ISO 27001 compliance is a complex, ongoing process, which organisations should track using KPIs (key performance indicators).
In this blog, we explain what KPIs are and how they fit into your ISO 27001 compliance project, and provide examples that can boost your compliance practices.
What are KPIs?
KPIs are a way of breaking down large goals into smaller, monitorable objectives. For example, say you were trying to live more healthily. You might identify areas that can help you achieve that goal – exercise regularly, eat more fruit and vegetables, cut back on the amount of alcohol you drink, and so on.
But how do you define ‘regularly’, ‘more’ and ‘cut back’? That’s where KPIs come in. They help document the actions you’ve taken, like ‘how often did I go running this week?’, and track your progress over time.
This principle is used to help organisations monitor their progress towards achieving business objectives. If your goal is to comply with ISO 27001, you must first establish steps you can take to achieve it.
Perhaps the most important KPI for that is ‘number of security incidents that have occurred’. Everything that you do to comply with ISO 27001 is ultimately geared towards reducing this number, and if you fail to limit security incidents, you can be sure that some, if not all, of your compliance practices aren’t up to scratch.
By contrast, incremental decreases in security incidents are proof that your compliance practices are working. As a result, you can show your KPIs to your executives to demonstrate the positive steps your organisation has taken.
We’ll come back to some more examples of information security KPIs later, but let’s now look at how they work and how they fit into ISO 27001.
Is a KPI the same as an objective?
The two concepts are related, because a KPI is essentially a way of developing objectives.
In other words, the KPI is something that you monitor, like the number of security incidents that occurred this month, this quarter, this year, etc.
Management may choose to assign an objective to this KPI. In this example, it might be an absolute figure (“we should have fewer than two security incidents this month”) or relative to past performance (“a 50% reduction from last month”).
The benefit of this approach is that your objectives can move according to the changes in your organisation. For example, you might give yourself a more lenient objective while understaffed, or a higher objective after investing in a new security mechanism.
Meanwhile, the KPI doesn’t change, meaning you won’t fall foul of the kinds of biases that occur when you’re evaluating your progress using anecdotal evidence or qualitative assessment. Instead, you can consistently chart your progress using the same measurement month after month, year after year.
KPIs and ISO 27001
ISO 27001 doesn’t explicitly refer to KPIs, but two clauses – 5.1 and 6.2 – include requirements that are tailor-made for them.
- Clause 5.1: Leadership and commitment
This clause states that ISO 27001’s compliance requirements should be fully integrated into the organisation’s processes.
Tracking KPIs helps you do this, because you can identify how deviations in your process affect your organisation’s productivity. These findings should be used to create formal processes, which employees will be motivated to follow to ensure they meet the objectives related to each KPI.
- Clause 6.2: Information security objectives and plans to achieve them
This requirement instructs organisations to identify whether their ISMS (information security management system) works as intended – which is exactly what KPIs do.
An ISMS comprises a complex set of processes, technologies and staff training features, and it’s essential that you monitor the way they are used.
For example, you might have installed the latest anti-malware technology, but if employees bypass security warnings, there will be compliance gaps.
Likewise, the technology is never going to detect 100% of malicious emails, so what do you consider an acceptable success rate – and does your system meet that target? To answer that, you need a KPI to monitor the number of suspicious emails that employees report.
Examples of KPIs
Organisations can use KPIs on practically every aspect of their operations, but doing so would require massive financial investment in tools that can track progress, or excessive manhours to log the information manually.
We therefore recommend that you choose your KPIs carefully, selecting them only if they provide a valuable insight into your information security practices. Some KPIs that you might consider using are:
- Number of business initiatives that are supported by the ISMS
Your ISMS is a centrally managed framework for monitoring, reviewing and improving your information security practices, so you want it to cover as much of your business as possible.
However, you don’t want the ISMS to cover too much, otherwise the scope will become unwieldy and impractical.
It’s therefore a good idea to keep track of how much of your organisation is covered by the ISMS. Ideally, you should track this as a percentage, because your ISMS will get larger or smaller as your organisation expands and shrinks.
- Number of information security incidents
This is the biggest factor that determines whether your ISMS is a success and, by extension, whether your organisation is equipped to deal with information security threats.
You should already be tracking this information, particularly if you are subject to the GDPR (General Data Protection Regulation), because although not all security incidents need to be reported to your supervisory authority, you are required to document them.
- How long it takes to detect security incidents
The biggest financial and reputational damages associated with security incidents come after the breach has occurred. The quicker you detect a breach, the less extreme the damage and the sooner you can close the vulnerability.
According to Ponemon Institute’s 2019 Cost of a Data Breach Report, 200 days is the target for detecting security incidents. Breaches that were identified within this time frame led to an average recovery cost of $3.34 million (about £2.58 million); anything over led to recovery costs of $4.56 million (£3.52 million).
KPIs and risk assessments
A lot of these KPI examples will sound familiar if you’ve been part of an ISO 27001 risk assessment. That assessment process involves assigning a value to information security threats based on the likelihood of them occurring and the potential damage they can cause.
With this information, the organisation decides how it will tackle the threat. It might do nothing (‘tolerate it’), determining that it would be less costly to let the threat play out than to address it.
Alternatively, the organisation might transfer the risk to a third party (like a cyber insurance firm), treat the risk (implementing a control to reduce the risk score) or terminate it by stopping whatever process created it.
KPIs help organisations decide whether the organisation’s approach to risk treatment worked. For example, the organisation might establish a new policy to treat the risk but see its information security performance worsen, in which case management knows it must amend the policy, do a better job telling staff to follow it or opt for a different risk treatment process.
These steps are part of an organisation’s continual improvement process – an essential and overlooked part of ISO 27001 risk assessment. It’s no good going to all the effort of highlighting and treating risks if you don’t check whether your solutions worked or could be improved upon.
KPIs provide easily interpretable results based on your information security actions, helping you monitor and bolster your ISO 27001 compliance.
Conducting a risk assessment
You can conduct consistent, valid risk assessments with vsRisk Cloud.
This online-based tool contains everything you need to get your ISO 27001 project started on the right foot or improve your current practices.
Once implemented, you can use KPIs to track the progress of your information security practices and to help inform future assessments.