Key performance indicators for an ISO 27001 ISMS

Think about a medical exam. Our objective is for the physician to tell us that our health is ok and that we’ll live a long life, right? And how does the physician evaluate our health to determine if we are on track or not? By using several biological indicators, like blood pressure, cholesterol levels, heart rate, etc.

Think now about your organization. How can you tell if it is on track to achieve its objectives, specifically information security objectives? This article will show some key performance indicators (KPIs) you can consider to evaluate the performance of an ISMS.

Why do I need information security key performance indicators?

A key performance indicator (KPI) is a metric used to evaluate factors that are crucial to the success of an organization. It differs from an objective in that an objective is something you want to achieve, while a KPI is something used to verify if your efforts are leading you toward the defined objective. For example, if 60 mph is the speed objective, the speedometer helps you to achieve and maintain this speed. For more information about control objectives, please read ISO 27001 control objectives – Why are they important?.

In a scenario where decision makers are surrounded by information, and have limited resources to work on objectives, to define those most relevant (the KPIs) and how and when they should be presented is a good way to help monitor results and make proper decisions.

Besides the verification if one is on course to achieve the proposed objectives, KPIs may be used to support ISO 27001 by helping to communicate the importance of information security management and objectives (ISO 27001 clauses 5.1.a and 6.2).

Criteria for indicator selection

Though there are many criteria you can use for KPI selection (an Internet search can show dozens of options), some aspects are common to them and they can make your task easier:

Business relevant: the indicator should be aligned to clear business objectives or legal requirements, which makes it easier for people to understand why it should be measured and evaluated. ISO 27001 has some requirements that may be attended by the use of indicators related to effectiveness (see clauses 9.1 and 9.3) and compliance (Annex A.18), but an organization should consider efficiency indicators, too; for example, the Return On Security Investment (ROSI) can show how well used the resources are to support clause 7.1.

Process integrated: activities to collect the necessary data for a KPI should add the least amount of work possible, compared to the usual activities required to deliver the product/service, and the information (e.g., marking a step as completed or recording the time to perform an activity) needed should be in the same forms already used by the process.

Assertive: the indicator should be capable of pinpointing relevant issues (e.g., process steps, organizational areas, resources, etc.) that need attention. For example, a KPI related to the number of failed login attempts explicitly limits the scope to the login process.

Examples of performance indicators

The following examples cover a complete PDCA (Plan-Do-Check-Act) sequence, showing how different indicators can be used to get a full view of the performance of the processes related to information security management.


Percent of business initiatives supported by the ISMS: indicator that shows the ISMS’s level of alignment and integration with the business. The higher the value, the more optimized the ISMS resources, since management resources are being used over more aspects of the organization. You can use the ISMS Scope Document, compared to all services/processes of the organization, to obtain this information.

Percent of information security initiatives containing cost/benefit estimates: indicator that shows the organization’s maturity on risk treatment. The higher the value, the more the risk treatment decisions are based on facts. You can use the Risk Assessment and Treatment Report and the Risk Treatment Plan, compared to all security initiatives implemented, to obtain this information.

Percent of agreements with information security clauses: indicator that shows how services and products, provided by you or supplied to you, are legally supported considering information security aspects (e.g., availability, confidentiality, integrity, and continuity). The higher the value, the better supported your relationships with clients and suppliers are. You can use Non-Disclosure Agreements and SLAs with information security clauses, compared to all agreements related to services and products, to obtain this information.


Number of security-related service downtimes: downtimes related to information security issues directly reflect the effectiveness of the ISMS. This information can be obtained from operational reports.

Duration of service interruptions: as important as the number of downtimes, the average duration of down times is an important measurement of ISMS effectiveness. This information can be obtained from operational reports.

Incident resolution time: another important measurement of ISMS effectiveness, this information can be obtained from operational reports.


Percent of controls assessment performed: indicator that gives you a view of how many security measures are being reviewed. The higher the value, the more controls are being analyzed in terms of effectiveness, efficiency, and opportunities for improvement (assuming the assessments are performed according ISO 27001). You can use the Risk Treatment Plan, compared to Training Plans, Incident Logs, Audit Reports, and Management Review Minutes, to obtain this information.


Number of improvement initiatives: indicator that shows the proactivity of an organization’s ISMS with respect to changes in the environment and the opportunities identified. Changes with the objective to improve results or prevent losses, instead of correct errors or problems, are good examples that reflect a high value on his KPI. You can use the Audit Reports and Management Review Minutes to obtain this information.

Proper monitoring to improve results and avoid problems

Organizations are under constant pressure to achieve results, and to do so, it is essential that they can count on proper navigational instruments that can show them if they are on the right course and allow timely adjustments. But, it is also essential that these instruments are well chosen and calibrated, or else you may find yourself attacking the wrong problems and turning a bad situation into something worse.

To see all the necessary tasks for ISMS implementation and maintenance, and learn how to comply with ISO 27001 with less bureaucracy, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Advisera Rhand Leal
Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained а certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.