001: Statement of Applicability
SW-IMS-REG-001: Integrated Risk Register
SW-EMS-REG-001: Environmental Aspects Register
SW-ISMS-REG-002: Asset Register

ISO Standards:

ISO 9001:2015 - Clause 9 (Performance Evaluation)
ISO 14001:2015 - Clause 9 (Performance Evaluation)
ISO 27001:2022 - Clause 9 (Performance Evaluation)

Document Control

Version	Date	Author	Changes
1.0	[TBD]	[Author]	Initial release

Approval

Role	Name	Signature	Date
IMS Owner
CEO