Home > Articles > Other IT Certifications > CISSP

  • Print
  • + Share This
Like this article? We recommend

Like this article? We recommend



Metric Development Template

Measure ID

State the unique identifier used for measure tracking and sorting. The unique identifier can be from an organization-specific naming convention or can directly reference another source.


Statement of strategic goal and/or information security goal. For system-level security control measures, the goal would guide security control implementation for that information system. For program-level measures, both strategic goals and information security goals can be included. For example, information security goals can be derived from enterprise-level goals in support of the organization’s mission. These goals are usually articulated in strategic and performance plans. When possible, include both the enterprise-level goal and the specific information security goal extracted from agency documentation, or identify an information security program goal that would contribute to the accomplishment of the selected strategic goal.


Statement of measurement. Use a numeric statement that begins with the word “percentage,” “number,” “frequency,” “average,” or a similar term. Security controls that provide supporting data should be stated in Implementation Evidence.


Statement of whether the measure is implementation, effectiveness/efficiency, or impact.


Calculation to be performed the results in a numeric expression of a measure. The information gathered through listing implementation evidence serves as an input into the formula for calculating the measure.


Threshold for a satisfactory rating for the measure, such as milestone completion or a statistical measure. Target can be expressed in percentages, time, dollars, or other appropriate units of measure. Target may be tied to a required completion time frame. Select final and interim target to enable tracking of progress toward stated goal.

Implementation Evidence

Implementation evidence is used to compute the measure, validate that the activity is performed, and identify probable causes of unsatisfactory results for a specific measure.

For manual data collection, identify questions and data elements that would provide the data inputs necessary to calculate the measure’s formula, qualify the measure for acceptance, and validate provided information.

For automated data collection, identify data elements that would be required for the formula, qualify the measure for acceptance, and validate the information provided.


Indication of how often the data is collected and analyzed, and how often the data is reported. Select the frequency of data collection based on a rate of change in a particular security control that is being evaluated. Select the frequency of data reporting based on external reporting requirements and internal customer preferences.

Responsible Parties

Indicate the following key stakeholders: Information Owner: Identify organizational component and individual who owns required pieces of information; Information Collector: Identify the organizational component and individual responsible for collecting the data. (Note: If possible, Information Collector should be a different individual or even a representative of a different organizational unit than the Information Owner, to avoid the possibility of conflict of interest and ensure separation of duties. Smaller organizations will need to determine whether it is feasible to separate these two responsibilities.); and Information Customer: Identify the organizational component and individual who will receive the data.

Data Source

Location of the data to be used in calculating the measure. Include databases, tracking tools, organizations, or specific roles within organizations that can provide required information.

Reporting Format

Indication of how the measure will be reported, such as a pie chart, line chart, bar graph, or other format. State the type of format or provide a sample.

  • + Share This
  • 🔖 Save To Your Account