Effectiveness of security controls
For example: failure of a CNC machine is the identified risk. But the CNC hasn't failed yet, although there is a chance.
In this case, we identified some mitigation plans like:
a) backup another CNC machine
b) immediate call for a technician to service it
c) preventive maintenance shall be performed for the CNC machine at scheduled intervals.
So in this case, the risk has not happened yet, so how can we measure the effectiveness of the risk control?
Answer:
If I have understood your question well, you want to monitor the effectiveness of security controls, and for this basically you can establish metrics for each control. For example, if you have the control A.12.3.1 Information backup for a particular risk, you can define this metric:
- Effectiveness of backup control = Backup fails / Total backup
In your case, the metric could be:
- Effectiveness of the CNC machine backup = Preventive maintenance performed / Preventive maintenance scheduled (in a year, or in a month, etc.)
For each metric, you can also define some parameters like the frequency for monitoring the effectiveness (for example annually), the “objective value” (in your case, for example, 100%), etc.
This article may also be interesting for you: “How to perform monitoring and measurement in ISO 27001”: https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
And this free webinar may also be interesting for you: “ISO 27001 and ISO 27004: How to measure the effectiveness of information security?”: https://advisera.com/27001academy/webinar/iso-27001-iso-27004-measure-effectiveness-information-security-free-webinar/
Finally, these materials will help you to know more about how to review the effectiveness of the security controls:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
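As an added illustration (not part of the answer above or any Advisera material), the following script computes the two metrics the answer defines, preventive maintenance performed / scheduled and backup fails / total backups, from a constructed monitoring log, groups them by the chosen monitoring frequency (monthly or annually) and checks each period against the metric's objective value. Event names, dates and the `Metric` class are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Metric:
    """One effectiveness metric: numerator / denominator, checked against an objective value."""
    name: str
    numerator: str          # event kind counted on top
    denominator: str        # event kind counted below
    objective: float        # target as a ratio: 1.0 means 100%, 0.0 means no failures
    higher_is_better: bool = True


# Constructed sample monitoring records (date, event kind); not real operational data.
EVENTS = [
    (date(2016, 1, 4), "maintenance_scheduled"), (date(2016, 1, 4), "maintenance_performed"),
    (date(2016, 2, 1), "maintenance_scheduled"), (date(2016, 2, 1), "maintenance_performed"),
    (date(2016, 3, 7), "maintenance_scheduled"),          # scheduled but never performed
    (date(2016, 1, 10), "backup_run"), (date(2016, 1, 17), "backup_run"),
    (date(2016, 1, 24), "backup_run"), (date(2016, 1, 24), "backup_failed"),
    (date(2016, 2, 7), "backup_run"),
]

METRICS = [
    # CNC control from the question: objective 100% of scheduled maintenance performed
    Metric("CNC preventive maintenance", "maintenance_performed", "maintenance_scheduled", 1.0),
    # A.12.3.1 metric as stated in the answer (failures over total): objective 0% failures
    Metric("Information backup (A.12.3.1)", "backup_failed", "backup_run", 0.0, higher_is_better=False),
]


def period_key(d: date, frequency: str) -> str:
    """Group a date by monitoring frequency: 'monthly' -> 'YYYY-MM', anything else -> 'YYYY'."""
    return d.strftime("%Y-%m") if frequency == "monthly" else d.strftime("%Y")


def measure(metric: Metric, events, frequency: str) -> dict:
    """Return {period: (value, meets_objective)}; value is None when nothing was measurable."""
    counts = defaultdict(lambda: [0, 0])          # period -> [numerator, denominator]
    for d, kind in events:
        key = period_key(d, frequency)
        if kind == metric.numerator:
            counts[key][0] += 1
        if kind == metric.denominator:
            counts[key][1] += 1
    result = {}
    for key, (num, den) in sorted(counts.items()):
        if den == 0:                              # no scheduled work / no backups: not demonstrated
            result[key] = (None, False)
            continue
        value = num / den
        ok = value >= metric.objective if metric.higher_is_better else value <= metric.objective
        result[key] = (value, ok)
    return result
```

Running `measure(METRICS[0], EVENTS, "annually")` shows the yearly view (2 of 3 maintenances performed, objective not met), while the monthly view pinpoints March 2016 as the period where the control was not applied.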
Sep 08, 2016