Governance, Risk Management, and Compliance blog

ISMS: The value you can measure is the value you deliver

[fa icon="calendar"] Monday, 12 November 2018 / by Jakob Holm Hansen

ISMS performance monitoring allows security officers to document specific business values while also enhancing the level of security within the organisation. A white paper provides inspiration on how to select, define, and monitor effects in an ISMS solution.

There are two tendencies that characterise development in the fields of IT security, governance and compliance.

Firstly, the complexity of all business operations has risen significantly over the past few years. Digitisation and regulations designed to regulate digitisation have increased the administrative burden on private and public companies.

Secondly, budgets for business IT security have risen on account of digitisation. Nowadays, an absolute top priority for all businesses is to secure the infrastructure and solutions that make it possible to track down the sought-after gains in terms of streamlining and productivity.

ISMS showcases business value

With an ISMS solution, not just the management of a company's security activities is centralised and automated. It also provides a tool that can monitor the value of the security measures undertaken by the company in order to comply with internal and external requirements.

"As for other parts of the business, the value you can measure is the value you deliver – and this is true for security officers as well. An ISMS solution should be able to give the management an idea of how effectively the company supports its own security processes. Without it, it is difficult to justify rising security costs and impossible to implement targeted measures to enhance security levels," says Jakob Holm Hansen, CEO.

Security and business targets must be aligned

Jakob Holm Hansen recommends identifying and setting KPIs in an ISMS solution and aligning these KPIs with the company's business targets.

"There are examples of companies that undertake performance surveys of IT security parameters that are irrelevant to the business. Performance surveys of the IT security closely linked with the operation of the company's core business are what add value for the management. Security is not a process separate from the rest of the business. Security is the prerequisite for the very running of the business," he explains.

Standardised method

 There is a standardised method for working with an ISMS solution to select, define and monitor the KPIs that are intended to provide decision support for the management. And there is a standardised method with regard to how this effect monitoring is operationalised so as to present the results in a manner clear to the management.

"The smartest, easiest way to operationalise effect monitoring is by automating a process that retrieves data and creates its own report that is pushed out to the management. If we use an annual cycle for organising security work and compliance programmes, it is possible to incorporate the management report into the structure of the annual cycle and this gives us the opportunity to adapt security on a continuous basis," concludes Jakob Holm Hansen. 


Download a guide to ISMS KPIs

Download our white paper on ISMS performance monitoring and get ready to set up metrics and processes. This guide includes a list of selected KPIs to inspire you.

Download here




Emner: ISO 27001, ISMS, annual information security plan

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts