ISO27k maturity metric
Yesterday I completed the "universal KPI" metrics paper for the ISO27k awareness module.
The finished article uses the management system requirements from the main body of ISO/IEC 27001, followed by the security controls in Annex A or ISO/IEC 27002 (mostly), as the basis for measuring an organization's ISMS.
Here's a little taster:
I have added a few supplementary controls and scoring criteria in areas where I feel '27002 falls short of current good practice e.g. policy management, business continuity and compliance. At some future point, I will add IoT, cloud security and perhaps other controls for the same reason. One of the advantages of this style of metric is that it's straightforward to maintain, such as updating or adding new scoring criteria, ideally in such a way that prior scores remain valid.
As it is, it's already a lengthy, detailed paper - a 37-page Word document with two tables in landscape format containing ~13,000 words plus a page of instructions.
I'm itching to try this out in earnest, so if you know of anyone looking for an ISMS internal audit, ISO27k gap analysis, benchmark or review, or simply looking for a pragmatic infosec maturity metric, please get in touch.
PS This metric scores well on the PRAGMATIC metametric scale, naturally, since it is predictive, relevant, actionable, cost-effective, independently verifiable etc.
PPS The metric has value for:
- Reviewing and evaluating an organization’s information risk and security management practices
- Reviewing and evaluating an organization’s information security controls
- Comparing and contrasting organizations or business units (benchmarking), enabling good practices to be shared from high-scorers to low-scorers
- Assessing the infosec status of current or potential suppliers, business partners and takeover targets
- Gap analyses, checking the coverage and quality of an organization’s information risk and security practices against ISO27k (e.g. when initially scoping and planning to implement the standards)
- Justifying, prioritizing and guiding improvements (driving maturity)
- Internal audits and management reviews of ISMSs
- Routine operational and management reporting (governance)
- More in-depth evaluation of particular areas of concern, expanding on the scoring matrix.