ISO 27001:2013 and KPIs
Answer: ISO 27001:2013 does not require you to use KPIs (key performance indicators); it does, however, require you to set the objectives, define how to measure them, define who will report on the results and when, and who will evaluate these results. And I agree with you that this is a very similar concept to KPIs.
In our Documentation Toolkit, these principles are outlined in the Information Security Policy, while the control objectives need to be defined through the Statement of Applicability. We didn't describe the objectives in detail because they will differ greatly from company to company; you can also use the suggested objectives that are stated in Annex A of ISO 27001.
Jan 12, 2016