ISMS Metrics Measurements

ISO 27001:2013 Annex A metrics. Columns: Annex A domain number, Annex A domain, short name, objective, how the metric is computed, whether an increasing or decreasing value is the desired direction, reporting frequency, unit of measure (absolute count or percentage), responsible task function, and source of data. The "Task Function Responsible" column is blank in the source sheet and is kept as such.

| Annex A # | Annex A Domain | Metric Short Name | Objective of Metric | Metric | Positive / Negative | Frequency | Measure | Task Function Responsible | Source of Data |
|---|---|---|---|---|---|---|---|---|---|
| 8 | Asset Management | Effective coverage of media disposal | To identify the extent of data loss caused by media leaving ACME without appropriate disposal treatment. | # of devices disposed as per the secure disposal policy / total # of non-returnable devices going out of the premises x 100 = percentage of devices securely disposed. | Increasing is better | Monthly | Percentage | | Manual: media disposal and material movement register |
| 9 | Access control | Active IDs in AD - Separated Staff | To ensure that user accounts no longer in use (termination of employment / end of contract) are disabled in the system; otherwise they may be misused for illegal access. | # of IDs belonging to personnel who are no longer employed or contracted but are not disabled or removed from Active Directory. | Decreasing is better | Monthly | Absolute | | Access reconciliation between Active Directory and the Human Resources staff list |
| 9 | Access control | Active IDs in isolated systems (not interfacing with Active Directory for user access management) - Separated Staff | To ensure that user accounts no longer in use (termination of employment / end of contract) are disabled in the system; otherwise they may be misused for illegal access. | # of IDs belonging to personnel who are no longer employed or contracted but are not disabled or removed from isolated systems. | Decreasing is better | Monthly | Absolute | | Access reconciliation between the isolated systems and the Human Resources staff list |
| 11 | Physical and environmental security | Latency between reported card loss and deactivation | To identify whether a reported lost HID card can be misused during the period before deactivation. | # of proximity access cards not deactivated in the physical access control system within 'x' period (where 'x' is the agreed SLA). | Decreasing is better | Quarterly | Absolute | | Service Desk and physical access control system |
| 12 | Operations Security | Coverage of AV deployment | To identify the number of systems without the corporate anti-virus installed, which are therefore susceptible to malware and can cause problems in other corporate infrastructure. | # of systems discovered by the AV server / # of systems in the central asset repository x 100 = percentage of systems covered by the anti-virus program. | Increasing is better | Monthly | Percentage | | Anti-virus server |
| 12 | Operations Security | Outdated AV deployment | To identify the number of systems with old or no corporate anti-virus installed, which are therefore susceptible to malware and can cause problems in other corporate infrastructure. | # of systems discovered by the AV server vs. # of systems with an older AV signature vs. # of systems without an AV client (bar chart). | Decreasing is better | Monthly | Absolute | | Anti-virus server |
| 16 | Information Security Incident Management | Security incidents | To identify areas that may be vulnerable to security incidents and to work on a targeted risk management strategy and systemic issues. | # of incidents reported; total # of incidents addressed within the agreed timescales (as per SLA); # of repeated root causes associated with incidents. | Decreasing is better | Semi-annually | Absolute | | Incident and Actions Register |
| 18 | Compliance | Internal audits | To identify security compliance with the ACME information security policy. | # of Extreme, Very High and High risks identified as an outcome of the internal audits. | Decreasing is better | Yearly | Absolute | | Manual |
| 18 | Compliance | Number of repeat findings | To manage / address multiple risks at one instance for closure. | # of repeat findings as an outcome of both internal and external audits. | Decreasing is better | Yearly | Absolute | | Manual |
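The access-reconciliation and anti-virus rows above define the metrics but not how the reconciliation is actually done. The following is an added example, not part of the original metrics sheet or of any ACME tooling: it computes the "Active IDs in AD - Separated Staff", "Coverage of AV deployment" and "Outdated AV deployment" metrics from constructed inline records standing in for an AD export, the HR roster, the central asset repository and the AV server inventory. The `employee_id` link attribute, the 7-day signature-age threshold and the hostname normalisation are assumptions; the sheet does not specify them.

```python
"""Added example: computing three ISMS metrics from constructed data sources.

None of the records below are real exports; they are constructed to show the
reconciliation edge cases a practitioner hits (whitespace/case differences in
identifiers, orphaned accounts, CMDB vs. AV console hostname mismatches).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class AdAccount:
    sam: str                    # sAMAccountName
    enabled: bool
    employee_id: Optional[str]  # assumed attribute linking the account to HR


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    end_date: Optional[date]    # None = still employed / under contract


# --- constructed sample data (not real exports) ---
AD_EXPORT = [
    AdAccount("jdoe", True, "E1001"),
    AdAccount("asmith", True, "E1002"),     # left last month, still enabled
    AdAccount("bjones", False, "E1003"),    # left and correctly disabled
    AdAccount("ctran", True, " e1004 "),    # contract ends in the future; dirty ID
    AdAccount("svc-backup", True, None),    # service account, no HR owner
    AdAccount("mold", True, "E9999"),       # employee ID unknown to HR
]
HR_ROSTER = [
    HrRecord("E1001", None),
    HrRecord("E1002", date(2024, 3, 15)),
    HrRecord("E1003", date(2024, 2, 1)),
    HrRecord("E1004", date(2024, 12, 31)),
]
ASSET_REPOSITORY = ["WS-001.corp.example", "WS-002.corp.example",
                    "SRV-DB01.corp.example", "WS-003"]
AV_INVENTORY = {            # hostname -> signature date reported by the AV server
    "ws-001": date(2024, 4, 1),
    "ws-002": date(2024, 3, 1),     # stale signature
    "srv-db01": date(2024, 4, 1),
    "lab-77": date(2024, 4, 1),     # known to AV, missing from the asset repository
}


def _norm(s: Optional[str]) -> str:
    return (s or "").strip().upper()


def separated_active_ids(accounts, roster, as_of):
    """Metric 'Active IDs in AD - Separated Staff'.
    Returns (separated, unmapped): enabled accounts whose HR record shows an
    end date on or before as_of, and enabled accounts that map to no HR record
    at all. The second list is reported separately rather than silently added
    to the metric, because it mixes orphaned accounts with service accounts."""
    hr = {_norm(r.employee_id): r for r in roster}
    separated, unmapped = [], []
    for a in accounts:
        if not a.enabled:
            continue
        rec = hr.get(_norm(a.employee_id))
        if rec is None:
            unmapped.append(a.sam)
        elif rec.end_date is not None and rec.end_date <= as_of:
            separated.append(a.sam)
    return sorted(separated), sorted(unmapped)


def av_coverage(asset_hosts, av_hosts):
    """Metric 'Coverage of AV deployment': percentage of assets in the central
    repository that the AV server knows about. Short hostnames are compared
    case-insensitively because the CMDB and AV console rarely agree on FQDNs.
    Also returns assets unseen by AV and AV hosts absent from the repository;
    the latter is an inventory gap that makes the denominator untrustworthy."""
    short = lambda h: h.strip().lower().split(".")[0]
    assets = {short(h) for h in asset_hosts}
    seen = {short(h) for h in av_hosts}
    pct = 100.0 * len(assets & seen) / len(assets) if assets else 0.0
    return round(pct, 1), sorted(assets - seen), sorted(seen - assets)


def outdated_av(av_inventory, as_of, max_age_days=7):
    """Metric 'Outdated AV deployment': hosts whose signature is older than
    max_age_days. The threshold is an assumption; the sheet only says 'older'."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(h for h, sig in av_inventory.items() if sig < cutoff)


def evaluate(name, current, previous, increasing_is_better):
    """Apply the sheet's 'Positive / Negative' direction to two readings."""
    improved = current >= previous if increasing_is_better else current <= previous
    return {"metric": name, "current": current, "previous": previous, "improved": improved}


def compute_metrics(as_of=date(2024, 4, 1)):
    separated, unmapped = separated_active_ids(AD_EXPORT, HR_ROSTER, as_of)
    pct, uncovered, unknown = av_coverage(ASSET_REPOSITORY, AV_INVENTORY)
    return {
        "separated_active_ids": separated,
        "unmapped_active_ids": unmapped,
        "av_coverage_pct": pct,
        "av_uncovered": uncovered,
        "av_not_in_asset_repo": unknown,
        "av_outdated": outdated_av(AV_INVENTORY, as_of),
    }


if __name__ == "__main__":
    m = compute_metrics()
    for k, v in m.items():
        print(f"{k}: {v}")
    # Previous readings are constructed here only to show the direction check.
    print(evaluate("Active IDs in AD - Separated Staff",
                   len(m["separated_active_ids"]), 3, increasing_is_better=False))
    print(evaluate("Coverage of AV deployment",
                   m["av_coverage_pct"], 80.0, increasing_is_better=True))
```

Two design points matter more than the arithmetic. First, the reconciliation keys on a stable identifier (an employee ID attribute) rather than on display names, and normalises it before lookup, because a single stray space turns a separated employee into an "unknown" account and the metric under-reports. Second, both the unmapped accounts and the hosts the AV server knows but the asset repository does not are surfaced alongside the headline number; a coverage percentage computed against an incomplete asset repository looks healthier than the estate actually is.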