Having an ISMS (Information Security Management System) allows you, as a company, to demonstrate to your customers, suppliers and government organisations that you guarantee information security.

Fortunately, more and more companies understand the importance of implementing one, thanks to growing awareness of “information security” among senior management (note that we are talking about information and not IT). An ISMS can be certified against the ISO/IEC 27001 standard, but such certification isn’t necessary in order to show that you have a mature ISMS. It does, however, help ensure that the information being handled complies with the requirements and stages of the Deming cycle:

  • Plan
  • Do
  • Check
  • Act

Okay but… as a CISO, how do I show senior management the usefulness of implementing an ISMS?

In this article we are going to talk about the implementation of two types of indicators or metrics. We will talk about Key Performance Indicators, known as KPIs, when we want to reflect the achievement of a result that is relevant to the organisation’s activity. On the other hand, we will talk about Key Risk Indicators, or KRIs, when a metric gives us warnings about risk in operational areas.

So, what does an indicator provide?

Indicators are simply general assessment metrics on the efficiency or risk of an ISMS implemented in accordance with the ISO/IEC 27001 standard. In this way, an indicator allows us to monitor the commitment of senior management as far as information security is concerned.

Consequently, when working to a management standard, the main role falls on these indicators, which can be presented and managed through a scorecard. Specifically, what we aim to do is present senior management with a periodic report (monthly, quarterly or annual, depending on the needs of the organisation) on the management of information system security within the entity.

From my experience, I recommend that each indicator be tracked over time and, in turn, have a target value. This way we set an objective we want to reach for a correctly functioning ISMS.

The objectives should be appropriate to the metrics’ trends. For example, if an indicator were “percentage of secure jobs” and stood at 100%, there would be no room for improvement after that point.

The main indicators relate to the following domains, which are related to Annex A, Control Objectives, of the ISO/IEC 27001 and ISO 20000-1 standards, although other frameworks can be used:

  • Risk management
  • Security control
  • Systems life cycle
  • Security plans
  • Security in Human Resources
  • Physical protection of work offices
  • Safety in the workplace
  • Control of incoming/outgoing information
  • Business continuity
  • Maintenance and updates of hardware and software
  • Documentation for policies, processes, guides and technical instructions
  • Employee awareness
  • Incident response

Graphically, we could generate a domain chart that would allow us to see the maturity of the ISMS. If we use the domains of ISO/IEC 27001, such a chart visually shows senior management a “photograph” of the company’s state of information security.

Each domain has indicators, each of which can have its own form of data extraction, so the lists of indicators can be kept in a simple spreadsheet.

In the next post, we will give some examples of KPIs and KRIs that are useful for management.



With a Computer Engineer degree from the UPV, he decided to study a Master’s Degree in Information Security Technologies at the Open University of Catalonia to expand his knowledge of information security. He is currently working at Sothis, supporting the Department of Information Security Governance. His objective is to help organisations adopt a more secure view in their use of information.