GOV-023 Security Measures Performance Measurement
Description
The organization defines, measures, and reports on key metrics for the information security program. Metrics cover control effectiveness, risk posture trends, training completion, and incident rates. Results are reported to management at defined intervals.
Rationale
Without measured outcomes, a security program cannot demonstrate improvement or justify resource allocation. Metrics provide the evidence base for management decisions and external assurance reports.
Framework Mappings (3)
| Control ID | Control Title | Coverage |
| --- | --- | --- |
| GRC-02 | Risk Management Program | partial |
| PM-6 | Measures of Performance | full |
| CC4.1 | COSO Principle 16: Conducts Ongoing or Separate Evaluations | partial |
Evidence (2)
Security metrics report showing defined KPIs covering control effectiveness, risk posture, training completion, and incident rates — reported to management.
Example: Monthly or quarterly security metrics report (Confluence / GRC dashboard export / PDF), showing: metric name, target, current value, trend, and reporting period — distributed to named management recipients.
Test: Request the last two security metrics reports. Verify: (1) reports are produced within the defined cadence, (2) metrics cover at minimum: training completion rate, open vulnerability count or SLA compliance, incident rate, and audit finding closure rate, (3) current values are compared to targets, (4) the report is addressed to or acknowledged by a named executive or security committee.
Evidence that metrics results have been acted on — meeting minutes or action log showing management reviewed metrics and assigned follow-up items.
Example: Security committee or management meeting minutes (Google Drive), referencing the metrics report, showing: the date of review, attendee list including named management, and any action items generated from metric results.
Test: Request meeting minutes from the most recent security metrics review. Verify: (1) metrics were discussed, (2) at least one management-level attendee is recorded, (3) metrics that missed targets have documented action items with named owners.
Questions (2)
Does your organization define, measure, and report security program metrics (e.g. training completion, vulnerability SLA adherence, incident rates) to management on a defined schedule?
Metrics should be compared against defined targets and show trend data. Reports should be addressed to or acknowledged by a named executive or security committee.
Which of the following security metrics does your organization actively track and report?
A good metrics program covers at least training completion, vulnerability remediation SLA adherence, and incident rates, with results compared to defined targets each reporting period.