

Wednesday, July 25, 2007

What do ISM3 metrics measure? Security? Risk?

ISM3 metrics do not measure risk or security directly. Metrics in ISM3 are process metrics that measure:

  • Activity: The number of work products produced in a time period;
  • Scope: The proportion of the environment or system that is protected by the process. For example, AV could be installed in only 50% of user PCs;
  • Update: The time since the last update or refresh of process work products and related information systems. It also refers to how up to date the information systems that perform or support the process are;
  • Availability: The time since a process has performed as expected upon demand (uptime), and the frequency and duration of interruptions.
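
The following is an added example, not taken from the original post or from ISM3 itself, that computes the four metric types for one reporting window of a hypothetical antivirus process. The function name, field names and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def process_metrics(hosts, work_products, outages, start, end):
    """Four process metrics for one reporting window [start, end).

    hosts: {name: last AV signature update, or None if AV is not installed}
    work_products: completion times of work products (here, full scans)
    outages: non-overlapping (began, ended) pairs; ended=None means ongoing
    """
    # Activity: work products produced inside the window.
    activity = sum(start <= t < end for t in work_products)

    # Scope: proportion of the environment the process protects.
    protected = [u for u in hosts.values() if u is not None]
    scope = len(protected) / len(hosts) if hosts else 0.0

    # Update: age of the stalest protected host at the end of the window.
    update_age = max((end - u for u in protected), default=None)

    # Availability: clip each interruption to the window before measuring it.
    clipped = [(max(b, start), min(e or end, end)) for b, e in outages]
    clipped = [(b, e) for b, e in clipped if b < e]
    downtime = sum((e - b for b, e in clipped), timedelta())
    last_end = max((e for _, e in clipped), default=start)
    return {
        "activity": activity,
        "scope": scope,
        "update_age": update_age,
        "interruptions": len(clipped),
        "downtime": downtime,
        "uptime_since_last_interruption": end - last_end,
    }

# Constructed sample data for a hypothetical antivirus process, July 2007.
START, END = datetime(2007, 7, 1), datetime(2007, 8, 1)
HOSTS = {"pc-01": datetime(2007, 7, 30), "pc-02": datetime(2007, 7, 20),
         "pc-03": None, "pc-04": None}
SCANS = [datetime(2007, 6, 28), datetime(2007, 7, 5),
         datetime(2007, 7, 12), datetime(2007, 7, 19)]
OUTAGES = [(datetime(2007, 6, 30, 12), datetime(2007, 7, 1, 12)),
           (datetime(2007, 7, 10), datetime(2007, 7, 10, 6))]

if __name__ == "__main__":
    for name, value in process_metrics(HOSTS, SCANS, OUTAGES, START, END).items():
        print(f"{name}: {value}")
```

Scope comes out at 50% here, matching the AV example above. None of the values is a risk or security score; each describes how the process itself is running.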

Every process in ISM3 contributes to the goals of the ISM, which are defined as:

  • Prevent and mitigate incidents that could jeopardize the organization's property and the output of products and services that rely on information systems.
  • Optimise the use of information, money, people, time and infrastructure.
