ISO27001 without metrics and without KPIs

Can I implement ISO27001 and be certified to ISO27001 without defining or using any metrics or KPIs?

Answer: yes.

How? Well, bear in mind that nowhere in ISO27001 are the words metrics or KPIs used, so at a simplistic level the answer to this question should be yes.

Why would I not want to use metrics and KPIs? The standard does not require it and, in my experience, almost every time I have seen people use metrics and KPIs they focus on the wrong thing or collect the wrong metrics, etc, etc.

But what about the requirements of Clause 9.1 about monitoring, measurement, analysis and evaluation?

The 9.1 requirements say nothing about metrics or KPIs but do of course require monitoring, measuring, analysis and evaluation. Let us start with some basics.

- What do we mean by monitor? This means that we “observe something over a period of time”.

- What do we mean when we say measure? It means we assess it somehow.

- What do we mean when we say analyse and evaluate? It means look at the results of our measuring and monitoring to make a decision.

This is about making decisions.

Despite what lots of people will tell you, this has nothing to do with metrics or KPIs, numbers or counting anything.

I am going to emphasise this. It is entirely possible to meet the requirements of clause 9.1 about monitoring, measurement and evaluation without using any metrics or KPIs or numbers. I have done so lots of times!

But surely you can only monitor and measure something if you have some metrics and/or KPIs? This is not the case. For example, for many years now I have been monitoring and measuring the happiness of my children and my wife. I do it all the time. If at any time you ask me “How happy is your wife?” I can give you an answer. OK, so it is not very scientific, but you cannot really dispute the fact that I am monitoring and measuring the happiness of my children and my wife. If it is really important then I can convert this into a metric where 1 is miserable, 2 is unhappy and so on up to 5, very happy. But for my purposes assigning a number to this does not help me make any decisions. If I really have to, I can in some cases find something to count to help with this. It is the case that I can “measure” (a KPI even) the happiness of one of my children by how often she calls home. The less she calls, the happier she is. I could track the number of calls and produce a graph of this KPI, but this graph would not help me understand how happy she is. I don’t need a graph to tell me that, but hey – if you want a KPI and a graph I can give you a KPI and a graph!

Another example. Before I cross the road I monitor and measure the traffic and then analyse and evaluate the information to decide if it is safe to cross. I do not use any metrics or KPIs to do this. I don’t need to before I make a decision about crossing the road.

It is the same principle with the ISMS and the controls. You need to do whatever you need to do to help you understand enough about the performance of your ISMS and your controls to make decisions. Nothing more and nothing less. Do not let anyone try to force you into lots of metrics/KPIs, etc, etc if whatever you have put in place works for you. It might be that some numbers and more formality would help, but you need to balance that against the effort to get the numbers. Will getting those metrics/numbers really help? If whatever you are doing works for you then you are probably meeting the requirements of clause 9.1.

That is it really, but for the rest of this article I will suggest a simple approach to monitoring and measuring the performance of the ISMS and the controls that does not use any metrics or KPIs.

The approach outlined below meets the requirements of ISO27001 and has been through lots of successful certification audits.

The ISMS

Create a table with 3 columns. Column one is a list of the clauses. Not all of them – just the “main” ones that you want to monitor and measure. I usually exclude 4.1, 4.2 and 4.3 from this list because they don’t change much and I don’t feel the need to monitor and measure their performance. The second column is a Red/Amber/Green (RAG) status with the usual meanings. Red is “in a big mess and not working at all”, Amber is “not working as well as it should”, Green is “OK”. The third column is an action column where, for any clauses that are Red or Amber, you will put an action plan to get them to Green. Simple really.

The standard requires you to explain how this all works, who does it and when, etc. I suggest that you just define this as the job of the ISMS manager and that they do it at least once every quarter, but more often if needed. If you have an information security committee you should make the review of this document a standing item on the agenda. This performance assessment of the ISMS may also change for a number of reasons. For example, when you get a non-conformity this may indicate that one of the clauses is not working as well as it should, in which case change its colour. When you have your internal ISMS audit or certification audit the assessments may change. It should also be presented to the Management Review as the attendees may have a view. And so on.

You now have a dashboard which gives you a one- or two-page overview of the status of your ISMS. Not only that, but it has colours! Management like that kind of thing.

Job done.

You will get people telling you that this is not good enough because it is subjective and not based on metrics/numbers. I disagree. If this approach is good enough to help you make decisions about the clauses then that is OK.

The controls

This is the same principle as used for the ISMS clauses but is a bit more work.

Create a table with 3 columns. Column one is a list of the controls marked as applicable in your Statement of Applicability. I always list all of them, although in principle you could just list some of them – the main/important ones. The second column is a Red/Amber/Green (RAG) status with the usual meanings. Red is “in a big mess and not working anything like well enough to manage all the risks”, Amber is “not working as well as it should to manage the risks”, Green is “OK”. The third column is an action column where, for any controls that are Red or Amber, you will put an action plan to get them to Green. Simple really.

You now need to explain how this RAG status is decided, who does it and when, etc. This can be done by one person, but is best done by a few people including the control owner (if you have one). This assessment is also informed by feedback from your information security meeting (if you have one). It can also be informed by your management review, any incidents, non-conformities, your internal ISMS audit, any external audits by clients, your certification audit, pen tests, etc. I.e. you have all sorts of places giving you input to help answer the question “How well is this control working?” If your organisation is “large”, with lots of divisions and lots of locations, then getting a RAG status that you have confidence in is going to take more effort than just sitting down with a few people. But the first time you do this, just keep it simple and then refine the accuracy over time. One variation on this is to add an extra column which gives some kind of indication of how confident you are that the RAG status is correct – perhaps a percentage level of confidence – 100% if you are certain that the RAG status is correct.

Important point. There is a common view that if you have identified a list of controls that are applicable then at all times all these controls should be operating at full effectiveness. This is not correct. They only need to be operating effectively enough to ensure that all the identified risks are within the risk appetite. This is why the definitions of Red and Amber above include the reference to the risks. I.e. you can have a control that might be regarded as not operating properly, but as long as it is operating well enough that all the risks it is helping to manage are within the risk tolerance then all is well and you do not need to improve it.

You now have a dashboard which gives you an overview of the status of your controls. Again, it has some colours and management like it. It is actually quite useful as well.

Job done.

Over a period of time, and if you think it is going to help you make better decisions, you can use various techniques to help improve the accuracy of the assessment of the control effectiveness. This might mean doing some KPIs/metrics for some of them. It might mean employing a firm of heavy-duty auditors to come in every 6 months and spend 4 weeks testing all your controls to destruction. It is up to you to do whatever you think is necessary to help your ISMS meet its objectives.

Summary

The simple approach I have described above is one I have successfully used in many ISO27001 implementations for many years. It meets the requirements of ISO27001 clause 9.1 about monitoring and measuring the performance of your ISMS and controls. It is suitable for small and large organisations.

Keep it simple!

Chris

Regine Wachter

System manager at VENDO Kommunikation + Druck GmbH

2 years

Great insight - thanks a lot!

Thomas Irudayaraj

Passionate & Resilient Information Security Professional

2 years

Great. Thanks for sharing your thoughts. Exactly what I was looking for.