Define and evaluate Key Performance Indicators

A Key Performance Indicator (KPI) is a measurable value that demonstrates how effectively a company is achieving key business objectives. You can use KPIs to evaluate your success in reaching your Security Program Targets.

KPIs should be aligned with the business, and driven and defined by Senior Management, based on the desired outcome of your ICT Security Program.

KPIs are not static, and will need to be updated at regular intervals. KPIs can change due to technical parameters (e.g. a move to the cloud) or business parameters (a shift in how your business is operating).

Setting the correct KPIs for your environment can be a challenge. International standards, local law compliance or industry best practices can help you set the correct KPIs for your organisation.

One way to evaluate the relevance of a performance indicator is to use the SMART criteria. The letters are typically taken to stand for Specific, Measurable, Attainable, Relevant, Time-bound. In other words:

  • Is your objective Specific?
  • Can you Measure progress towards that goal?
  • Is the goal realistically Attainable?
  • How Relevant is the goal to your organisation?
  • What is the Time-frame for achieving this goal?