Expert Advice Community

Guest

Measuring success of Information Security

  Quote
Guest
Guest user Created:   Apr 01, 2021 Last commented:   Apr 01, 2021

Measuring success of Information Security

1- I'm I right to say or think that we measure the success of Information Security by defining Key Performance Indicators (KPIs) for each Information Security Program?

2 - If so, how does one measure the success of the information Security program according to ISO27001. 

3 - Again, what specific KPI examples can you mention to me?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Apr 01, 2021

1- I'm I right to say or think that we measure the success of Information Security by defining Key Performance Indicators (KPIs) for each Information Security Program?

It is correct to think that you need to define measurable objectives to evaluate the Information Security program's performance, but please note that you do not need to have one KPI specific for each Information Security Program. You can have several programs linked to a single KPI. For example, a KPI can be percentual of cost reduction due to security incidents, and this one can be linked to an Information Security awareness and training program and to an Information Security Program for data loss prevention. 

2 - If so, how does one measure the success of the information Security program according to ISO27001. 

ISO 27001 does not prescribe how to measure the success of the Information Security program, so organizations are free to define the approach that better suits them.

For example, measurement can be made in terms of the evolution of the maturity of information security processes, or fulfillment of business objectives.

3 - Again, what specific KPI examples can you mention to me?

ISO 27001 does not prescribe which performance indicators should be adopted by organizations, and organizations must define them according to their own needs and objectives. Some common issues organizations should take into account when defining KPIs are:

  • Business relevant: indicator aligned to clear business objectives or legal requirements
  • Process integrated: a KPI should add the least amount of work possible into business processes.
  • Assertive: the indicator should be capable of pinpointing relevant issues that need attention.

As general examples we have:

  • Percent of business initiatives supported by the ISMS
  • Number of security-related service downtimes
  • Percent of controls assessment performed
  • Number of improvement initiatives

These articles will provide you a further explanation about performance indicators and security objectives:

Quote
0 0
Guest
Christian Aborgeh Apr 01, 2021

Thank you. Your explanations are clear and understandable.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Apr 01, 2021

Apr 01, 2021

Suggested Topics

Guest user Created:   Oct 08, 2021 ISO 27001 & 22301
Replies: 1
0 0

Supplier Security Policy

Mayank Created:   Sep 27, 2021 ISO 27001 & 22301
Replies: 1
0 0

Security Objectives