Expert Advice Community

Information Security metrics

Guest
Guest user Created:   Nov 25, 2016 Last commented:   Nov 25, 2016

I need to know how to define metrics for measuring ISO 27001?
Expert
Rhand Leal Nov 25, 2016

Answer: A metric is something used to verify whether an effort is leading toward defined objectives. Thus, good metrics for ISO 27001 must:

- Be closely related to information security objectives (clause 6.2), or you will end up with metrics that no one will care about. For example, for the objective "information security culture disseminated in the organization", a good metric would be "number of employees who know the security policy", or "employees' knowledge level about information security practices".
- Be capable of expressing the effort's results in a way that makes sense to the objective. In the examples, the "number of employees" and the "knowledge level" provide you with a good perception of how disseminated the information security culture is.
- Represent only a tiny fraction of the effort to achieve the result. Generally, well-planned processes and projects already possess internal metrics that can be used, so no new measurement effort is needed. Still considering the example, training effectiveness evaluation and personnel performance evaluation, common HR practices, can be used to provide the data.

This article will provide you with further explanation about defining metrics:
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

These materials will also help you regarding metrics definition:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
