Procedurally, once information security management has analyzed the entity-centric mission, identified stakeholders, and defined objectives, goals must be established with appropriate performance indicators for status assessments. “Practical information security service delivery and support utilization requires identification of a critical few measurement indicators in each of the relevant measurement domains that align safeguarding initiatives to targeted processes and activities. At the detail-level, these few critical measurements represent key performance indicators [(KPIs)] tailored to gauge objective achievement elements. To effectively drive performance alignment, entities should utilize expected outcomes to enable multiple measurements identification so the positive impact safeguarding investments contribute are visible.”
KPIs measure achievement through comparative analysis. Accurate and consistent information is fundamental to relying on any measurement. If KPIs are to convey activity status reliably, management must define expectations accurately and measure them consistently. That is, the inputs to each activity calculation must be understood and accepted by those accountable for the expected performance until they are notified of a revision.
View Part I of the Measuring Delivery Value series here.