Efficiency and productivity are discussed in many contexts. In information security management, it also makes sense to ensure processes are working effectively. But how do you measure whether your information security is effective and whether it is developing in the right direction?
Organisations that are using the ISO 27001 standard are to ensure ongoing improvements in their ISMS (Information Security Management System). Chapter 9 of the standard deals specifically with measurements. It says you shall define the processes and controls you will measure and you shall describe how, when, and who should perform the measurements. You are also to decide who will assess the results of the measurements and how to do it. You need to decide if the outcome is “good enough".
This makes good sense in most companies, but ISO 27001 does not offer any guidance on which KPIs (Key Performance Indicators) it makes sense to measure or how to do it. We have prepared a guide with several proposed ISO 27001 KPIs, metrics, KPIs, or measuring points, if you will, that can be used to take the temperature of your ISMS processes. When you measure at appropriate intervals, you can see whether or not your ISMS develops as desired and if it has the effectiveness that you want.
An ISMS measurement is a measure of whether a process is running, as opposed to measuring a specific security control. Some examples:
To measure whether your controls work, you can perform internal audits or use common control measurements such as how much spam is caught by your spam filter, how many viruses are captured by your anti-virus, the number of attacks detected by your intrusion detection system or firewall, uptime/downtime, and other quantitative measurements. When you measure the processes, you measure improvements against targets or compare them with previous periods. Measures could be the percentage of security tasks performed within the agreed time, the number of employees who have acknowledged the bring-your-own-device rules or the latest security policy update within one month, or the average time that is used to correct deviations from policy or compliance requirements.
The guide focuses on your ISMS processes, as there are plenty of other sources suggesting security control metrics. To make it short, ISMS metrics measure the value and effectiveness of the processes that make up your information security management system. Thus, ISMS metrics enable you to show changes over time, to e.g. report improvements and efficiency to management.
Want to measure the efficiency of your ISMS?
Get instant access to a free trial of our compliance planner and check your compliance level.
|