KPIs for ISO 27001? Do Such Things Exist?


On Gary Hinson’s excellent ISO 27001 Google Group, the following question was just posed:

    Dear Implementers:
    What could be the KPIs by which I, being Management Representative,
    can show complete picture in a compiled brief/short report? Your
    response would be highly awaited.

Which I think is a great question! Talk about no-nonsense. None of this “high-falutin” nonsense about ISO adoption providing ‘peace of mind’ and ‘common language’ or ‘strategic currency’. No, this is straight from the hip - tell me right now how I can communicate the value of an ISO implementation to non-security management.

I’m not sure I’ve got a good answer. Do you? You guys (loyal, cool, readers) are really bright, and many of you are CxSOs in your own organizations. Leave comments and in our next post I’ll publish the best and brightest (as well as some of my own thoughts).


7 comments

    1. shrdlu Dec 2

      Alex, I really have no idea. I personally wouldn’t try to justify an ISO implementation by itself. If I could show traceability on how it affected our overall security risk, then that’s what I’d do (and then say, as a by the way, “by doing this we’re also implementing a standard that a lot of people feel is important”). But then again, I don’t have any customers blindly clamoring for it.

    2. rybolov Dec 2

      Whatever you do, don’t start measuring percentage of compliance. Eventually, that’s what all metrics efforts around a framework devolve into.

      Best start is to start measuring how much money the CISO’s shop saves the company. How do you do that? FAIR!

    3. Brian Honan Dec 2

      The most important KPIs are those that are relevant to the business. When presenting any KPI information make sure it is tailored for the audience that will receive it. For example, focusing on cost savings, process improvements etc. would be KPIs senior management would be more interested in, while focusing on technical KPIs would be of more interest to IT.

      An example could be presenting the % of spam blocked by your spam filter as a € value to the business. To do this, multiply the number of spam emails blocked by the cost of each spam email to your business. You then have a value mgmt can relate to. Presenting the same information to IT, you might want to break down the types of spam blocked, such as failed reverse DNS lookup, heuristics, etc. so the IT people can identify what elements of the filters need to be improved.

      Some good resources to look at from http://www.iso27001security.com are:

      http://www.iso27001security.com/ISO27k_implementation_guidance_1v1.pdf

      http://www.iso27001security.com/ISO27k_security_metrics_examples.pdf

    4. Alex Dec 3

      This is from an email from Jenean Paschalidis CISSP, CISM. His thoughts are:

      I have never written, but I have some thoughts on the topic. The following may not necessarily give you the answers you seek, but hopefully provide food for thought in that direction. I apologize in advance for not taking the time (I’m in a time crunch at work) to be grammatically correct and eloquent….

      Transparency and accountability - this is what all executive/senior management (the company) is on the hook for. ISO provides that. If you want to understand and have confidence in your operations as supported by security (because you will know the who, what, where, when, why and how of a system (human, technical etc.)) and you want to be able to trace back why a decision (risk-vetted) had been made - then adoption of this best international practice will assist in providing these answers. Additionally, for all those publicly-traded companies, Standard and Poor’s will be rating companies on how well and robust their risk management practices are. Investors will not support poor risk systems. If the current economic environment doesn’t shed more light on its (risk) importance, then what will? This isn’t about technology - it’s about doing business - just doing it much better and with proof that you’re doing it better than before. For this to be a serious part of the organization’s culture - the management has to take it seriously - no other way will it work properly. If a fire has to start first - then make risk part of the appraisal process - especially for management. To be really clear, a 360 feedback loop would be perfect.

      The biggest problem with implementing ISO is that everyone hears/assumes how much work (resources) it’s going to take to get it done. I’ve led an organization to ISO certification and it is a lot of work - initially - but a pleasant breeze afterwards. It takes more work to do it half-heartedly, or just plain wrong, than to do it as best it can be done - making incremental improvements - not wholesale changes. It’s a cultural change - not the latest project. People are afraid of work - especially if they don’t know what, or the value of what, they’re working towards - that, my friend, is where the execs MUST articulate themselves on behalf of the company.

      Other than the basic KPIs we all know in terms of metrics/measurement, I would be more inclined to find out what the stakeholders, but most specifically the C-Suite, value (assets) and tie those assets to “strategic risk management”. You need a robust system/methodology for this - ISO helps deliver such. I would get my “true” KPIs from their very mouths. What do they hold dear and how can you protect it? It’s not the technical system they care about, it’s what’s on the system and how it can affect their lives (professionally and personally) they are interested in. There will be little difference between these two aspects of an executive in the immediate future (turn on the TV!). Do it right, right now at little cost, or do it wrong later at a much higher cost or worse - you won’t be around for it to make a difference. Society is rather fed up with organizations “playing at risk” - look at what it’s costing us now…. Define the problem - honestly, correctly, and show (clearly and in a structured, documented fashion) what you did to solve it. That’s what we want: honesty, transparency and accountability. If the C-Suite has another (and better) way to do this - then let them make it known and implement that instead. Until then, stick with ISO.

      Best regards,
      Jenean

    5. Danny Lieberman Dec 24

      “How can I communicate the value of an ISO implementation to non-security management?”

      This is easy. Use money - everything else is window dressing.

      The question is: What security controls should a firm actually implement after an ISO 2700x risk assessment? The result of providing inappropriate security countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

      We have found that the PTA ISO 27001 library enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget instead of an all-or-nothing checklist implementation.

      PTA (Practical Threat Analysis) and the companion ISO 27001 library can be downloaded for free at http://www.software.co.il/popular-articles/211-automating-iso-27001.html

      Danny Lieberman

    6. Alex Dec 24

      @Daniel,

      That download link doesn’t work and redirects the user to a different domain.

    1. What is a Wise Risk Decision Worth? or ISO 27001 KPIs Follow Up | RiskAnalys.is
