
ISMS Metrics Measurements

Each metric below is listed under its ISO 27001:2013 Annex A domain (number and name) with its short name, followed by these fields: Objective, Metric (the count or formula measured), Direction (whether an increasing or decreasing value is better), Frequency, Measure (absolute count or percentage) and Responsible function / data source.

A.7 Human resource security - Background Screening Latency
  Objective: Ensure all staff are screened before being granted access to classified ACME information.
  Metric: Number of cases where personnel commenced employment before their background screening was completed.
  Direction: Decreasing is better
  Frequency: Semi-annually
  Measure: Absolute
  Responsible function / data source: Human Resources

A.7 Human resource security - Security awareness programme coverage among employees
  Objective: Ensure employees are well informed about the information security practices within ACME and are aware of their information security responsibilities when handling ACME information, thereby reducing the number of incidents.
  Metric: Number of employees who have undergone security awareness training / total number of employees x 100 = percentage coverage of security awareness training.
  Direction: Increasing is better
  Frequency: Yearly
  Measure: Percentage
  Responsible function / data source: ISMS SSC

A.8 Asset management - Effective coverage of media disposal
  Objective: Identify the extent of potential data loss from media leaving ACME without appropriate disposal treatment.
  Metric: Number of devices disposed of as per the secure disposal policy / total number of non-returnable devices leaving the premises x 100 = percentage of devices securely disposed.
  Direction: Increasing is better
  Frequency: Monthly
  Measure: Percentage
  Responsible function / data source: Manual - media disposal and material movement register

A.9 Access control - Inactive ID > 90 days
  Objective: Ensure user accounts that are no longer in use (e.g. unused, backup or temporary accounts) are disabled, since an enabled dormant account can be misused for unauthorised access.
  Metric: Number of user IDs that have been inactive for more than 90 days and are not disabled in Active Directory.
  Direction: Decreasing is better
  Frequency: Monthly
  Measure: Absolute
  Responsible function / data source: Active Directory

A.9 Access control - Inactive ID > 90 days in isolated systems (systems not interfacing with Active Directory for user access management)
  Objective: Ensure user accounts that are no longer in use (e.g. unused, backup or temporary accounts) are disabled, since an enabled dormant account can be misused for unauthorised access.
  Metric: Number of user IDs that have been inactive for more than 90 days and are not disabled in the isolated systems.
  Direction: Decreasing is better
  Frequency: Monthly
  Measure: Absolute
  Responsible function / data source: Collected manually on the isolated systems

A.9 Access control - Admin accounts with password age > 90 days
  Objective: Identify privileged accounts that may be compromised and misused because password change controls required by the ACME password requirements are not applied.
  Metric: Number of admin accounts with password age greater than 90 days / total number of admin accounts x 100 = percentage of admin accounts not complying with the password requirements.
  Direction: Decreasing is better
  Frequency: Monthly
  Measure: Percentage
  Responsible function / data source: Active Directory and isolated systems

A.9 Access control - Active IDs in AD belonging to separated staff
  Objective: Ensure user accounts that are no longer in use (because of termination of employment or end of contract) are disabled, since an enabled leaver account can be misused for unauthorised access.
  Metric: Number of IDs belonging to personnel who are no longer employed or contracted but are not disabled or removed from Active Directory.
  Direction: Decreasing is better
  Frequency: Monthly
  Measure: Absolute
  Responsible function / data source: Access reconciliation between Active Directory and the Human Resources staff list

A.9 Access control - Active IDs in isolated systems (not interfacing with Active Directory for user access management) belonging to separated staff
  Objective: Ensure user accounts that are no longer in use (because of termination of employment or end of contract) are disabled, since an enabled leaver account can be misused for unauthorised access.
  Metric: Number of IDs belonging to personnel who are no longer employed or contracted but are not disabled or removed from the isolated systems.
  Direction: Decreasing is better
  Frequency: Monthly
  Measure: Absolute
  Responsible function / data source: Access reconciliation between the isolated systems and the Human Resources staff list
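The three Active Directory metrics above (inactive IDs not disabled, admin password age, and leaver accounts still active) are normally computed from one AD export and the HR staff list. The following Python is an added example, not part of the original metrics sheet: the AD export, HR list, account names, column names and dates are all constructed for illustration. It also covers two details the one-line formulas leave out: an enabled account that has never logged on counts as inactive (a filter on LastLogonDate alone misses it), and service accounts have no HR record and must be excluded explicitly or every one of them is reported as a leaver.

```python
# Added example (not from the original metrics sheet): computing the
# Annex A.9 Active Directory metrics from constructed exports.
# Column names, account names and dates are assumptions for illustration.
import csv
import io
from datetime import date, timedelta

AS_OF = date(2024, 3, 31)        # reporting date (assumed)
INACTIVITY_DAYS = 90             # threshold from the "Inactive ID > 90 days" metric
PASSWORD_AGE_DAYS = 90           # threshold from the "Admin password age > 90 days" metric

# Constructed AD export in the shape Get-ADUser output is usually saved
# (sAMAccountName, Enabled, LastLogonDate, PasswordLastSet, admin group flag).
AD_EXPORT = """sAMAccountName,enabled,last_logon,password_last_set,is_admin
jdoe,True,2024-03-28,2024-02-01,False
asmith,True,2023-11-02,2023-10-15,False
backup_svc,True,,2022-01-10,True
tmp_contractor,False,2023-06-01,2023-05-20,False
admin.lee,True,2024-03-30,2023-11-01,True
admin.park,True,2024-03-29,2024-03-01,True
rwong,True,2024-03-25,2024-01-05,False
"""

# Constructed HR staff list: only people currently employed or contracted.
HR_STAFF = """employee_id,sam_account
E001,JDoe
E002,asmith
E004,admin.lee
E005,admin.park
"""

# Service accounts have no HR record; they must be excluded from the
# separated-staff reconciliation or every one of them is reported as a leaver.
SERVICE_ACCOUNTS = frozenset({"backup_svc"})


def parse_ad(text):
    """Parse the AD export; identifiers are lower-cased so they join to the HR list."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "sam": r["sAMAccountName"].strip().lower(),
            "enabled": r["enabled"] == "True",
            "last_logon": date.fromisoformat(r["last_logon"]) if r["last_logon"] else None,
            "pwd_set": date.fromisoformat(r["password_last_set"]),
            "is_admin": r["is_admin"] == "True",
        })
    return rows


def inactive_not_disabled(accounts, as_of=AS_OF, days=INACTIVITY_DAYS):
    """Inactive ID > 90 days: enabled accounts with no logon since the cutoff.
    An enabled account that has never logged on is counted too; a query that
    filters only on LastLogonDate < cutoff silently drops those."""
    cutoff = as_of - timedelta(days=days)
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff))


def admin_password_age(accounts, as_of=AS_OF, days=PASSWORD_AGE_DAYS):
    """Admin password age > 90 days: returns the stale admin IDs and the
    percentage of enabled admin accounts they represent."""
    admins = [a for a in accounts if a["is_admin"] and a["enabled"]]
    stale = sorted(a["sam"] for a in admins if (as_of - a["pwd_set"]).days > days)
    pct = round(100.0 * len(stale) / len(admins), 1) if admins else 0.0
    return stale, pct


def separated_staff_active(accounts, hr_text, service_accounts=SERVICE_ACCOUNTS):
    """Active IDs - separated staff: enabled accounts with no matching row in
    the current HR staff list, ignoring known service accounts."""
    current = {r["sam_account"].strip().lower() for r in csv.DictReader(io.StringIO(hr_text))}
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and a["sam"] not in current and a["sam"] not in service_accounts)


if __name__ == "__main__":
    accounts = parse_ad(AD_EXPORT)
    print("Inactive > 90 days, not disabled:", inactive_not_disabled(accounts))
    print("Admin password age > 90 days:", admin_password_age(accounts))
    print("Separated staff still active:", separated_staff_active(accounts, HR_STAFF))
```

The same functions apply to the isolated-systems variants of these metrics once each system's account list is exported into the same column layout; the only difference is that the export is collected by hand rather than from Active Directory.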


A.11 Physical and environmental security - Latency between reported card loss and deactivation
  Objective: Identify whether a reported lost HID card could be misused during the period before it is deactivated.
  Metric: Number of proximity access cards not deactivated in the physical access control system within 'x' of the loss being reported (where 'x' is the agreed SLA).
  Direction: Decreasing is better
  Frequency: Quarterly
  Measure: Absolute
  Responsible function / data source: Service Desk and physical access control system

A.12 Operations security - Patch coverage and latency - desktops and laptops
  Objective: Identify how many days systems are left vulnerable, and hence the window in which vulnerabilities on those information systems could be exploited.
  Metric: Number of high-risk patches applied within 'x' (where 'x' is the agreed SLA), and number of systems (desktops and laptops) patched / total number of systems requiring patches x 100 = percentage of systems patched.
  Direction: Increasing is better
  Frequency: Monthly
  Measure: Absolute or Percentage
  Responsible function / data source: SCCM / central patching server

A.12 Operations security - Coverage of AV deployment
  Objective: Identify the number of systems without the corporate anti-virus installed, which are susceptible to malware and can in turn cause problems elsewhere in the corporate infrastructure.
  Metric: Number of systems discovered by the AV server / number of systems in the central asset repository x 100 = percentage of systems covered by the anti-virus programme.
  Direction: Increasing is better
  Frequency: Monthly
  Measure: Percentage
  Responsible function / data source: Anti-virus server

A.12 Operations security - Outdated AV deployment
  Objective: Identify the number of systems with an outdated or missing corporate anti-virus client, which are susceptible to malware and can in turn cause problems elsewhere in the corporate infrastructure.
  Metric: Number of systems discovered by the AV server vs. number of systems with an older AV signature vs. number of systems without an AV client (bar chart).
  Direction: Decreasing is better
  Frequency: Monthly
  Measure: Absolute
  Responsible function / data source: Anti-virus server
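The AV coverage formula above divides the count of systems the AV server knows by the count of systems in the asset repository. Taken as raw counts, that ratio overstates coverage whenever the AV console reports hosts the CMDB has never recorded, and it breaks when the two inventories name the same host differently (FQDN vs. short name). The Python below is an added example, not part of the original sheet: the asset list, AV report, patch records, host names, thresholds and patch identifiers are constructed for illustration. It computes coverage as a set intersection next to the naive ratio, produces the three bars of the outdated-AV chart, and measures high-risk patch latency against an assumed SLA.

```python
# Added example (not from the original metrics sheet): Annex A.12 coverage
# and latency metrics from constructed inventories. Host names, dates,
# thresholds and patch identifiers are assumptions for illustration.
from datetime import date

AS_OF = date(2024, 3, 31)        # reporting date (assumed)
SIGNATURE_MAX_AGE_DAYS = 7       # assumed: a signature older than this counts as outdated
PATCH_SLA_DAYS = 14              # assumed value of the agreed 'x' period for high-risk patches

# Constructed central asset repository (CMDB) export.
ASSET_REPO = ["WS-0001", "WS-0002", "WS-0003", "LT-0010", "LT-0011"]

# Constructed AV server report: host -> date of the signature set it last reported.
# The AV console reports an FQDN for one host and knows one host the CMDB does not.
AV_REPORT = {
    "ws-0001.corp.local": date(2024, 3, 30),
    "WS-0002": date(2024, 3, 10),
    "LT-0010": date(2024, 3, 31),
    "LT-0099": date(2024, 3, 31),
}

# Constructed high-risk patch records: (host, patch id, released, applied or None).
PATCH_RECORDS = [
    ("WS-0001", "PATCH-A", date(2024, 3, 1), date(2024, 3, 5)),
    ("WS-0002", "PATCH-A", date(2024, 3, 1), date(2024, 3, 20)),
    ("WS-0003", "PATCH-A", date(2024, 3, 1), None),
    ("LT-0010", "PATCH-A", date(2024, 3, 1), date(2024, 3, 14)),
]


def normalize(host):
    """Join key for both inventories: short host name, upper-cased."""
    return host.split(".")[0].upper()


def av_coverage(assets, av_report):
    """Coverage of AV deployment as a set intersection rather than a plain
    count ratio. 'naive_pct' is the sheet's formula applied to raw counts; it
    overstates coverage whenever the AV server knows hosts the CMDB does not."""
    asset_set = {normalize(h) for h in assets}
    seen = {normalize(h) for h in av_report}
    covered = asset_set & seen
    return {
        "covered_pct": round(100.0 * len(covered) / len(asset_set), 1),
        "naive_pct": round(100.0 * len(seen) / len(asset_set), 1),
        "missing_av": sorted(asset_set - seen),
        "unknown_to_cmdb": sorted(seen - asset_set),
    }


def av_status(assets, av_report, as_of=AS_OF, max_age=SIGNATURE_MAX_AGE_DAYS):
    """Outdated AV deployment: the three bars of the chart, restricted to CMDB assets."""
    sig = {normalize(h): d for h, d in av_report.items()}
    status = {"current": 0, "outdated": 0, "no_client": 0}
    for h in {normalize(a) for a in assets}:
        if h not in sig:
            status["no_client"] += 1
        elif (as_of - sig[h]).days > max_age:
            status["outdated"] += 1
        else:
            status["current"] += 1
    return status


def patch_latency(records, as_of=AS_OF, sla_days=PATCH_SLA_DAYS):
    """Patch coverage and latency: patches applied within the SLA, percentage of
    systems patched, and hosts whose patch is still missing past the SLA."""
    within_sla = sum(1 for _, _, rel, app in records if app and (app - rel).days <= sla_days)
    patched = sum(1 for r in records if r[3] is not None)
    overdue = sorted(h for h, _, rel, app in records if app is None and (as_of - rel).days > sla_days)
    return {
        "applied_within_sla": within_sla,
        "patched_pct": round(100.0 * patched / len(records), 1),
        "overdue_hosts": overdue,
    }


if __name__ == "__main__":
    print(av_coverage(ASSET_REPO, AV_REPORT))
    print(av_status(ASSET_REPO, AV_REPORT))
    print(patch_latency(PATCH_RECORDS))
```

On the constructed data the naive ratio reports 80% coverage while only 60% of CMDB assets actually have a client; the difference is the host the AV console knows but the CMDB does not, which is itself worth reporting as an asset-management finding.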

A.16 Information security incident management - Security incidents
  Objective: Identify areas that may be vulnerable to security incidents, and direct a targeted risk management strategy at them and at systemic issues.
  Metric: Number of incidents reported; total number of incidents addressed within the agreed timescales (as per SLA); and number of repeated root causes associated with incidents.
  Direction: Decreasing is better
  Frequency: Semi-annually
  Measure: Absolute
  Responsible function / data source: Incident and actions register

A.16 Information security incident management - Unreported security incidents
  Objective: Understand the awareness level among employees and the effectiveness of the security incident management procedure within ACME; the result is used to target security awareness training.
  Metric: Number of unreported incidents (discovered as a result of an outage, word of mouth, etc.).
  Direction: Decreasing is better
  Frequency: Monthly
  Measure: Absolute
  Responsible function / data source: Incident and actions register

A.18 Compliance - Internal audit coverage
  Objective: Internal audits uncover security risks associated with critical systems so that they can be mitigated under the risk management procedure. Critical systems that are not audited remain exposed to security threats and to an increased number of incidents.
  Metric: Number of critical systems and processes audited / total number of critical systems and processes scheduled for audit x 100 = percentage coverage achieved by internal audit.
  Direction: Increasing is better
  Frequency: Yearly
  Measure: Percentage
  Responsible function / data source: Manual - ISMS internal audits

A.18 Compliance - Internal audit findings
  Objective: Identify the level of compliance with the ACME information security policy.
  Metric: Number of Extreme, Very High and High risks arising from the internal audits.
  Direction: Decreasing is better
  Frequency: Yearly
  Measure: Absolute
  Responsible function / data source: Manual

A.18 Compliance - Number of repeat findings
  Objective: Manage and close multiple related risks at one time rather than re-raising them audit after audit.
  Metric: Number of repeat findings arising from both internal and external audits.
  Direction: Decreasing is better
  Frequency: Yearly
  Measure: Absolute
  Responsible function / data source: Manual
