Jorge Lozano, Senior Manager Cyber Security, PwC

ISO 27001:2013 requires the organization to establish a method to evaluate the performance and effectiveness of the ISMS. The selected method must produce reproducible and comparable results. This presentation will review a process for defining security metrics that can be obtained from implemented controls, discuss the key elements those metrics should include, and offer some examples of metrics that top management can use for strategic decisions.