There are many complicated ways to develop an Information Security scorecard (also known as a Balanced Scorecard).  A scorecard should be simple, however, and this post provides a couple of very simple examples.  The first is a scorecard to measure the development of an Information Security Management System (ISMS) based on ISO 27002, and the second is a scorecard for a part of COBIT.  More detail on scorecarding specific metrics will be posted soon.

What are you measuring?

If you are planning on developing a scorecard you must have something in mind to measure.  That may be compliance with ISO 27002 or COBIT, as illustrated in the examples below, but it could equally be anything else you are interested in.

1.  List the components that make up the focus of your scorecard (these become the rows).

How are you measuring?

The de-facto standard for measuring the maturity of Information Security — or indeed any process — is the Capability Maturity Model (CMM).  The original purpose of CMM was to assess the software development process; however, it is now the basis for measuring many other processes.

Any adaptation of the CMM will usually consist of five levels: ad-hoc/chaos (1), planned/repeatable (2), defined (3), controlled/managed (4), refined/optimised (5).  You may or may not then choose to break these down further using descriptors as below.  These descriptors are intended to help management interpret each level.

2.  List the five CMM levels and, if useful, suitable descriptors for each (these become the columns).

Where are you going?

If you are measuring the maturity of a process you are likely to be trying to improve that process.  Like a project chart, you will have a starting point, a current point and an end point (or goal).  It may help to demonstrate your pragmatism if the end point for every process is not Excellence (5)!

3.  Clearly mark your starting point, current point and end point (goal).
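The three steps above carried through in code, as an added example that is not from the post: each row is a scorecard component, the columns are the five CMM levels, and every row records its start, current and goal level so the grid can be rendered and the remaining gaps summarised for management.  The ISO 27002 control-area names and the levels in SAMPLE are constructed for illustration, not taken from the post's own scorecard.

```python
from dataclasses import dataclass

CMM_LEVELS = {1: "ad-hoc/chaos", 2: "planned/repeatable", 3: "defined",
              4: "controlled/managed", 5: "refined/optimised"}  # the five levels as the post lists them

@dataclass(frozen=True)
class ScorecardRow:
    component: str  # one scorecard row, e.g. an ISO 27002 control area
    start: int      # maturity level when measurement began
    current: int    # maturity level now
    goal: int       # target maturity level (deliberately not always 5)

    def __post_init__(self):
        for name in ("start", "current", "goal"):
            if getattr(self, name) not in CMM_LEVELS:
                raise ValueError(f"{name} must be a CMM level 1-5, got {getattr(self, name)}")

    def gap(self) -> int:
        """Levels still to climb to reach the goal (0 once met or exceeded)."""
        return max(self.goal - self.current, 0)

    def progress(self) -> float:
        """Share of the start-to-goal journey completed, clamped to [0, 1]."""
        span = self.goal - self.start
        if span <= 0:
            return 1.0
        return min(max((self.current - self.start) / span, 0.0), 1.0)

def render(rows):
    """Text grid: one row per component, one column per CMM level; cells carry
    S (start), C (current) and/or G (goal) marks, as step 3 of the post asks."""
    width = max(len(r.component) for r in rows)
    lines = ["Component".ljust(width) + "".join(f"| {lvl} " for lvl in CMM_LEVELS)]
    for r in rows:
        cells = ""
        for lvl in CMM_LEVELS:
            marks = "".join(m for m, v in (("S", r.start), ("C", r.current), ("G", r.goal)) if v == lvl)
            cells += f"|{marks:^3}"
        lines.append(r.component.ljust(width) + cells)
    return "\n".join(lines)

def behind_goal(rows):
    """Components not yet at goal, largest gap first, for the management summary."""
    return sorted(((r.component, r.gap()) for r in rows if r.gap() > 0),
                  key=lambda item: (-item[1], item[0]))

# Constructed sample rows (not from the post): ISO 27002 control areas with assumed levels.
SAMPLE = [ScorecardRow("Security policy", 1, 3, 4),
          ScorecardRow("Asset management", 1, 2, 4),
          ScorecardRow("Access control", 2, 5, 5)]
```

Call `print(render(SAMPLE))` for the grid and `behind_goal(SAMPLE)` for the list of components still short of their goal.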

Example – ISO 27002 Scorecard

Example – COBIT Scorecard

2 Responses to “A Simple Scorecard for Information Security”

  1. [...] yet (?) - Watch this space and in the mean time read blog posts on Information Security programme scorecards and metrics Possibly related posts: (automatically generated) About me. Posted by awrobinson [...]

  2. [...] A Simple Scorecard for Information Security [...]