
ISMS Metrics Measurements

| ISO 27001:2013 Annex A Domain # | Annex A Domain | Metrics Short Name | Objective of Metrics | Metrics | Positive / Negative Metrics | Frequency | Target Measure | Task Responsible Function / Source of Data |
|---|---|---|---|---|---|---|---|---|
| 7 | Human resource security | Background Screening Latency | To ensure all staff are checked prior to granting access to classified ACME information. | # of cases where personnel have commenced employment prior to completion of background screening. | Decreasing is better | Semi-Annually | Absolute | Human Resources |
| 7 | Human resources security | Security awareness program coverage among employees | To ensure employees are well informed about the information security practices within ACME and are aware of their information security responsibilities when dealing with ACME information, and hence to reduce the number of incidents. | # of employees who have undergone security awareness training / Total # of employees x 100 = Percentage coverage of security awareness training. | Increasing is better | Yearly | Percentage | ISMS SSC |
| 8 | Asset Management | Effective coverage of Media Disposal | To identify the extent of data loss because of media going out of ACME without appropriate disposal treatment. | # of devices disposed as per the secure disposal policy / total # of non-returnable devices going out of premise x 100 = Percentage of devices securely disposed. | Increasing is better | Monthly | Percentage | Manual - media disposal and material movement register |
| 9 | Access Control | Inactive ID > 90 | To ensure that user accounts which are no longer in use (e.g. unused, backup, temporary accounts) are disabled in the system, or else they may be misused for illegal access. | # of user IDs that have been inactive for more than 90 days and not disabled in Active Directory. | Decreasing is better | Monthly | Absolute | Active Directory |
| 9 | Access Control | Inactive ID > 90 in isolated systems (not interfacing with Active Directory for user access management) | To ensure that user accounts which are no longer in use (e.g. unused, backup, temporary accounts) are disabled in the system, or else they may be misused for illegal access. | # of user IDs that have been inactive for more than 90 days and not disabled in isolated systems. | Decreasing is better | Monthly | Absolute | Manually on isolated systems |
| 9 | Access control | Admin where password age > 90 days | To identify privileged user accounts which may be compromised and misused through lack of password change controls as per ACME password requirements. | # of Admin accounts with password age greater than 90 days / # of Admin accounts x 100 = Percentage of admin accounts not complying with password requirements. | Decreasing is better | Monthly | Percentage | Active Directory & Isolated systems |
| 9 | Access control | Active IDs in AD - Separated Staff | To ensure that user accounts which are no longer in use (due to termination of employment / end of contract) are disabled in the system, or else they may be misused for illegal access. | # of IDs belonging to personnel who are no longer employed or contracted but are not disabled or removed from Active Directory. | Decreasing is better | Monthly | Absolute | Access reconciliation between the Active Directory and Human Resource staff list |
| 9 | Access control | Active IDs in isolated systems (not interfacing with Active Directory for user access management) - Separated Staff | To ensure that user accounts which are no longer in use (due to termination of employment / end of contract) are disabled in the system, or else they may be misused for illegal access. | # of IDs belonging to personnel who are no longer employed or contracted but are not disabled or removed from isolated systems. | Decreasing is better | Monthly | Absolute | Access reconciliation between the isolated systems and Human Resource staff list |
| 11 | Physical and environmental security | Latency between reported card loss & deactivation | To identify whether a reported lost HID card can be misused during the period before deactivation. | # of proximity access cards not deactivated in the physical access control system within 'x' period (where 'x' is the agreed SLA). | Decreasing is better | Quarterly | Absolute | Service Desk & physical access control system |
| 12 | Operations Security | Patch coverage & Latency - Desktops & Laptops | To identify the number of days systems are left vulnerable, and hence the possibility of exploiting vulnerabilities on information systems. | # of high risk patches applied within 'x' period (with 'x' being the agreed SLA) and # of systems (desktops & laptops) patched / total # of systems requiring patches x 100 = Percentage of systems patch updated. | Increasing is better | Monthly | Absolute or Percentage | SCCM / central patching server |
| 12 | Operations Security | Coverage of AV deployment | To identify the number of systems not having corporate anti-virus installed, which are hence susceptible to malware and can cause problems in other corporate infrastructure. | # of systems discovered by AV server / # of systems in central asset repository x 100 = Percentage of systems covered by anti-virus program. | Increasing is better | Monthly | Percentage | Anti-Virus server |
| 12 | Operations Security | Outdated AV deployment | To identify the number of systems having old or no corporate anti-virus installed, which are hence susceptible to malware and can cause problems in other corporate infrastructure. | # of systems discovered by AV server vs. # of systems with older AV signature vs. # of systems without AV client (Bar chart). | Decreasing is better | Monthly | Absolute | Anti-Virus server |
| 16 | Information Security Incident Management | Security incidents | To identify areas that may be vulnerable to security incidents and to work on a targeted risk management strategy and systemic issues. | # of incidents reported & Total # of incidents addressed in the agreed timescales (as per SLA) & # of repeated root causes associated with incidents. | Decreasing is better | Semi-Annually | Absolute | Incident and Actions Register |
| 16 | Information Security Incident Management | Unreported security incidents | To understand the awareness level among employees & the effectiveness of the security incident management procedure within ACME. This will help in conducting targeted security awareness trainings. | # of unreported incidents (discovered as a result of outage, word of mouth, etc.) | Decreasing is better | Monthly | Absolute | Incident and Actions Register |
| 18 | Compliance | Internal audit coverage | Internal audits help unearth security risks associated with critical systems and further mitigate the risks as per the risk management procedure. Without internal audits of the critical systems they would continue to be prone to security threats and increased incidents. | # of critical systems and processes audited / Total # of critical systems and processes scheduled for audit x 100 = Percentage effectiveness of coverage by internal audit. | Increasing is better | Yearly | Percentage | ISMS; Manual - internal audits |
| 18 | Compliance | Internal audits | To identify the security compliance with ACME Information security policy. | # of Extreme, Very High & High risks as an outcome of the internal audits. | Decreasing is better | Yearly | Absolute | Manual |
| 18 | Compliance | Number of repeat findings | To manage / address multiple risks at one instance for closure. | # of repeat findings as an outcome from both internal & external audits. | Decreasing is better | Yearly | Absolute | Manual |
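The Annex A.9 access control metrics (Inactive ID > 90, Admin where password age > 90 days, Active IDs in AD - Separated Staff) and the Annex A.12 Coverage of AV deployment metric are all reconciliations between two data sources. The script below is an added example, not part of the original metrics sheet, showing how each is computed from a constructed Active Directory export, HR staff list, asset repository and AV server inventory; the record field names and all sample values are assumptions, not real AD attribute names or ACME data. It goes slightly beyond the table in one respect, stated in the code: AV coverage is computed over the intersection of the two inventories, and hosts the AV server knows about but the asset repository does not are reported separately rather than counted as coverage.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Reporting date for the monthly measurement (constructed).
REPORT_DATE = date(2024, 3, 31)


@dataclass(frozen=True)
class Account:
    """One row of a constructed AD export; field names are assumptions."""
    sam: str
    employee_id: str            # empty for service/backup/temporary accounts
    enabled: bool
    last_logon: Optional[date]  # None = never logged on
    pwd_last_set: date
    is_admin: bool


# Constructed sample data, not real directory content.
AD_EXPORT = [
    Account("jdoe",   "E100", True,  date(2024, 3, 28), date(2024, 2, 1),  False),
    Account("asmith", "E101", True,  date(2023, 11, 2), date(2024, 3, 1),  False),  # no logon for 150 days
    Account("bkp01",  "",     True,  None,              date(2023, 6, 1),  False),  # backup account, never used
    Account("tmp02",  "",     False, date(2023, 9, 1),  date(2023, 9, 1),  False),  # already disabled
    Account("adm_ro", "E102", True,  date(2024, 3, 30), date(2023, 10, 1), True),   # admin, password 182 days old
    Account("adm_ab", "E103", True,  date(2024, 3, 29), date(2024, 3, 15), True),
    Account("clee",   "E104", True,  date(2024, 3, 25), date(2024, 1, 5),  False),  # not on HR active list
]

# Constructed HR staff list: employee IDs currently employed or contracted.
HR_ACTIVE_STAFF = {"E100", "E101", "E102", "E103"}

# Constructed central asset repository and AV server inventory (hostnames).
ASSET_REPOSITORY = {"WS001", "WS002", "WS003", "WS004"}
AV_SERVER_INVENTORY = {"WS001", "WS002", "WS005"}   # WS005 is unknown to the asset repository


def inactive_ids_over_90(accounts, today=REPORT_DATE, threshold_days=90):
    """Inactive ID > 90: enabled accounts with no logon in the last 90 days.
    Never-logged-on accounts are treated as inactive. Absolute count, decreasing is better."""
    return sorted(
        a.sam for a in accounts
        if a.enabled and (a.last_logon is None or (today - a.last_logon).days > threshold_days)
    )


def admin_password_age_pct(accounts, today=REPORT_DATE, threshold_days=90):
    """Admin where password age > 90 days, as a percentage of all admin accounts."""
    admins = [a for a in accounts if a.is_admin]
    if not admins:
        return 0.0
    stale = [a for a in admins if (today - a.pwd_last_set).days > threshold_days]
    return 100.0 * len(stale) / len(admins)


def separated_staff_active(accounts, hr_active):
    """Active IDs in AD - Separated Staff: enabled accounts whose employee ID is not on
    the HR active list. Enabled accounts with no employee ID cannot be reconciled against
    HR at all, so they are returned as a second list for manual review."""
    separated = sorted(
        a.sam for a in accounts
        if a.enabled and a.employee_id and a.employee_id not in hr_active
    )
    unmatched = sorted(a.sam for a in accounts if a.enabled and not a.employee_id)
    return separated, unmatched


def av_coverage(asset_repo, av_inventory):
    """Coverage of AV deployment = systems seen by the AV server / systems in the asset
    repository x 100. Only hosts present in both sets count as covered, so the figure
    cannot exceed 100%; hosts seen by AV but absent from the repository are an asset
    management gap and are returned separately."""
    covered = asset_repo & av_inventory
    pct = 100.0 * len(covered) / len(asset_repo) if asset_repo else 0.0
    return pct, sorted(asset_repo - av_inventory), sorted(av_inventory - asset_repo)


def monthly_report(accounts=AD_EXPORT, hr_active=HR_ACTIVE_STAFF,
                   asset_repo=ASSET_REPOSITORY, av_inventory=AV_SERVER_INVENTORY):
    """Collect the four metrics into one dict, as a monthly ISMS measurement run would."""
    separated, unmatched = separated_staff_active(accounts, hr_active)
    av_pct, av_missing, av_unknown = av_coverage(asset_repo, av_inventory)
    return {
        "inactive_id_over_90": inactive_ids_over_90(accounts),
        "admin_pwd_age_over_90_pct": admin_password_age_pct(accounts),
        "separated_staff_still_active": separated,
        "accounts_not_reconcilable_to_hr": unmatched,
        "av_coverage_pct": av_pct,
        "assets_without_av": av_missing,
        "av_hosts_not_in_asset_repo": av_unknown,
    }


if __name__ == "__main__":
    for name, value in monthly_report().items():
        print(f"{name}: {value}")
```

Each function returns the value the sheet asks for, plus the account or host lists behind it, so the number reported to the ISMS committee can be traced back to the records that produced it.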
