title: “[03] CISSP Cheatsheet - Security KPIs and Metrics” date: 2026-07-05 authors:
- Your Name
π Topic: Security KPIs and Metrics
Domain: D1 β Security and Risk Management
Tags: #cissp #metrics #kpi
π§Ύ Definition
Key Performance Indicators (KPIs) and metrics measure the effectiveness of security controls and help leadership make informed risk decisions. They should be actionable, measurable, and tied to business objectives.
π Key Points
- Use metrics like MTTD (Mean Time to Detect), MTTR (Mean Time to Recover), patch compliance, number of incidents, and percent of critical assets with protections.
- KPIs should be SMART: Specific, Measurable, Achievable, Relevant, Time-bound.
- Avoid vanity metrics; focus on indicators that drive decisions and improvements.
β οΈ CISSP Insight
- CISSP candidates should understand governance-level metrics and how they support risk management and reporting to executives.
βοΈ Key Difference / Trap
- Metric vs KPI
- Metric = any measured value
- KPI = a metric tied to a business objective and action
- Trap: Reporting too many metrics without clear owners or actionables.
ποΈ Example
A security team tracks patch compliance weekly and reports trend-based KPIs to leadership; a drop triggers a remediation action and post-mortem.
π References
- NIST CSF measurement guidance
- ISO/IEC 27004 β Information security management β Measurement
- CIS Controls measurement recommendations
π Quick Recall
- KPIs must be actionable, tied to risk, and support decision-making