Defining KPIs for ISO 27001

Key Performance Indicators (KPIs) are of crucial importance for telling if an organization is on the right path toward achieving its goals. A framework called the Balanced Scorecard has been around for more than 20 years, and already works with the KPI concept.

However, the need to monitor and measure new processes and activities related to information security continues to increase, while the resources available for these tasks are often quite limited. We therefore have to define the most relevant and cost-effective KPIs, and the ways to work with them, because this is the best way to support decision makers in an organization.

ISO 27001 is the leading standard for information security management. It recognizes the importance of KPIs through clauses 5.1 a) and 6.2, which cover communicating the importance of information security management and setting information security objectives. Several other clauses help define those objectives.

Features of the ISO 27001 Key Performance Indicators

  • They are business relevant. ISO 27001 clearly states why we must measure and evaluate the KPIs. Clause 4.2 highlights the importance of understanding the needs and expectations of all interested parties. In practice, this means supporting existing business objectives or evidencing the fulfillment of contracts, laws and regulations.
  • They are process integrated. The KPIs should not affect or change the usual activities required to deliver the product or service, and they should require the least amount of extra work possible. ISO 27001, clause 5.1 b), states that the requirements of an ISMS should be fully integrated into the organization's processes. Good examples of such integration include adopting existing KPIs, or making small changes to forms we already use to gather information.
  • They are assertive. An assertive indicator is straight to the point, showing exactly which process steps, organizational areas, or resources we need to address. For example, a KPI related to the number of failed backup recovery tests explicitly limits the scope to the backup process alone.

Defining KPIs Based on the PDCA Cycle
ISO management standards follow a PDCA (Plan-Do-Check-Act) sequence. The following examples show KPIs we can use to get a full view of ISMS performance across that cycle:

One of the important ISO 27001 KPIs is the percentage of business objectives supported by the ISMS. This indicator shows how well the ISMS supports the business: the higher the value, the more ISMS resources are aligned with and integrated into the business in question. We can obtain this information from the ISMS Policy.

Another indicator is the percentage of risk treatment actions that contain cost/benefit estimates. This KPI evidences risk treatment maturity: the higher the value, the more fact-based the risk treatment decisions are. We can obtain this information from the Risk Assessment and Treatment Report (which identifies the impact value of risks that occur), compared with the Risk Treatment Plan (which identifies the cost of implementing controls).

The next KPI is the percentage of contracts containing information security clauses. This indicator shows to what extent the deliverables a business provides or receives are legally backed on information security aspects (e.g. availability, confidentiality, integrity, and continuity). The higher the value, the better supported the relationships with clients and suppliers are. We can retrieve this information by comparing the number of contracts with Non-Disclosure Agreements or information security clauses against the total number of contracts.

A major KPI tracks security-related productivity loss. Productivity loss caused by information security events directly reflects the performance of the ISMS. We can obtain this information from daily productivity reports.

The following KPI concerns the number of undelivered products, and it is just as important as the loss of productivity: it is an extremely important measurement for determining how effective an ISMS really is. We can acquire this information from marketing reports.

Incident resolution time is the next ISO 27001 key performance indicator. It is a crucial measurement for determining the efficiency of the ISMS. We can find this information in incident reports.

Another important ISO 27001 KPI is the percentage of reviewed controls. This indicator evidences how many of the security controls are actually being reviewed: the higher the value, the more controls are being evaluated. We can obtain this information by taking the controls listed in the Risk Treatment Plan and comparing them against Incident Logs, Audit Reports, and Management Review Minutes.

The next indicator is the ratio of improvement initiatives to corrective actions. This KPI evidences the maturity of the ISMS with respect to change: the lower the result, the more proactive the organization. This means the company is working to improve results and prevent losses rather than spending its time correcting existing errors or problems. We can acquire this information from audit reports and management review minutes.

Use the ISO 27001 KPIs to Your Advantage
By using the proper ISO 27001 KPIs, organizations can validate previous decisions by evidencing that the implemented actions were genuinely effective. More importantly, they can use the KPIs to present factual evidence that justifies their executive decisions.

Companies need strong cases for updating their equipment or acquiring new technology, and consistent, robust data on how their decisions will affect the interested parties and the business as a whole. The ISO 27001 KPIs support the case for making changes or taking corrective actions. Therefore, by taking advantage of the ISO 27001 KPIs, you will be able to make more informed business decisions and avoid potential problems.
