1. Select processes and objects for measurement: Organizations need to define what is to be
measured and the scope of measurement. Only well-documented processes that are
consistent and repeatable should be considered for measurement; a metric taken from an
ad hoc process cannot be compared from one period to the next. An object may
include processes, plans, projects, resources, systems, or system
components. Objects of measurement can also be the performance of controls or
processes, the behaviour of personnel, and the activities of units responsible for
information security.
2. Define baselines: Baseline values that provide a point of reference should be defined for
each object being measured. The threshold values, targets or patterns that
indicate an acceptable level of performance must be finalized and approved by
the relevant stakeholders before measurement starts, so that a later result cannot be
reinterpreted to fit the outcome.
3. Collect data: Collecting timely, accurate, measurable, multidimensional data from the systems
and processes in the scope of measurement is the most critical
activity in producing security metrics. Automated data collection techniques (for
example, exports from scanners, ticketing systems and log pipelines) should be used
to achieve standardized data collection and reporting and to remove manual
transcription errors.
4. Develop a measurement method: According to ISO 27004, a logical sequence of operations is applied to
various attributes of the object selected for measurement in order to
arrive at an output 'indicator' that is meaningful to stakeholders. These
indicators can be used as inputs for improving the performance of the information
security programme.
5. Interpret measured values: Having processes and technology for the analysis and interpretation of
quantitative and qualitative measurement values (indicators) is the next
step in ISMS measurement. The analysis of results from the measurement process
should identify gaps between the baseline value and the actual measured
value, and distinguish a real gap from one caused by incomplete or stale data.
6. Communicate measurement values: The outputs of ISMS measurement should be communicated to the relevant
stakeholders. Measurement values can be communicated in the form of charts,
operational dashboards, reports or newsletters. Comparable, consistent results
from the measurement process form the basis for management review
decisions and ISMS improvement activities.
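The six steps above, carried through end to end as an added example (this is not code from the original post and not an ISO 27004 artefact). The object of measurement is the vulnerability remediation process, the baseline is an assumed remediation SLA per severity plus an assumed target ratio, the sample findings are constructed to stand in for a scanner export, and the measurement method follows the base measure -> derived measure -> indicator chain the text describes. The names, SLA days and targets are all illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding (constructed record, not a real scanner schema)."""
    host: str
    severity: str              # "critical", "high" or "medium"
    discovered: date
    remediated: Optional[date]  # None means still open


# Step 2: baselines. Both tables are assumed values chosen for the example,
# the kind of thing stakeholders would approve before measurement starts.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
TARGET_RATIO = {"critical": 0.95, "high": 0.90, "medium": 0.80}

# Step 3: constructed sample data standing in for an automated scanner export.
REPORT_DATE = date(2024, 3, 31)
SAMPLE: List[Finding] = [
    Finding("web-01", "critical", date(2024, 3, 1), date(2024, 3, 5)),   # closed in 4 days: within SLA
    Finding("web-02", "critical", date(2024, 3, 1), date(2024, 3, 12)),  # closed in 11 days: breached
    Finding("db-01", "critical", date(2024, 3, 10), None),               # still open, 21 days: breached
    Finding("app-01", "high", date(2024, 3, 2), date(2024, 3, 20)),      # closed in 18 days: within SLA
    Finding("app-02", "high", date(2024, 3, 3), None),                   # open for 28 days: not yet overdue
    Finding("app-03", "high", date(2024, 2, 1), date(2024, 2, 20)),      # closed in 19 days: within SLA
]


def base_measures(findings: List[Finding], severity: str, as_of: date):
    """Step 4a: base measures are plain counts of the object's attributes.

    A finding is 'within SLA' if it was remediated inside SLA_DAYS, or if it is
    still open but has not yet exceeded the SLA on the reporting date. Counting
    open-but-not-overdue findings as within SLA avoids penalising work that is
    still on time; they show up as breaches in a later period if left open.
    """
    in_scope = [f for f in findings if f.severity == severity]
    limit = SLA_DAYS[severity]
    within = 0
    for f in in_scope:
        end = f.remediated if f.remediated is not None else as_of
        if (end - f.discovered).days <= limit:
            within += 1
    return len(in_scope), within


def derived_measure(total: int, within: int) -> Optional[float]:
    """Step 4b: derived measure, a ratio. An empty scope yields None, not 100%."""
    return within / total if total else None


def indicator(findings: List[Finding], severity: str, as_of: date) -> dict:
    """Step 4c and step 5: turn the derived measure into an indicator and
    compare it against the approved baseline to expose the gap."""
    total, within = base_measures(findings, severity, as_of)
    ratio = derived_measure(total, within)
    target = TARGET_RATIO[severity]
    if ratio is None:
        status, gap = "no data", None
    elif ratio >= target:
        status, gap = "meets baseline", 0.0
    else:
        status, gap = "gap", round(target - ratio, 3)
    return {
        "severity": severity,
        "total": total,
        "within_sla": within,
        "ratio": ratio,
        "target": target,
        "gap": gap,
        "status": status,
    }


def report(findings: List[Finding], as_of: date) -> List[str]:
    """Step 6: one comparable line per severity, suitable for a dashboard or
    management review pack. Returned rather than printed so it can be checked."""
    lines = []
    for severity in SLA_DAYS:
        ind = indicator(findings, severity, as_of)
        ratio_txt = "n/a" if ind["ratio"] is None else f"{ind['ratio']:.0%}"
        lines.append(
            f"{as_of} {severity:<8} {ind['within_sla']}/{ind['total']} within "
            f"{SLA_DAYS[severity]}d SLA = {ratio_txt} (target {ind['target']:.0%}) -> {ind['status']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE, REPORT_DATE):
        print(line)
```

The point of separating base measures, the derived ratio and the indicator is that each stage can be audited on its own: a reviewer who doubts the 33% critical figure can recount the three findings against the 7-day SLA without re-running anything else. The "no data" branch matters in practice; an empty scope silently reported as 100% compliant is the most common way a remediation metric lies.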