Defining KRI's for Risks
Hi
I have a risk register that I am maintaining for ISMS. I have different types of risks which are defined in the risk register. Now I need to define KRIs for each risk. How can I do it, as it will be a lengthy process and I have never done it before? For this practice, I need to analyze each risk in the risk register for a measurable metric, which is a difficult task. Please advise how I can do it in a simple way.
Thanks
First, it is important to note that ISO 27001 does not require the definition of Key Risk Indicators (KRIs). For performance evaluation, you should consider metrics related to the processes and/or assets to which the most relevant risks are related.
For a selection of indicators you should consider these criteria:
- Business relevant: the indicator should be aligned to clear business objectives or legal requirements, for example, the Return On Security Investment (ROSI).
- Process integrated: activities to collect the necessary data for a KPI should add the least amount of work possible.
- Assertive: the indicator should be capable of pinpointing relevant issues, for example, a KPI related to the number of failed login attempts explicitly limits the scope to the login process.
These articles will provide you with further explanation about key performance indicators for ISO 27001:
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
Jan 05, 2020