Effectiveness

This part of the IMS deals with measuring the effectiveness of the IMS and its associated information security and quality controls. The approach is based on an extension of the one advocated by Brewer and List in their paper "Measuring the effectiveness of an internal control system" (the "time" theory).

Time Theory

Just as a reminder, the two pictures to the right depict the two cases:

  • An event is detected in sufficient time for the impact that would otherwise result to be prevented. There is a small loss in profit due to the costs of fixing the problem. These costs would not have been incurred if the event had not happened.
  • The same event is detected too late to prevent the impact and a loss in profit results.
[Figure captions: "The event is detected in sufficient time to do something about it. The result is that the organisation is still in profit." and "The same event is detected too late and the impact occurs. The result is that the organisation makes a loss."]


The time theory identifies a spectrum of controls: Class 1 (prevents the event); Class 2 (detects the event in ample time to take action to prevent the impact); Class 3 (detects the event just in time to prevent the impact); Class 4 (detects the event just too late, and the impact occurs); Class 5 (the impact occurs, but there is a partially deployed recovery plan in place and recovery is quick); Class 6 (there is a plan in place, but it has to be implemented from scratch and recovery is therefore much slower); Class 7 (there is no plan, and recovery, if it is possible at all, takes far longer). We use these classifications and the time parameters in measuring the effectiveness of our controls.

Other Metrics

In addition to the time parameters:

  • We consider the effect that training has on the number of incidents, the metric being the number of incidents that could have been prevented by better training divided by the total number of incidents.
  • Similarly, we consider the effect that training has on the number of nonconformities discovered by internal IMS audit, the metric being the number of nonconformities that could have been prevented by better training divided by the total number of nonconformities.
  • Add to this list any other metrics you wish to use.

    If any of your assessment methods are complex, you will probably have an Information Security or other Procedure to deal with it. If you do, hyperlink to it.

    In adding to this list, describe, in particular, the criteria and methods you use to ensure that the quality objectives not covered by the above are met.

    Note that this will include the assessment of whether customer requirements are met (because you are required to have a quality objective that addresses it). ISO 9001 requires you to measure product conformity which is a major part of this metric. Anchor this metric with the name "ProductConformity".

    Note that this will also include the assessment of customer satisfaction (because you are required to have a quality objective that addresses it). Anchor this metric with the name "CustomerSatisfaction".

  • <<>>

Put here any additional text you wish concerning other metrics.

<<>>
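As an added illustration (not part of the IMS-Smart template or the Brewer and List paper) of how the time-theory classes and the training metric above can be computed from incident records, the following Python assigns each incident a class from its detection time, impact time, response time and recovery-plan status, and reports the class profile and the training ratio. The record fields, the 24-hour "ample time" threshold and the rule that a miss within that threshold is "just too late" (Class 4) are assumptions; the page leaves those thresholds to the organisation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Incident:
    prevented: bool               # a Class 1 control stopped the event outright
    detected_at: Optional[float]  # hours after onset the event was detected; None = never
    impact_at: float              # hours after onset at which the impact would occur
    response_time: float          # hours needed to act once the event is detected
    recovery_plan: str            # "deployed", "documented" or "none"
    training_preventable: bool    # would better training have prevented it?

def control_class(inc: Incident, ample_margin: float = 24.0) -> int:
    """Map an incident to a time-theory class 1..7. ample_margin (hours) is an assumed
    threshold: slack >= margin is 'ample time'; a miss <= margin is 'just too late'."""
    if inc.prevented:
        return 1
    if inc.detected_at is not None:
        slack = inc.impact_at - (inc.detected_at + inc.response_time)
        if slack >= ample_margin:
            return 2
        if slack >= 0:
            return 3
        if -slack <= ample_margin:
            return 4
    # the impact has occurred; the outcome now depends on the recovery plan
    return {"deployed": 5, "documented": 6}.get(inc.recovery_plan, 7)

def class_profile(incidents: List[Incident]) -> Dict[int, int]:
    """Count incidents per class; effective controls concentrate in classes 1-3."""
    profile = {c: 0 for c in range(1, 8)}
    for inc in incidents:
        profile[control_class(inc)] += 1
    return profile

def training_metric(incidents: List[Incident]) -> float:
    """Incidents better training would have prevented / total incidents (0.0 if none)."""
    if not incidents:
        return 0.0
    return sum(1 for inc in incidents if inc.training_preventable) / len(incidents)

# Constructed sample records, not real incident data
SAMPLE = [
    Incident(True, None, 48.0, 2.0, "deployed", False),     # Class 1
    Incident(False, 4.0, 72.0, 8.0, "deployed", True),      # slack 60h -> Class 2
    Incident(False, 40.0, 48.0, 6.0, "documented", False),  # slack 2h  -> Class 3
    Incident(False, 50.0, 48.0, 4.0, "documented", True),   # 6h too late -> Class 4
    Incident(False, None, 24.0, 0.0, "deployed", False),    # Class 5
    Incident(False, None, 24.0, 0.0, "none", True),         # Class 7
]
```

Tracking the class profile over successive review periods shows whether detection is moving left along the spectrum (towards Classes 1-3) or whether impacts are still being absorbed by recovery plans.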

 

IMS-Smart produced by Gamma Secure Systems Limited. Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001: 2000 registered company, certified for the provision of information security consultancy.  BSI certificate numbers IS 85916 and FS  30710.  Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK Tel: +44 1276 702500 - Fax: +44 1276 692903.  Use of IMS-Smart is governed by a EULA. Template reference 018-080101, copyright © Gamma Secure Systems Limited, 2007-8
 
TemplateIMSDemo
Page last updated: 17 March, 2008