Wednesday, 23 April 2014

How to measure your ISO 27001 ISMS efficiency with KPIs

Efficiency and productivity are discussed in many contexts. In information security management, it also makes sense to ensure processes are working effectively. But how do you actually measure whether your information security is effective and whether it is developing in the right direction? Organisations that are using the ISO 27001 standard are to ensure ongoing improvements in their ISMS (Information Security Management System). Chapter 9 of the standard deals specifically with measurements. It says you shall define the processes and controls you will measure and you shall describe how, when and who should perform the measurements. You are also to decide who will assess the results of the measurements and how to do it. Basically you need to decide if the outcome is “good enough". This makes good sense in most companies, but ISO 27001 does not offer any guidance on which KPIs (Key Performance Indicators) it makes sense to measure or how to do it. Neupart has prepared a guide with a number of proposed metrics, KPIs or measuring points, if you will, that can be used to take the temperature of your ISMS processes. When you measure at appropriate intervals, you can see whether or not your ISMS develops as desired and if it has the effectiveness that you want. An ISMS measurement is a measure of whether a process is running, as opposed to measuring a specific security control. Some examples: In order to measure whether your controls work, you can perform internal audits or use common control measurements such as how much spam is caught by your spam filter, how many viruses are captured by your anti-virus, the number of attacks detected by your intrusion detection system or firewall, uptime/downtime, and other quantitative measurements. When you measure the processes, you measure improvements against targets or compare with previous periods. Measures could be the percentage of security tasks performed within the agreed time, the number of employees who has acknowledged the bring-your-own-device rules or the latest security policy update within one month, or the average time that is used to correct deviations from policy or from compliance requirements. The Neupart guide focuses on your ISMS processes, as there are plenty of other sources suggesting security control metrics. To make it short, ISMS metrics measure the value and effectiveness of the processes that make up your information security management system. Thus, ISMS metrics enable you to show changes over time, in order to e.g. report improvements and efficiency to management.    

You may also want to check out the efficient ISMS solution, SecureAware

We’d appreciate if you’d also share your experience or viewpoints on ISMS KPIs and metrics here below.


  1. The link to download ISO 27001 ISMS metrics guide doesn't seem to work.

  2. Hi! I just would like to give a huge thumbs up for the great info you have here on this post. I will be coming back to your blog for more soon. supplier quality control

  3. This information is really helpful to me. Thanks for upload.ISO 27001 lead auditor

  4. Awsome post. Its very interesting to read this post. ISO 27000 Certification