Establish, implement, and maintain a policies and controls metrics program.
CONTROL ID
01666
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a metrics policy., CC ID: 01654

This Control has the following implementation support Control(s):
  • Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted., CC ID: 01679
  • Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures., CC ID: 01680
  • Report on the percentage of policy compliance reviews for which no compliance violations were noted., CC ID: 01681
  • Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures., CC ID: 01682


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Gateway providers holding government information must document their implementation and effectiveness with the scoped ISM controls, the PSPF and the Australian Security Intelligence Organisation's (ASIO) T4 Physical Accreditation requirements. (55., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The organization should develop metrics for all policies and measure them on a regular basis. (Critical Control 9.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • how the effectiveness of controls are measured. (§ 9.3 ¶ 4 e), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • how the effectiveness of controls will be measured. (§ 9.3.3.1 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization must establish and maintain a policies and controls metrics standard. (ISPE8, CISWG Information Security Program Elements, 10-Jan-05)
  • Reporting plays an important role in equipping Level 1 decision-makers with the context necessary to make informed decisions on how to manage cybersecurity risks throughout the supply chain. Reporting should focus on enterprise-wide trends and include coverage of the extent to which C-SCRM has been … (2.3.2. ¶ 11, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)