
Friday, February 27, 2009

[ISO 27001 security] Can anyone throw some light on metrics


Hi team

Great work you guys are doing! Even though I am a silent listener, I enjoy the entire series of mail exchanges. Thank you to all who contribute to this group.

I have recently finished the ISMS implementation for one of our clients. Now it is time to measure the maturity of the ISMS. So can anyone throw some light on the area of metrics: how to start, which components I need to take into account, any templates, etc.

Hope that you can help me in this.

Sandeep Erat

A set of ISMS metrics aligned with ISO27k vaguely approaches the templates you requested. It is published at  This paper documents the output of an interactive ISMS metrics workshop involving a clever bunch of IT auditors and other information security pros, under the auspices of ISACA in Wellington NZ. I'm quite sure others on this email reflector would be able to suggest additional metrics that work for them.

I published a white paper on ISMS metrics at, originally in the ISSA Journal in July 2006. It goes into the rationale for designing/selecting information security metrics, along the way referencing an all-time classic thought-provoking academic paper, "Metrics: you are what you measure", at

Last but definitely not least is the excellent book by Andrew Jaquith, "Security metrics: replacing fear, uncertainty and doubt" - search the Web or spend your US$31.50 at  Andrew runs a wiki/blog/mailing list/conference on information security metrics in conjunction with Dan Geer and a bunch of fellow professionals, through, thoroughly recommended. One of their projects is a catalog of potential information security metrics at

Do let us know how you get on, Sandeep.

Best wishes,

Gary Hinson
Passionately curious, curiously passionate  Creative awareness materials  ISO/IEC 27000 standards  Going green
