Sample ISMS Metrics and Measures
| Annex A Domain # | ISO 27001:2013 Annex A Domain | Metrics Short Name | Objective of Metrics | Metrics | Positive / Negative Metrics | Frequency | Target Measure | Task Responsible Function | Source of Data |
|---|---|---|---|---|---|---|---|---|---|
| 7 | Human resource security | Background Screening Latency | To ensure all staff are checked prior to granting access to classified ACME information. | # of cases where personnel have commenced employment prior to completion of background screening. | Decreasing is better | Semi-Annually | Absolute | | Human Resources |
| 8 | Asset Management | Effective coverage of Media Disposal | To identify the extent of data loss because of media going out of ACME without appropriate disposal treatment. | # of devices disposed as per the secure disposal policy / total # of non-returnable devices going out of premise x 100 = Percentage of devices securely disposed. | Increasing is better | Monthly | Percentage | | Manual - media disposal and material movement register |
| 9 | Access Control | Inactive ID > 90 in Isolated systems not interfacing with active directory for user access management | To ensure that the user accounts which are no longer in use (e.g. unused, backup, temporary accounts) are disabled in the system, or else they may be misused for illegal access. | # of user IDs that have been inactive for more than 90 days and not disabled in isolated systems. | Decreasing is better | Monthly | Absolute | | Manually on isolated systems. |
| 9 | Access Control | Active IDs in AD - Separated Staff | To ensure that the user accounts which are no longer in use (due to termination of employment / end of contract) are disabled in the system, or else they may be misused for illegal access. | # of IDs belonging to personnel who are no longer employed or contracted but are not disabled or removed from Active Directory. | Decreasing is better | Monthly | Absolute | | Access reconciliation between the Active Directory and Human Resource staff list. |
| 9 | Access Control | Active IDs in Isolated systems (not interfacing with active directory for user access management) - Separated Staff | To ensure that the user accounts which are no longer in use (due to termination of employment / end of contract) are disabled in the system, or else they may be misused for illegal access. | # of IDs belonging to personnel who are no longer employed or contracted but are not disabled or removed from isolated systems. | Decreasing is better | Monthly | Absolute | | Access reconciliation between the Isolated Systems and Human Resource staff list. |
| 11 | Physical and environmental security | Latency between reported card loss & deactivation | To identify if the reported lost HID card can be misused during the period before deactivation. | # of proximity access cards not deactivated in the physical access control system within 'x' period (where 'x' is the agreed SLA). | Decreasing is better | Quarterly | Absolute | | Service Desk & physical access control system. |
| 12 | Operations Security | Coverage of AV deployment | To identify the number of systems not having corporate Anti-virus installed, and hence susceptible to malware and a potential source of problems in other corporate infrastructure. | # of systems discovered by AV server / # of systems in central asset repository x 100 = Percentage of systems covered by anti-virus program. | Increasing is better | Monthly | Percentage | | Anti-Virus server |
| 16 | Information Security Incident Management | Security incidents | To identify areas that may be vulnerable to security incidents and to work on a targeted risk management strategy and systemic issues. | # of incidents reported & Total # of incidents addressed in the agreed timescales (as per SLA) & # of repeated root causes associated with incidents. | Decreasing is better | Semi-Annually | Absolute | | Incident and Actions Register. |
| 18 | Compliance | Internal audits | To identify the security compliance with ACME Information security policy. | # of Extreme, Very High & High risks as an outcome of the internal audits. | Decreasing is better | Yearly | Absolute | | Manual |
| 18 | Compliance | Number of repeat findings | To manage / address multiple risks at one instance for closure. | # of repeat findings as an outcome from both internal & external audits. | Decreasing is better | Yearly | Absolute | | Manual |
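The three Annex A.9 (Access Control) metrics in the table are produced by the same two checks: reconciling an account export against the HR list of currently employed or contracted staff, and flagging enabled accounts with no logon in more than 90 days. The script below is an added example, not part of the original metrics document and not ACME's own tooling; the account exports, HR staff list and reporting date are constructed sample data, and the record shape (`id`, `owner`, `enabled`, `last_logon`) is an assumption standing in for whatever an Active Directory or isolated-system export actually produces.

```python
"""Added example: computing the Annex A.9 access-control metrics from the
table (Inactive ID > 90 in isolated systems; Active IDs in AD - Separated
Staff; Active IDs in isolated systems - Separated Staff).

Assumptions (not from the metrics document): each account export is a list of
dicts with 'id', 'owner' (HR personnel number, or None for service/shared
accounts), 'enabled' and 'last_logon'; the HR staff list is the set of
personnel numbers currently employed or contracted.
"""
from datetime import date, timedelta

INACTIVITY_THRESHOLD_DAYS = 90        # threshold used by the table's metric

# --- Constructed sample data (reporting date and exports are invented) ---
AS_OF = date(2024, 6, 30)             # monthly measurement date

HR_ACTIVE_STAFF = {"E1001", "E1002", "E1004"}   # currently employed / contracted

AD_ACCOUNTS = [
    {"id": "jsmith", "owner": "E1001", "enabled": True,  "last_logon": date(2024, 6, 28)},
    {"id": "akhan",  "owner": "E1002", "enabled": True,  "last_logon": date(2024, 6, 29)},
    {"id": "bolsen", "owner": "E1003", "enabled": True,  "last_logon": date(2024, 5, 2)},   # separated, still enabled
    {"id": "cwong",  "owner": "E1005", "enabled": False, "last_logon": date(2024, 1, 10)},  # separated, already disabled
]

ISOLATED_SYSTEM_ACCOUNTS = [
    {"id": "scada_op1",  "owner": "E1001", "enabled": True,  "last_logon": date(2024, 6, 20)},
    {"id": "backup_svc", "owner": None,    "enabled": True,  "last_logon": date(2024, 1, 5)},   # inactive > 90 days
    {"id": "temp_cont",  "owner": "E1006", "enabled": True,  "last_logon": date(2024, 2, 14)},  # separated and inactive
    {"id": "old_admin",  "owner": None,    "enabled": False, "last_logon": date(2023, 11, 1)},  # disabled: not counted
]


def separated_staff_active_ids(accounts, hr_active_staff):
    """IDs that are still enabled but whose owner is no longer on the HR active list.

    Accounts with no owner (service or shared accounts) cannot be attributed to a
    person, so they are left to the inactivity metric rather than counted here.
    """
    return sorted(
        a["id"] for a in accounts
        if a["enabled"] and a["owner"] is not None and a["owner"] not in hr_active_staff
    )


def inactive_ids_not_disabled(accounts, as_of, threshold_days=INACTIVITY_THRESHOLD_DAYS):
    """IDs still enabled with no logon for more than threshold_days before as_of."""
    cutoff = as_of - timedelta(days=threshold_days)
    return sorted(a["id"] for a in accounts if a["enabled"] and a["last_logon"] < cutoff)


def access_control_metrics(ad_accounts, isolated_accounts, hr_active_staff, as_of):
    """The three absolute measures from the table; for all of them, decreasing is better."""
    return {
        "inactive_gt_90_isolated_not_disabled": len(inactive_ids_not_disabled(isolated_accounts, as_of)),
        "active_ids_ad_separated_staff": len(separated_staff_active_ids(ad_accounts, hr_active_staff)),
        "active_ids_isolated_separated_staff": len(separated_staff_active_ids(isolated_accounts, hr_active_staff)),
    }


if __name__ == "__main__":
    results = access_control_metrics(AD_ACCOUNTS, ISOLATED_SYSTEM_ACCOUNTS, HR_ACTIVE_STAFF, AS_OF)
    for name, value in results.items():
        print(f"{name}: {value}")
```

On the constructed data the script reports two enabled-but-inactive IDs on the isolated system (`backup_svc`, `temp_cont`), one separated-staff ID still enabled in AD (`bolsen`) and one on the isolated system (`temp_cont`); `cwong` and `old_admin` are not counted because they are already disabled, which is the state the metric wants to drive every stale account to. Feeding real exports in means only replacing the sample lists with parsed data in the same shape.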