Expert Advice Community

Effectiveness of security controls

Guest user Created:   Sep 08, 2016 Last commented:   Sep 08, 2016

When assessing a risk, we sometimes assume that a particular risk may happen, so we determine some control measures. But that risk has not occurred yet; it was just a probability. In that case, how can we measure the effectiveness of the risk control we took to reduce the risk?
Antonio Jose Segovia Sep 08, 2016

For example: failure of a CNC machine is the identified risk. The CNC has not failed yet, but there is a chance it will.
In this case, we identified some mitigation plan, like:
a) keep another CNC machine as a backup
b) immediately call a technician for service
c) preventive maintenance shall be performed on the CNC machine at scheduled intervals.

So in this case the risk has not happened yet, so how can we measure the effectiveness of the risk control?

Answer:
If I have understood your question correctly, you want to monitor the effectiveness of security controls, and for this you can basically establish metrics for each control. For example, if you have the control A.12.3.1 Information backup for a particular risk, you can define this metric:

- Effectiveness of backup control = Backup fails / Total backup

In your case, the metric could be:

- Effectiveness of the CNC machine backup = Preventive maintenance performed / Preventive maintenance scheduled (in a year, or in a month, etc.)

For each metric, you can also define some parameters, like the frequency for monitoring the effectiveness (for example annually), the "objective value" (in your case, for example, 100%), etc.

This article may also be interesting for you, "How to perform monitoring and measurement in ISO 27001": https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/

And this free webinar may also be interesting for you, "ISO 27001 and ISO 27004: How to measure the effectiveness of information security?": https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/

Finally, these materials will help you learn more about how to review the effectiveness of security controls:
- free online training ISO 27001 Foundations Course: https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own: https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

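As an added illustration (not part of the reply above or of any Advisera material), the following Python script shows how the two metrics described in the answer can be defined once and then evaluated per review period against an objective value. The control identifiers, dates and outcomes are constructed sample records, and the `Metric` structure and function names are this example's own assumptions.

```python
"""Worked example of control-effectiveness metrics (added illustration,
not code from the original reply). A metric is a ratio of counted
activities per review period, compared against an objective value."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Metric:
    """Definition of one control-effectiveness metric (assumed structure)."""
    name: str
    control: str           # which control's activity records are counted
    counts_failures: bool  # True: numerator = failed activities (lower is better)
                           # False: numerator = completed activities (higher is better)
    objective: float       # target value, e.g. 1.0 for "100% performed"
    frequency: str         # review period: "monthly" or "annually"


# Constructed sample records (not real data): (control, date, activity succeeded?)
EVENTS = [
    ("CNC-PM", date(2016, 1, 8), True),
    ("CNC-PM", date(2016, 1, 15), True),
    ("CNC-PM", date(2016, 1, 22), True),
    ("CNC-PM", date(2016, 1, 29), True),
    ("CNC-PM", date(2016, 2, 5), True),
    ("CNC-PM", date(2016, 2, 12), False),   # scheduled maintenance not performed
    ("CNC-PM", date(2016, 2, 19), True),
    ("CNC-PM", date(2016, 2, 26), True),
    ("A.12.3.1", date(2016, 1, 3), True),
    ("A.12.3.1", date(2016, 1, 10), False),  # backup job failed
    ("A.12.3.1", date(2016, 1, 17), True),
    ("A.12.3.1", date(2016, 1, 24), True),
    ("A.12.3.1", date(2016, 1, 31), True),
    ("A.12.3.1", date(2016, 2, 7), True),
    ("A.12.3.1", date(2016, 2, 14), True),
    ("A.12.3.1", date(2016, 2, 21), True),
    ("A.12.3.1", date(2016, 2, 28), True),
]

# The two metrics from the reply: maintenance performed / scheduled (target 100%)
# and backup fails / total backups (target 0%).
METRICS = [
    Metric("CNC preventive maintenance", "CNC-PM", False, 1.0, "monthly"),
    Metric("Backup failures", "A.12.3.1", True, 0.0, "monthly"),
]


def period_key(day, frequency):
    """Bucket a date into the review period the metric is reported on."""
    if frequency == "monthly":
        return f"{day.year}-{day.month:02d}"
    if frequency == "annually":
        return str(day.year)
    raise ValueError(f"unsupported frequency: {frequency}")


def measure(metric, events):
    """Return {period: (numerator, denominator, ratio)} for one metric."""
    num = defaultdict(int)
    den = defaultdict(int)
    for control, day, ok in events:
        if control != metric.control:
            continue
        key = period_key(day, metric.frequency)
        den[key] += 1
        # Count failures when the metric tracks failures, successes otherwise.
        if ok != metric.counts_failures:
            num[key] += 1
    return {k: (num[k], den[k], num[k] / den[k]) for k in sorted(den)}


def evaluate(metric, events):
    """Map each period to 'OK' or 'BELOW TARGET' against the objective value."""
    result = {}
    for key, (_, _, ratio) in measure(metric, events).items():
        if metric.counts_failures:
            met = ratio <= metric.objective
        else:
            met = ratio >= metric.objective
        result[key] = "OK" if met else "BELOW TARGET"
    return result


def report(metrics=METRICS, events=EVENTS):
    """Evaluate every defined metric; this is what a periodic review would look at."""
    return {m.name: evaluate(m, events) for m in metrics}


if __name__ == "__main__":
    for name, periods in report().items():
        for period, status in periods.items():
            print(f"{name:30s} {period}  {status}")
```

The point of keeping `counts_failures` in the definition is that the two formulas in the reply point in opposite directions: a backup failure rate should stay at or below its objective, while a maintenance completion rate should stay at or above it, so the comparison has to be part of the metric definition rather than hard-coded.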