Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments
Evaluating performance is how you distinguish a program that is working from one that merely looks active. Time-to-remediate, audit findings, incident rates, and training completion are all signals about whether your investments are producing real security improvements. Without this evaluation, leadership cannot make informed decisions about where to invest or what to cut.
Implementation steps
1. Define and collect performance indicators
   Choose a small set of indicators that reflect actual security outcomes, not just activity. Good examples include: percentage of critical vulnerabilities remediated within SLA, mean time to detect incidents, percentage of employees completing security training, and number of policy exceptions open. Collect these consistently so trends are visible.
   Tools: Google Sheets, Looker, Tableau, Splunk
2. Conduct periodic performance evaluations
   At least annually, run a more formal evaluation of the security program. This can be an internal assessment, a third-party audit, or a tabletop exercise that tests real response capabilities. Use the results to identify what is working well and what is not.
3. Feed evaluation results into program adjustments
   Evaluation results should drive changes: adjusting priorities in the risk register, reallocating resources, adding controls where gaps were found, or retiring controls that are not providing value. Document the decisions made from each evaluation so there is a clear cause-and-effect chain between findings and actions.
   Tools: Jira, Confluence, Notion
Evidence required
Security performance metrics
A documented set of performance indicators collected and tracked consistently over time.
- Monthly security metrics report with trend data
- Security scorecard showing key indicators over the past four quarters
- Training completion rate and vulnerability SLA adherence reports
Formal evaluation or audit records
Records of at least one formal evaluation of the security program in the past 12 months.
- Third-party security assessment report with findings
- Internal audit findings and remediation tracking
- Penetration test report with a summary of program strengths and weaknesses
Related controls
- Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy (Oversight)
- The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks (Oversight)
- The organizational mission is understood and informs cybersecurity risk management (Organizational Context)
- Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered (Organizational Context)