Gary Hinson, CEO, IsecT Ltd.

We all need metrics in order to manage our information risks and risk treatments rationally. A management system makes no sense without metrics; without them, it is flying blind. Pure guesswork is not a sensible basis on which to develop strategies and plans, justify and prioritize security investments, respond positively to changes, challenges, opportunities and incidents, and systematically improve things. This presentation focuses on how to answer the obvious but tricky question "What should we measure?" Using ISO/IEC 27004 as a stepping-off point, Gary will explain firstly how to figure out what needs to be measured, and secondly how to measure it. You will come away with a practical approach: not a predetermined set of generic metrics, but a tried-and-trusted method for determining for yourself the particular metrics that complement, support and add value in your unique situation.