Implement Cyber Security Metrics and KPIs
The CISO sets up metrics and indicators to measure and track cyber security performance in the organisation.
Plain language
The Chief Information Security Officer (CISO) sets up ways to measure how well the organisation is protecting itself from cyber threats. This is important because if you don't track your cyber security performance, you might miss weaknesses, which could lead to data breaches, financial loss, or damage to your business's reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Sept 2020
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Official control statement
The CISO implements cyber security measurement metrics and key performance indicators for their organisation.
Why it matters
Without cyber security metrics and KPIs, the CISO cannot track control effectiveness or risk trends, leaving gaps unnoticed and delaying response to emerging threats.
Operational notes
Define each KPI with an owner, a data source, a target and a reporting cadence; review the set monthly against changes in the threat environment, and use the results to prioritise remediation and inform risk decisions.
Implementation tips
- The CISO should start by identifying key areas that need measuring, such as how quickly the IT team responds to security incidents. They can do this by consulting with department heads to understand what security issues are most relevant to their day-to-day operations.
- IT managers should develop clear and simple Key Performance Indicators (KPIs) that align with the organisation's cyber security goals. This could involve measuring how often systems are updated or how many suspicious emails get through to employees.
- The IT team should regularly collect data on these KPIs using tools like logs or reports to monitor how well the organisation's cyber defences are functioning. This data collection can be automated to ensure it's consistent and timely.
- Human Resources should ensure that staff are trained to understand these metrics and why they matter. This can include running workshops or sending out easy-to-read guides that explain the role of each metric in maintaining overall security.
- The CISO should report the results of these metrics to the board regularly. This can be done by presenting a clear and concise dashboard that highlights key areas of concern and suggests improvements to the cyber security strategy.
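The operational notes above ask for KPIs that each carry an owner, a data source, a target and a reporting cadence, and the implementation tips name incident response time, patching currency and phishing emails reaching staff as candidate measures. The Python script below is an added example, not part of the ISM or the Control Stack material, showing one way to encode such KPI definitions and evaluate them against collected records. The incident, patch and phishing records, the owners, and the target values are constructed assumptions for illustration; a real deployment would read them from the ticketing, patch-management and mail-security systems named as data sources.

```python
"""Define cyber security KPIs and evaluate them against sample records.

Added example (not from the ISM or Control Stack). All data below is
constructed for illustration; targets and owners are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Callable, Optional

# Constructed sample records (assumed, not real organisational data).
INCIDENTS = [
    # (incident id, detected at, first response at) in ISO 8601
    ("INC-001", "2026-03-02T09:00:00", "2026-03-02T09:40:00"),
    ("INC-002", "2026-03-05T14:10:00", "2026-03-05T17:10:00"),
    ("INC-003", "2026-03-09T08:00:00", "2026-03-09T08:20:00"),
]
PATCH_STATUS = [
    # (host, count of critical patches outstanding past the agreed window)
    ("web-01", 0), ("web-02", 2), ("db-01", 0), ("app-01", 0),
]
PHISHING = [
    # (simulation id, emails sent, emails reported, links clicked)
    ("SIM-Q1", 200, 120, 14),
]


@dataclass(frozen=True)
class KPI:
    """A KPI as the operational notes describe it: owner, source, target, cadence."""
    name: str
    owner: str
    data_source: str
    target: float
    higher_is_better: bool
    cadence: str
    compute: Callable[[], Optional[float]]


def median_response_minutes(incidents) -> Optional[float]:
    """Median minutes from detection to first response; None if no incidents."""
    durations = []
    for _, detected, responded in incidents:
        delta = datetime.fromisoformat(responded) - datetime.fromisoformat(detected)
        durations.append(delta.total_seconds() / 60)
    return median(durations) if durations else None


def patch_compliance_pct(status) -> Optional[float]:
    """Percentage of hosts with no critical patch outstanding; None if no hosts."""
    if not status:
        return None
    compliant = sum(1 for _, outstanding in status if outstanding == 0)
    return round(100 * compliant / len(status), 1)


def phishing_click_rate_pct(simulations) -> Optional[float]:
    """Percentage of simulated phishing emails whose link was clicked."""
    sent = sum(s[1] for s in simulations)
    clicked = sum(s[3] for s in simulations)
    return round(100 * clicked / sent, 1) if sent else None


# Assumed KPI set; names, owners and targets are illustrative only.
KPIS = [
    KPI("Median time to first response (min)", "SOC lead", "incident tickets",
        target=60, higher_is_better=False, cadence="monthly",
        compute=lambda: median_response_minutes(INCIDENTS)),
    KPI("Critical patch compliance (%)", "Infrastructure manager", "patch management",
        target=95, higher_is_better=True, cadence="monthly",
        compute=lambda: patch_compliance_pct(PATCH_STATUS)),
    KPI("Phishing simulation click rate (%)", "Security awareness lead", "mail security",
        target=5, higher_is_better=False, cadence="quarterly",
        compute=lambda: phishing_click_rate_pct(PHISHING)),
]


def evaluate(kpis):
    """Compute each KPI and compare it with its target.

    on_target is True/False, or None when the data source returned no records,
    so a missing feed is reported rather than silently passing.
    """
    results = {}
    for kpi in kpis:
        value = kpi.compute()
        if value is None:
            on_target = None
        elif kpi.higher_is_better:
            on_target = value >= kpi.target
        else:
            on_target = value <= kpi.target
        results[kpi.name] = {"value": value, "target": kpi.target, "owner": kpi.owner,
                             "cadence": kpi.cadence, "on_target": on_target}
    return results


if __name__ == "__main__":
    # One-line-per-KPI view of the kind a board dashboard would summarise.
    for name, r in evaluate(KPIS).items():
        status = {True: "ON TARGET", False: "BELOW TARGET", None: "NO DATA"}[r["on_target"]]
        print(f"{name:42} {r['value']!s:>8} (target {r['target']}) {status:13} owner: {r['owner']}")
```

Each KPI function returns None rather than a number when its data source is empty, and `evaluate` surfaces that as a "NO DATA" status; a KPI that quietly reads as passing because the feed broke is exactly the unnoticed gap the control is meant to close.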
Audit / evidence tips
- Ask: the current list of cyber security metrics and KPIs. Review the document to ensure it includes well-defined metrics relevant to the organisation's security goals.
  Good: will list metrics that cover various aspects of security, such as incident response times and the frequency of software updates.
- Ask: recent performance reports. Check the reports to see if the organisation tracks its progress against these metrics over time.
  Good: includes consistent reporting intervals and clear trends, showing improvement where needed.
- Ask: meeting minutes from board reviews of these metrics.
- Ask: training records related to these metrics. Examine whether employees have received training that includes information on the relevance and importance of these metrics.
  Good: shows regular training sessions along with an attendance list.
- Ask: evidence of data collection methods.
  Good: will detail how data is collected, any automation involved, and who oversees its accuracy.
Cross-framework mappings
How ISM-0724 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| Annex A 5.4 | ISM-0724 requires the CISO to implement cyber security measurement metrics and KPIs to track performance | |
| Annex A 5.35 | ISM-0724 requires the CISO to implement cyber security measurement metrics and KPIs to track cyber security performance across the organi... | |
| Annex A 5.36 | ISM-0724 requires the CISO to implement metrics and KPIs to measure and track cyber security performance in the organisation | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.