This article provides some examples of information security and CAF KPIs
Key Performance Indicators (KPIs) help you measure whether your security objectives are being achieved and whether your management system is performing effectively.
KPIs apply to both ISO 27001 and the Cyber Assessment Framework (CAF), and they provide evidence of continual improvement, regulatory readiness, and operational effectiveness.
Your KPIs should be measurable, consistently collected, and reviewed regularly (for example, as part of Management Review meetings).
They should directly support your information security objectives or CAF objectives, helping you demonstrate progress.
Information Security KPIs (ISO 27001)
It's a good practice to set Key Performance Indicators (KPIs) for your information security framework.
KPIs help you measure the progress and effectiveness of your information security risk management framework. KPIs are often aligned with objectives. They also provide clarity and focus for your team, allowing you to identify areas that may need more attention or resources.
KPIs should be measured on a regular basis using a consistent approach for data collection. This could be monthly or in line with the regular Management Review Meetings.
The methods selected for data collection (including who and when) should produce comparable and reproducible results to be considered valid. The results should be recorded and analysed in such a way that they can then be reviewed in your management review meetings.
Examples of KPIs:
- Number of security breaches: one of the most important objectives of your security system. Security breaches can be tracked in your incident log.
- Percentage of agreements with information security clauses: an indicator that shows how far the services and products provided by you or supplied to you are legally supported with regard to information security aspects (e.g., availability, confidentiality, integrity, and continuity). The higher the value, the better supported your relationships with clients and suppliers are.
- Number of security-related service downtimes: downtimes caused by information security issues directly reflect the effectiveness of the ISMS/ICT risk management framework. This information can be obtained from operational reports.
- Number of customer complaints relating to information security: each customer complaint relating to information security should be logged. This would usually be captured in the Incident and Corrective Actions log.
- Staff have received training in line with the training programme: this is a strong indicator that, as a company, you are providing employees with the tools to be competent in information security. Your training programme will outline the training required for new starters and the ongoing training for existing employees. There should be a record of training completed for all staff.
- Staff have read all policies by the due date: this shows that staff are aware of what is expected of them and of the consequences of not adhering to information security policies. Records of policy attestation are held in the Adoptech portal.
Examples of KPIs linked to Objectives
Objective: Enhance Data Protection
KPI: Achieve 100% encryption of customer data at rest and in transit by Q3.
KPI: Reduce data access privileges by 20% to ensure least privilege access by mid-year.
KPI: Conduct quarterly data protection audits, with zero critical findings per audit.
Objective: Improve Incident Response Capabilities
KPI: Reduce average incident response time from 6 hours to 3 hours by Q4.
KPI: Conduct at least 2 full incident response drills per quarter, with a minimum score of 85% on effectiveness.
KPI: Decrease the number of unaddressed security incidents by 50% compared to the previous year.
Objective: Strengthen Access Controls
KPI: Implement Multi-Factor Authentication (MFA) for 100% of all critical applications by Q2.
KPI: Achieve 95% compliance with quarterly access reviews across all departments.
KPI: Reduce the number of unauthorized access attempts by 25% through enhanced monitoring and alerts by year-end.
Objective: Maintain Compliance with Security Standards
KPI: Successfully pass SOC 2 and ISO 27001 audits with zero major non-conformities.
KPI: Ensure 100% of employees complete annual compliance training by Q2.
KPI: Achieve 100% adherence to quarterly internal audits and corrective actions for any identified issues.
Objective: Reduce Vulnerabilities in the SaaS Platform
KPI: Reduce the number of critical vulnerabilities identified during quarterly vulnerability scans by 40% by Q4.
KPI: Achieve a 100% patch application rate for critical vulnerabilities within 48 hours of identification.
KPI: Conduct monthly penetration tests with no high-severity issues identified in at least 10 consecutive tests.
Objective: Improve User Security Awareness
KPI: Achieve a 95% completion rate for security awareness training among employees by Q2.
KPI: Reduce the click-through rate on simulated phishing emails to below 2% by Q4.
KPI: Conduct quarterly security awareness assessments, with at least an 85% pass rate.
Objective: Enhance Security Monitoring and Response
KPI: Implement continuous security monitoring for 100% of critical systems by Q1.
KPI: Achieve 24/7 monitoring coverage with automated alerts, reducing manual intervention by 30% by Q3.
KPI: Detect and respond to 95% of security incidents within the established SLA timeframes by year-end.
Objective: Improve Data Privacy Compliance
KPI: Achieve 100% compliance with GDPR and CCPA data privacy requirements by Q2.
KPI: Complete 100% of required Data Protection Impact Assessments (DPIAs) for new projects by Q3.
KPI: Reduce the time to respond to data subject access requests (DSARs) to under 15 days on average by Q4.
Objective: Secure the Development Pipeline (DevSecOps)
KPI: Achieve 100% integration of security testing into the CI/CD pipeline by Q2.
KPI: Reduce the average time to remediate vulnerabilities found in the development phase by 50% by Q4.
KPI: Ensure 90% of all new code releases have no critical security flaws by year-end.
Objective: Improve Third-Party Risk Management
KPI: Conduct security assessments on 100% of critical third-party vendors by Q3.
KPI: Reduce the number of unresolved third-party security issues by 40% by year-end.
KPI: Ensure 100% of new third-party contracts include security requirements and SLAs by Q1.
These KPIs are designed to be specific, measurable, and aligned with the information security objectives. By tracking these KPIs, the company can monitor progress toward its security goals, identify areas for improvement, and demonstrate commitment to protecting customer data and maintaining a secure platform.
CAF KPIs (Cyber Assessment Framework)
If your organisation uses the Cyber Assessment Framework (CAF), your KPIs should measure performance across CAF’s four security objectives (A–D) and demonstrate progress toward meeting CAF principles and Indicators of Good Practice (IGPs).
CAF KPIs should help you measure your ability to:
- Manage security risk (Objective A)
- Protect systems supporting essential functions (Objective B)
- Detect cyber security events (Objective C)
- Minimise the impact of incidents (Objective D)
Your CAF KPIs should be actionable, evidence-based, and linked directly to your CAF objectives.
Examples of CAF KPIs (aligned to the KPI Matrix)
Objective A — Managing Security Risk
- Risk Assessment Completion Rate – % of CAF-related risks assessed and reviewed within the required cycle.
- Board-Level CAF Review Frequency – number of governance reviews per year.
- Asset Inventory Accuracy – % of essential-function assets with assigned owners and up-to-date records.
- Supplier CAF Assessment Coverage – % of critical suppliers assessed for cyber risk (CAF A4).
Objective B — Protecting Against Cyber Attack
- Critical Systems Patch Compliance – % of critical systems patched within SLA.
- High-Risk Vulnerabilities Remediated – % of high-risk vulnerabilities resolved within SLA.
- Secure Configuration Compliance – % compliance against defined secure configurations (CAF B4).
- MFA Adoption Rate – % of accounts and systems supporting essential functions using MFA.
Objective C — Detecting Cyber Security Events
- Mean Time to Detect (MTTD) – average time taken to detect cyber security events.
- Monitoring Coverage – % of critical systems with logging and monitoring enabled.
- Security Alerts Investigated – % of alerts reviewed and triaged within SLA.
- Anomalies Detected – number of anomalies requiring investigation.
Objective D — Minimising the Impact of Cyber Security Incidents
- Mean Time to Respond (MTTR) – average time taken to respond to incidents.
- Incident Response Exercise Completion – number of exercises completed each year.
- Lessons Learned Completion Rate – % of incidents reviewed within 30 days.
- Backup Recovery Success Rate – % of tested backups that restore successfully.
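The Objective C and D metrics above (MTTD, MTTR, % responded within SLA, % of incidents reviewed within 30 days) can all be derived from the same incident log, which is what makes them reproducible between Management Review meetings. The script below is an added example, not part of the original article or the Adoptech portal; the incident records, the 4-hour response SLA and the 30-day review window are constructed values for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample incident log (not real data). Each record carries the
# timestamps a KPI calculation needs: when the event occurred, when it was
# detected, when a response started, and when the lessons-learned review
# was completed (None if it has not happened yet).
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T10:00",
     "responded": "2024-03-01T11:30", "review": "2024-03-20"},
    {"id": "INC-2", "occurred": "2024-03-05T22:00", "detected": "2024-03-06T06:00",
     "responded": "2024-03-06T09:00", "review": "2024-04-30"},
    {"id": "INC-3", "occurred": "2024-03-10T14:00", "detected": "2024-03-10T14:30",
     "responded": "2024-03-10T15:00", "review": None},
]
RESPONSE_SLA = timedelta(hours=4)     # assumed SLA for starting a response
REVIEW_WINDOW = timedelta(days=30)    # lessons-learned window from the page


def _ts(value):
    return datetime.fromisoformat(value)


def mean_time_to_detect_hours(incidents):
    """MTTD: average hours between an event occurring and its detection."""
    return mean((_ts(i["detected"]) - _ts(i["occurred"])).total_seconds() / 3600
                for i in incidents)


def mean_time_to_respond_hours(incidents):
    """MTTR: average hours between detection and the start of the response."""
    return mean((_ts(i["responded"]) - _ts(i["detected"])).total_seconds() / 3600
                for i in incidents)


def pct_responded_within_sla(incidents, sla=RESPONSE_SLA):
    """% of incidents whose response started inside the SLA (Objective C)."""
    if not incidents:
        return 0.0
    within = sum(1 for i in incidents
                 if _ts(i["responded"]) - _ts(i["detected"]) <= sla)
    return 100.0 * within / len(incidents)


def pct_reviewed_within_window(incidents, window=REVIEW_WINDOW):
    """Lessons Learned Completion Rate: % reviewed within the window (Objective D).
    Incidents with no review yet count as not completed."""
    if not incidents:
        return 0.0
    done = sum(1 for i in incidents if i["review"] is not None
               and _ts(i["review"]) - _ts(i["detected"]) <= window)
    return 100.0 * done / len(incidents)
```

Running the functions over the sample log gives an MTTD of 3.5 hours, an MTTR of about 1.67 hours, 100% of responses within the 4-hour SLA, and a 33% lessons-learned completion rate, the kind of figures that would be tabled at a Management Review.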
Linking Objectives and KPIs
For both ISO 27001 and CAF, KPIs should correlate directly with your objectives.
For example:
- Objective: Enhance monitoring capabilities (CAF Objective C) – KPI: Mean Time to Detect (MTTD)
- Objective: Improve risk assessment processes (CAF Objective A) – KPI: Risk Assessment Completion Rate
- Objective: Enhance employee security awareness (ISO 27001) – KPI: % of staff completing mandatory training
This ensures your KPIs provide measurable evidence of progress and effectiveness.