Information Security Reporting & Measurement
When it comes to information security, the organisation has a difficult job to do. On the one hand you need to ensure the business or function is at the forefront of its service delivery; on the other hand you need to make sure that the company is resilient to information security attacks, which digital automation will only amplify.
How can boards and the wider organisation ensure that the right things are being done and in the right way?
Robust information security measurement and reporting provides information that is factually based, measures progress and the effectiveness of a process, and monitors whether the intended outcomes are being achieved.
Measurement may be against organisational policy and standards, organisational objectives or wider industry, legal, regulatory or contractual requirements. These will be unique to your organisation.
Types of reporting may include:
- Management Reports (e.g. Executive Committee, Information Security Forum)
- Project Reports (e.g. Security Culture Project, ISO27001 Certification Project)
- Audit Reports (e.g. Internal Policy & Standards, Best Practice, Supply Chain)
- Technical Testing Reports (e.g. Penetration Testing, Phishing Exercises)
- Incident Reports (e.g. Major Incidents, Near Misses)
The CISO365 approach to reporting information security ensures that reports are:
- Relevant - they summarise the key issues and highlight the overall position
- Influential - they have the ability to influence business decisions
- Understandable - every key issue is identified with sufficient explanation
- Timely - available within ten working days of the end of the reporting period
- Comparable - a consistent style is used across reports, and performance indicators illustrate trends against previous reporting periods
- Reliable - prudent, in that a degree of caution is applied when making judgements under conditions of uncertainty
The result: measuring the effectiveness of your information security controls facilitates decision making, improves performance and increases accountability. Key stakeholders gain clear situational awareness of business-critical information security activities and their effectiveness.