6 ways to assess security work effectiveness

An important part of good information security management is assessing the effectiveness of your own security measures to ensure that all resource-intensive activities are actually contributing to the protection of your information assets.

ISO 27001 addresses the assessment of your own performance through measurement, internal audits and management reviews. Similarly, information security risk management is one aspect of comparing different perspectives and finding the most effective improvement investments. Also, the new EU NIS2 Security Directive requires organisations to define clear procedures for assessing their own security effectiveness.

In concrete terms, assessing security effectiveness means assessing how well your current security management systems, processes and structures protect information assets from various security threats. It involves understanding where you are now and what actions are needed to strengthen and improve your security posture.

Why is assessing the effectiveness of security measures important?

Understand vulnerabilities: Assessments improve your understanding of which parts of your cyber landscape are becoming vulnerable. By identifying these areas, your organization is better equipped to prioritize actions and strengthen the weak points.

Find improvements: Continuous improvement is the only route towards a strong information security management system. Assessments help you spot improvement ideas which you can then prioritize separately for further development.

See the big picture: Information security is such a broad topic that without specific overall assessments it's easy to lose sight of the big picture and drown in details.

Remember that when addressing cybersecurity, a proactive approach is key. Regular assessments are opportunities to spot vulnerabilities in advance, before they turn into real-life incidents.

Different ways to assess effectiveness and proportionality of your security measures

There are numerous factors and points of view to consider when assessing cybersecurity effectiveness. You can take a very broad approach (e.g. internal audits), reviewing basically everything security-related that you do. You can take a more technological approach (e.g. penetration testing) and get detailed results. In the best case, you understand how to combine the different approaches so that they work well for your organization.

Certifications: Get an external pro to assess your compliance against a framework

Information security certifications are valuable tools for organizations to assess, validate, and demonstrate the robustness of their security measures. These certifications are typically awarded by recognized bodies following a rigorous assessment process. They can help your organization assess the proportionality of your security measures in multiple ways:

Benchmarking & standardization: Certifications provide a benchmark against established standards, such as ISO 27001 or SOC 2. When you're certified against a standard, your stakeholders know your security measures align with the best practices of a framework that is familiar to many.

Third party assessment: The process of obtaining a certification usually involves a thorough external audit conducted by accredited professionals. This external review allows for an unbiased assessment of your security posture, offering insights that might be overlooked internally.

Continuous improvement: To maintain certification, organizations must undergo periodic reviews and audits. This encourages continuous improvement and helps ensure that security measures stay effective and relevant as technology and threats evolve.

Competitive advantage & customer trust: Having a recognized security certification can serve as a competitive advantage, demonstrating to clients, partners, and regulators that the organization is committed to maintaining high security standards. Certifications will also help you answer security questionnaires or prove compliance with legal requirements (like NIS2).

Internal audits: Assess your security generally towards a set of requirements

Internal audits in information security are systematic evaluations conducted by an organization to assess how well its information systems comply with internal policies and external regulatory requirements. Performing an internal information security audit is like giving your organization a comprehensive health check-up from an information security perspective.

These audits aim to ensure that the organization's data handling and processing practices are secure, data integrity is maintained, and the risks related to cybersecurity threats are minimized. When you spot something that isn't compliant, you document a non-conformity that then needs to be fixed separately, to ensure continuous improvement.

You might decide, for example, to carry out two internal audits each year, and to cover your whole information security management system with internal audits every 3 years. These are quite normal approaches in ISO 27001 certified organizations. You can of course also use the help of external consultants or partners to carry out these audits.

Information security metrics: Assess security by choosing key numbers to follow

Information security metrics are quantitative measures that help organizations assess the effectiveness of their security measures. These metrics are critical for monitoring the health of an organization's information security program, demonstrating compliance with regulations, and making informed decisions regarding security investments.

Good information security metrics should combine all security points of view: organizational, technological and people metrics. Here are some examples:

Organizational metrics: Overdue items in your ISMS, compliance score towards a framework, number of risks identified, number of improvements done, time to fix a non-conformity

Technological metrics: Time to identify an incident, number of identified vulnerabilities, % of centrally monitored access rights

People metrics: % of guidelines read, skill test average results, % of yearly training completed
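The organizational metrics listed above are easy to state but only useful when they are computed consistently from ISMS records and compared against a target. The following is an added example, not code from the article or from any ISMS product: it takes a small set of constructed task, control and non-conformity records (the dates, control names and targets are all invented for illustration), computes overdue items, a compliance score, open non-conformities and mean time to fix, and then flags which metrics miss their target.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Reference date for "today"; a constructed value so the example is reproducible.
AS_OF = date(2024, 5, 1)


@dataclass
class Task:
    name: str
    due: date
    done: Optional[date]  # None while the task is still open


@dataclass
class NonConformity:
    control: str
    raised: date
    closed: Optional[date]  # None while the non-conformity is still open


@dataclass
class Control:
    name: str
    implemented: bool


# Constructed sample records, in the shape an ISMS tool might export them.
TASKS = [
    Task("Review access rights (Q1)", date(2024, 3, 31), date(2024, 3, 28)),
    Task("Update backup policy", date(2024, 4, 15), None),
    Task("Supplier security review", date(2024, 2, 29), None),
    Task("Awareness training rollout", date(2024, 5, 30), None),
]

NON_CONFORMITIES = [
    NonConformity("Access control", date(2024, 1, 10), date(2024, 1, 24)),
    NonConformity("Information backup", date(2024, 2, 5), date(2024, 3, 6)),
    NonConformity("Awareness training", date(2024, 4, 2), None),
]

CONTROLS = [
    Control("Policies for information security", True),
    Control("Access control", True),
    Control("Information backup", True),
    Control("Awareness, education and training", False),
    Control("Management of technical vulnerabilities", False),
]

# Hypothetical targets; an organization would set its own.
TARGETS = {"overdue_items": 0, "compliance_score_pct": 80.0, "mean_days_to_fix": 30}


def overdue_items(tasks, today):
    """Open tasks whose due date has already passed as of `today`."""
    return [t for t in tasks if t.done is None and t.due < today]


def compliance_score(controls):
    """Share of framework controls marked implemented, as a percentage."""
    if not controls:
        return 0.0
    return 100.0 * sum(c.implemented for c in controls) / len(controls)


def open_non_conformities(ncs):
    return [nc for nc in ncs if nc.closed is None]


def mean_time_to_fix(ncs):
    """Average days from raising to closing a non-conformity; open ones are excluded."""
    durations = [(nc.closed - nc.raised).days for nc in ncs if nc.closed is not None]
    return mean(durations) if durations else None


def metrics_report(today=AS_OF, tasks=TASKS, ncs=NON_CONFORMITIES, controls=CONTROLS):
    """One snapshot of the organizational metrics, keyed by metric name."""
    return {
        "overdue_items": len(overdue_items(tasks, today)),
        "compliance_score_pct": round(compliance_score(controls), 1),
        "open_non_conformities": len(open_non_conformities(ncs)),
        "mean_days_to_fix": mean_time_to_fix(ncs),
    }


def breaches(report, targets=TARGETS):
    """Metrics that miss their target: compliance score is higher-is-better,
    the others are lower-is-better. Metrics with no value (e.g. no closed
    non-conformities yet) are skipped rather than reported as a breach."""
    missed = []
    for name, target in targets.items():
        value = report.get(name)
        if value is None:
            continue
        if name == "compliance_score_pct":
            if value < target:
                missed.append(name)
        elif value > target:
            missed.append(name)
    return missed


if __name__ == "__main__":
    report = metrics_report()
    for key, value in report.items():
        print(f"{key}: {value}")
    print("missed targets:", breaches(report))
```

The point of separating `metrics_report` from `breaches` is that the same snapshot can be recomputed at each management review, so that the trend (overdue items falling, time to fix shortening) is visible rather than a single number. Note that mean time to fix deliberately ignores open non-conformities; if you want to see an ageing backlog, track the open count alongside it rather than folding it into the average.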

Management reviews: Commit your top management through "big picture reviews"

Management reviews are periodic evaluations conducted by top management. They go through the main information security aspects (e.g. resource allocation, overall progress towards objectives, results of risk management, internal audits) and record management's view on them along with any additional actions wanted. Management reviews can be arranged as meetings, e.g. twice a year, where the key security people present the current state to top management.

Application security testing: Assess how well your key assets are protected against technical vulnerabilities

Security testing refers to the suite of processes used to evaluate and identify vulnerabilities in information systems, applications, and networks. Here the approach to assessing security is very technological, and thus only highlights certain vulnerabilities.

If your organization works primarily on software development, tools like vulnerability scanning, penetration testing, application security audits and even ethical hacking can be important for regularly assessing your security measures.

Employee awareness: Assess whether your people act securely in everyday work

Testing the awareness of your employees is also a crucial component of assessing an organization's overall information security measures. The goal is to evaluate how well employees understand and comply with the organization's security policies, and how effectively they can respond to potential security threats in everyday work. At best, employees are an active first line of defense.

To monitor your "people controls", you might choose tools like phishing simulations, security skill tests / quizzes, simulated social engineering attacks or incident response drills to assess your security.

