­
Key Metrics for your IT GRC Program - All Articles - CISO Platform

All Articles

Key Metrics for your IT GRC Program

Posted by pritha on November 27, 2019 at 11:30pm

IT GRC is a very broad topic encompassing nearly all aspects of information security. In this blog, we’ve tried to list down some key metrics that you should be tracking as part of your IT GRC program. Like all metrics these can be tracked on a periodic basis (monthly, quarterly etc.) and represented using a trending graph. Solutions like IT GRC Platforms can help automate the collection and reporting of metrics.

 

Maturity Score

This will be based on the frameworks the organization is following, like NIST Cybersecurity Framework (CSF), COBIT etc. Demonstrating progress based on maturity levels should be a key requirement for your IT GRC program.

Policy Related Metrics

These metrics provide insights into the effectiveness of your policies and can include metrics like:

  1. # Policy Exceptions and/or violations
  2. Avg Duration of Policy Exceptions
  3. # of Redundant Controls

Risk Metrics

This is very broad topic and should be based on organizational context. Organizations can also look at frameworks like FAIR for adopting a quantitative approach to cyber risk management. Here are some generic metrics organizations can consider:

  1. Risk Assessment Frequency
  2. Risk Tolerance or Risk Appetite (in $ value if possible)
  3. Residual Risk / Risk Tolerance Level
  4. # of Open Critical / High findings (via Risk Assessment)
  5. Average Time to Remediate Risk

 


Audit & Compliance

Audit related issues grab attention quickly. These are some of the metrics which can help track your audit program (monthly / quarterly / annual).

  1. # Critical or High Audit Findings
  2. Audit Exceptions Index (this can be calculated by : Audit Exceptions / Audit Findings)
  3. # Control Test Failures (by Criticality)

Read more:(TOP 6 VENDORS IN IT GOVERNANCE, RISK AND COMPLIANCE (IT GRC) MARKET AT RSAC 2017)
 

Incidents Metrics

Here’s a short list of key metrics which you can consider to monitor your incident management program:

  1. Incident Cost or Loss (brand impact)
  2. Critical or High Incidents Frequency
  3. Number of Incidents by Category (e.g.: Malware, Data Loss, Downtime etc.)

This is a short list of metrics, help us expand the list by listing your favorite metrics in the comments section.

Views: 3267
Tags: &, Buying, Compliance, GRC, Governance, IT, Metrics, Product, Risk, Security
Votes: 0
E-mail me when people leave their comments –
Follow
Posted by pritha

Community Head, CISO Platform

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

Read More

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

City Round Table Meetup - Mumbai, Bangalore, Delhi, Chennai, Pune, Kolkata

Apr 15, 2025 at 8:00am to May 15, 2025 at 10:00am UTC+5.5
India
  • Description:
    CISO Playbook Round Table Overview : 
    Our round tables are designed to bring together top CISOs and IT leaders in intimate, focused sessions. These closed-door discussions will provide a platform to explore key security challenges and solutions. These sessions aim to create a focused, closed-door environment where 08-10 CISOs will dive deeply into the practicalities of implementing specific technologies.
    • Technology Implementation: From…
  • Created by: Biswajit Banerjee
  • Tags: ciso, playbook, round table

Round Table Dubai 2025 | GISEC

May 8, 2025 from 6:00pm to 9:00pm UTC+04
Dubai
  • Description:
    CISO Playbook Round Table Overview : 

    Our round tables are designed to bring together top CISOs and IT leaders in intimate, focused sessions. These closed-door discussions will provide a platform to explore key security challenges and solutions. These sessions aim to create a focused, closed-door environment where 08-10 CISOs will dive deeply into the practicalities of implementing specific technologies.
    • Technology…
  • Created by: Biswajit Banerjee

Fireside Chat With Dan Bowden (Global Business CISO, Marsh McLennan (Marsh, Guy Carpenter, Mercer, Oliver Wyman))

May 9, 2025 from 9:30pm to 10:00pm UTC+5.5
Online
  • Description:

    We’re excited to bring you an insightful fireside chat on "Navigating the Cyber Insurance Landscape: Key Considerations for CISOs" with Dan Bowden (Global Business CISO, Marsh McLennan) and Erik Laird (Vice President - North America, FireCompass). In this fireside chat, we'll decode the complexities of cyber insurance from a CISO’s lens and uncover how to make smarter, security-aligned decisions when it comes to policy design, claims, and ROI.

    As cyberattacks grow in…

  • Created by: Biswajit Banerjee
  • Tags: ciso, cyber insurance, dan bowden

CISO Platform: CISO 100 Awards & Future CISO Awards @ Atlanta

Oct 1, 2025 at 9:00am to Oct 2, 2025 at 3:00pm UTC-04
Renaissance Atlanta Waverly Hotel & Convention Center
  • Description:

    Nominate for the CISOPlatform CISO 100 Awards & Future CISO Awards - Recognizing Cybersecurity Leaders. Recommend someone you know deserving of this prestigious accolade....Nominate your colleague, mentor, someone you admire or yourself !

    CISO Platform is collaborating as a community partner with EC-Council’s Global CISO Forum, supporting initiatives such as the CISO Platform…

  • Created by: Biswajit Banerjee