When it comes to ISO 27001, it’s vital that you keep track of your ISMS’s effectiveness. Although ISO 27001 doesn’t prescribe exact KPIs or outline how to track your ISMS’s effectiveness, it’s important to regularly evaluate the performance of your security measures.
To make life a little bit easier, we’ve defined some examples of ISO 27001 KPIs, such as security incidents, employee training, and incident response time to help you improve your information security posture.
Why compliance and why ISO 27001 KPIs?
The number of valid ISO 27001 certificates worldwide jumped from 36,000 in 2019 to 58,000 in 2021.
Why? Because data breaches and cyber-attacks are on the increase, driven by ever more complex online systems and a growing number of illicit industries that trade in data.
Because of the complexities of online security, Information Security compliance is vital. But, just like cyber security, compliance is an ever-changing, complex process and although it would be great to be able to get certified and then kick back and relax, that’s just not realistic.
Leading up to, during and after ISO 27001 certification, your organisation needs to stay on top of your ISMS, constantly tracking its performance.
The best way to do this is to devise ISO 27001 KPIs that you can use to ensure that you stay on track with your security management.
The ISO 27001 standard outlines best practices for information security, and tracking KPIs allows organisations to identify areas for improvement. ISO 27001 KPIs ensure optimal ISMS functionality.
In their article “2020 ISO Survey of Management System Standards reveals 17% increase in certifications”, the CQI states that there are many factors that are “changing the world of work, including digital transformation and Quality 4.0, and the demands of building a sustainable future.”
In order to keep up with this transformation, compliance is a necessary pillar in every business. And, like any performance pillar, compliance should be tracked using KPIs.
What is a KPI?
By definition, a Key Performance Indicator (KPI) is ‘a set of quantifiable measurements used to gauge a company’s overall performance’ (Investopedia).
How to define your ISO 27001 KPIs
When it comes to ISO 27001, KPIs should be defined to ensure that your company is meeting its security objectives.
Using Chapter 9 of ISO 27001 is a good starting point for defining a set of KPIs. After all, Chapter 9 requires that organisations evaluate how their ISMS is performing and how effective it is.
Chapter 9 states that, “The organisation shall determine what needs to be monitored and measured, including information security processes and controls.”
Using this instruction, you can quite easily decide which aspects of your ISMS will require KPIs.
Once you’ve determined this, in order to track a KPI, you (or rather, management) should assign an objective to each measurable goal.
Examples of ISO 27001 KPIs
Let’s take a look at some examples of ISO 27001 KPIs.
1. Security Incidents
A great example of a KPI that can be assigned an objective and then tracked is ‘Security Incidents’.
ISO defines a security incident as, “an unwanted event that could endanger the confidentiality, integrity, or availability of information”.
Your senior management might decide that your company should achieve a goal of fewer than 3 incidents per month. Or, they could create a relative objective, e.g., ‘Reduce security incidents by 33% this month’.
Of course, the parameters of the KPI will be different depending on your business and industry. The great thing about creating your own KPIs is that management can adapt them depending on what’s happening in the organisation. So, as you grow, you can tighten the parameters of your KPIs; if you find that your KPIs are too restrictive, you can relax them.
As long as you meet your ISMS objectives and remain true to your ISO 27001 certification, your KPIs are yours to define.
In its article ‘Cybersecurity Risk Management for Tech Companies’, Security Scorecard suggests using the following security incident metrics to define your security incident KPI:
- Mean Time to Detect
- Alarm Time to Triage
- Alarm Time to Qualify
- Mean Time to Acknowledge
- Mean Time to Investigate
- Mean Time to Resolve
- Mean Time to Contain
- Mean Time to Recover
- Cost Per Incident
- Number of Incidents per Device or Host
- Mean Time Between Failures
2. Percentage of security incidents resolved within a target time
Keeping track of security incidents is one thing, but aiming to resolve them within a certain time is vital.
This KPI measures the effectiveness of an organisation’s incident management process in responding to and resolving security incidents in a timely manner.
The resolution time per incident will depend on:
- The severity of the incident.
- The organisation’s risk management strategy.
- The resources and capabilities of the organisation.
When creating objectives for this KPI, the following are reasonable metrics for a standard organisation:
- Resolve serious security incidents within 24 hours.
- Resolve less serious security incidents within 72 hours.
To determine how effective the incident resolution strategy is, once the target resolution times have been established, you will need to ascertain:
- The number of vulnerabilities identified
- The percentage of vulnerabilities remediated within a target time.
Using this KPI, you can minimise the potential impact on your company’s operations and, therefore, its reputation. It also provides valuable information for management to evaluate the effectiveness of your organisation’s ISMS and make informed decisions on resource allocation and process improvement initiatives.
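The 24-hour and 72-hour targets above, together with the mean-time metrics from the Security Scorecard list in section 1, can be computed directly from an incident log. The following is an added example (not code from the original article or from Security Scorecard); it assumes a constructed lifecycle record per incident and the severity labels “serious” and “minor”.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Target resolution times from the article: 24 h for serious incidents and
# 72 h for less serious ones. The two severity labels are an assumption.
TARGETS = {"serious": timedelta(hours=24), "minor": timedelta(hours=72)}

@dataclass
class Incident:
    ident: str
    severity: str           # "serious" or "minor"
    occurred: datetime      # when the unwanted event actually began
    detected: datetime      # when monitoring or a report surfaced it
    acknowledged: datetime  # when an analyst took ownership
    contained: datetime     # when further impact was stopped
    resolved: datetime      # when the incident ticket was closed

def _mean_hours(incidents, start, end):
    """Mean elapsed hours between two lifecycle timestamps."""
    return mean((getattr(i, end) - getattr(i, start)).total_seconds() / 3600
                for i in incidents)

def incident_metrics(incidents):
    """Mean-time metrics (detect, acknowledge, contain, resolve) in hours."""
    return {
        "mttd": _mean_hours(incidents, "occurred", "detected"),
        "mtta": _mean_hours(incidents, "detected", "acknowledged"),
        "mttc": _mean_hours(incidents, "detected", "contained"),
        "mttr": _mean_hours(incidents, "detected", "resolved"),
    }

def pct_resolved_within_target(incidents, targets=TARGETS):
    """Percentage resolved within the target for each severity, plus overall."""
    result = {}
    for sev in list(targets) + ["all"]:
        group = [i for i in incidents if sev == "all" or i.severity == sev]
        on_time = sum(i.resolved - i.detected <= targets[i.severity] for i in group)
        result[sev] = round(100 * on_time / len(group), 1) if group else None
    return result

def _t(day, hour, minute=0):
    return datetime(2024, 3, day, hour, minute)

# Constructed sample incident log (not real data).
SAMPLE = [
    Incident("INC-1", "serious", _t(1, 8), _t(1, 9), _t(1, 9, 30), _t(1, 12), _t(1, 20)),
    Incident("INC-2", "serious", _t(2, 1), _t(2, 5), _t(2, 6), _t(2, 18), _t(3, 10)),
    Incident("INC-3", "minor", _t(3, 10), _t(3, 10, 30), _t(3, 11), _t(3, 15), _t(5, 9)),
    Incident("INC-4", "minor", _t(4, 9), _t(4, 11), _t(4, 14), _t(5, 9), _t(7, 12)),
    Incident("INC-5", "minor", _t(6, 14), _t(6, 14, 30), _t(6, 15), _t(6, 17, 30), _t(7, 9, 30)),
]
```

Reporting the percentage per severity, not just overall, matters because a single late serious incident is hidden by an otherwise good overall figure.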
3. Percentage of Systems Protected by Anti-Malware Software
When it comes to caught infections, the number will vary depending on the effectiveness of your anti-malware software. So, the number of infections caught might increase because you have superior anti-malware tooling, not necessarily because there are more infections than usual.
Your KPI for determining the effectiveness of your anti-malware software should therefore depend on what percentage of systems are protected and have:
- anti-virus tools installed and enabled.
- up-to-date anti-malware signatures.
- specific anti-malware tools or features installed and active.
To measure this KPI, determine the number of systems that require anti-malware protection and the number of systems that have the protection in place. You can then calculate the percentage of systems protected by anti-malware software by dividing the number of systems with anti-malware protection by the total number of systems requiring protection.
4. Number of Employees Responsible for Information Security
Clause 5.3 is about management ensuring that roles, responsibilities and authorities are clear when it comes to appointing a team that is responsible for the ISMS.
Some organisations can use existing staff and shouldn’t need to appoint new staff members, while some will need to bring in external contractors or new employees.
It’s important that your organisation ensures that there’s one person who is responsible overall and that certain roles are filled. Remember, however, that one person can cover more than one role.
The responsibility for ISMS should take a top-down approach with management leading the way and, in fact, a senior executive could quite easily take on the role of, for example, a Chief Information Security Officer.
In a larger organisation, however, this might need to be a full time job.
The KPI for ‘Number of Employees Responsible for Information Security’ should be defined by:
- Are there enough employees to focus on key parts of the ISMS?
- Is there one person who is accountable overall?
- Have the roles been communicated to relevant parties?
Usually the following roles are necessary to ensure that the ISMS is defined and maintained:
- Security Leadership
- Security Risk Management
- Internal Audit
- Control Owners
Percentage of checks performed to ensure compliance with firewall policy
Firewalls are a key component of your ISMS and are used to protect networks and systems from unauthorised access. Ensuring compliance with firewall policies is crucial for maintaining the effectiveness of the ISMS and protecting sensitive information.
When defining the objectives of this KPI, consider:
- Tracking the percentage of checks performed to ensure that firewalls are configured according to your organisation’s policies and procedures.
- Ensuring that access controls are configured correctly, rules are up-to-date, and any changes are approved and documented.
To accurately measure the effectiveness of your firewall policy compliance, you also need to consider:
- The quality of the checks.
- The outcomes of the checks.
- The actions taken as a result of the outcomes.
To make sure that your KPIs are useful and accurate, it’s vital that you:
- Establish clear policies and procedures for configuring and managing firewalls;
- Ensure that the checks are performed by qualified and trained personnel;
- Document the outcomes and actions taken;
- Use the results of the checks to drive continuous improvement of your firewall policies and procedures.
5. Number of Improvements identified
This KPI measures your organisation’s ability to identify areas for improvement in the information security processes and take action to address them.
Improvements can be found during ISMS activities such as security meetings or regular internal audits of your organisation’s ISMS which will help you to assess its compliance with the requirements of the ISO 27001 standard.
During these activities, your team will identify areas where the ISMS can be improved, such as in policies, procedures, or controls.
Once these areas have been identified, your organisation must:
- Track the number of improvements that have been identified.
- Prioritise the improvements based on their potential impact on the organisation’s information security posture.
- Take action to address these improvements, whether through changes to policies, procedures, or controls, or by implementing new technologies or training programmes.
By monitoring the number of improvements identified and tracking their implementation, you can improve the effectiveness of your ISMS and minimise the risk of security incidents.
This KPI also provides valuable information to your senior management to evaluate the effectiveness of your organisation’s information security programme and make informed decisions on resource allocation and process improvement initiatives.
By regularly identifying and addressing areas for improvement, you can maintain a strong information security posture. You’ll also maintain the confidentiality, integrity, and availability of your sensitive information assets.
6. Number of nonconformities identified
To find out more about what constitutes a nonconformity, check out our article 10 ISO 27001 Non-Conformance Examples, Both Minor and Major.
Non-conformities can be identified through internal audits, external audits, or other reviews of the ISMS.
Tracking the number of nonconformities identified can provide valuable insights into the effectiveness of the ISMS implementation. A high number of nonconformities may indicate that the ISMS is not being implemented effectively, that there are gaps in your company’s information security practices, or that there is a lack of understanding of the requirements of ISO 27001.
However, it is important to note that the number of nonconformities alone is not necessarily an indicator of the effectiveness of the ISMS. You’ll need to consider:
- The repetition of nonconformities between audits;
- The severity of each nonconformity;
- The impact of each nonconformity;
- The actions taken to correct them.
A small number of critical nonconformities may be more concerning than a larger number of minor nonconformities.
You also shouldn’t just focus on reducing the number of nonconformities identified. Instead, use this KPI as a tool to continuously improve your ISMS and information security practices.
That means you’ll have to:
- Regularly review and update policies and procedures;
- Conduct thorough risk assessments;
- Implement effective security controls.
7. Speed of improvement resolution following management reviews
The purpose of management reviews is to evaluate the performance of the ISMS, identify areas for improvement, and ensure that the system is aligned with your organisation’s goals and objectives. The management review can also provide insights into the level of commitment and engagement of top management in the organisation’s information security practices.
Management reviews should be conducted at least annually, or more frequently if required by your risk management strategy.
Tracking how quickly improvements are performed following a management review can help you to ensure that your company is meeting the requirements of the ISO 27001 standard.
This KPI will be affected by the following factors:
- The quality of management reviews.
- The speed at which the outcomes of the review are noted and actioned.
- The actions taken as a result of the findings of the reviews.
To ensure that management reviews are effective, you might want to:
- Establish clear objectives.
- Outline clear criteria.
- Ensure that appropriate stakeholders are involved.
- Assign timelines to improvements.
- Document the outcomes and actions taken.
8. How improvements from information security risk assessments (ISRAs) are addressed
Without information security risk assessments, an ISMS has little value. Security risk assessments identify potential risks to your information assets and establish appropriate controls to mitigate those risks.
As part of your objectives for this KPI, you should:
- Establish clear risk assessment methodologies and criteria;
- Involve appropriate stakeholders in the risk assessment process;
- Document the outcomes and actions taken.
Tracking how improvements from risk assessments are implemented can help you:
- Ensure that your company is speedily and effectively addressing potential risks to your information assets.
- Identify trends in risk assessment effectiveness.
- Identify trends in risks, such as an increase in the number or severity of identified risks over time.
- Identify areas that require additional attention and resources.
9. Percentage of business initiatives supported by the ISMS
One of the key requirements of ISO 27001 is to ensure that your ISMS aligns with and supports your organisation’s business objectives, initiatives and strategies. The percentage of business initiatives supported by the ISMS is a KPI that measures the effectiveness of this alignment.
To measure this KPI, you should review your project management systems or consult with project managers to:
- Determine the number of business initiatives or projects underway;
- Ascertain the number of those initiatives or projects that are supported by the ISMS;
- Identify all ongoing business initiatives, projects, and programmes that require information security support.
To monitor the percentage of business initiatives supported by the ISMS for ISO 27001, you should:
- Evaluate the level of support provided by the ISMS for each business initiative.
- Calculate the percentage of business initiatives supported by the ISMS.
- Establish a reporting process to monitor the KPI over time. This reporting process should include regular updates on the number of initiatives supported by the ISMS and the percentage of supported initiatives.
- Analyse the results to identify trends and areas for improvement.
- Based on the results of the analysis, take corrective action to improve the level of support provided by the ISMS for business initiatives. This may include adjusting information security controls or increasing the resources dedicated to the ISMS.
10. Capacity Management
It’s important to balance the level of capacity that a customer requires with the resources (both operating and planned) that are available.
According to mITSM, “Information Capacity Management contributes to an integrated Service Management approach by achieving the following activities:
- Identifying and defining the internal and external capacity requirements
- Planning of capacity procedures
- Developing the capacity plan
- Creating a capacity chapter in the SLA and Service Description
- Managing the implementation of capacity actions
- Application sizing
- Evaluating the capacity procedures and capacity measures (including analysis of capacity peaks)
- Capacity reporting
- Capacity improvement
- Maintaining a Capacity Database (CDB)”
Using these activities as a guideline, you can create a KPI around capacity management that is easily monitored.
To monitor capacity management as a KPI for ISO 27001, you should compare performance to the established targets by:
- Regularly gathering data on resource usage.
- Tracking any deviations from targets.
- Investigating any issues that arise.
ISO 27001 KPIs: the key to great security performance
According to a 2022 study published by Encore, 54% of surveyed CISOs said that their board didn’t provide ample funding for information security. At the same time, the average cost of data breaches worldwide escalated to $4.35 million.
It’s clear, therefore, that with cyber-threats on the increase it’s vital to implement compliance standards that validate your information security systems.
Using ISO 27001 KPIs to track the effectiveness of your ISMS will help you to convince your board that not only is ISO 27001 certification important, it’s also quantifiable, qualifiable and absolutely vital.