1. Purpose
Define and document the Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) used to monitor [ORGANIZATION]'s cyber risk posture and control effectiveness, including threshold levels aligned with the approved risk appetite.
2. Scope
This register covers all cyber risk and control performance indicators that are reported to management, executive leadership, and the Board as part of the cyber risk reporting program.
3. Register Content
3.1 Key Risk Indicators (KRIs)
KRIs measure exposure to cyber risk and provide early warning when risk levels are approaching or exceeding the defined risk appetite.
| KRI ID | Indicator Name | Description | Green Threshold | Amber Threshold | Red Threshold | Data Source | Frequency | Owner |
|---|---|---|---|---|---|---|---|---|
| KRI-01 | Critical vulnerability exposure | Count of unpatched critical/high vulnerabilities on in-scope assets | [CUSTOMIZE: <50] | [CUSTOMIZE: 50-100] | [CUSTOMIZE: >100] | [CUSTOMIZE: Vuln scanner] | Weekly | [CUSTOMIZE] |
| KRI-02 | Phishing click rate | Percentage of personnel clicking simulated phishing links | [CUSTOMIZE: <3%] | [CUSTOMIZE: 3-8%] | [CUSTOMIZE: >8%] | [CUSTOMIZE: SAT platform] | Per campaign | [CUSTOMIZE] |
| KRI-03 | Mean time to detect (MTTD) | Average time from intrusion to detection across incidents | [CUSTOMIZE: <24hrs] | [CUSTOMIZE: 24-72hrs] | [CUSTOMIZE: >72hrs] | [CUSTOMIZE: SIEM/SOAR] | Monthly | [CUSTOMIZE] |
| KRI-04 | Third-party risk exposure | Percentage of critical vendors with overdue risk assessments | [CUSTOMIZE: <5%] | [CUSTOMIZE: 5-15%] | [CUSTOMIZE: >15%] | [CUSTOMIZE: TPRM tool] | Monthly | [CUSTOMIZE] |
| KRI-05 | Privileged account anomalies | Number of privileged access events outside normal patterns | [CUSTOMIZE: <10/month] | [CUSTOMIZE: 10-25/month] | [CUSTOMIZE: >25/month] | [CUSTOMIZE: PAM/SIEM] | Weekly | [CUSTOMIZE] |
| KRI-06 | Regulatory finding backlog | Count of open regulatory/audit findings past remediation deadline | [CUSTOMIZE: 0] | [CUSTOMIZE: 1-3] | [CUSTOMIZE: >3] | [CUSTOMIZE: GRC tool] | Monthly | [CUSTOMIZE] |
| KRI-07 | Data loss events | Number of confirmed data loss or exposure events | [CUSTOMIZE: 0] | [CUSTOMIZE: 1-2] | [CUSTOMIZE: >2] | [CUSTOMIZE: DLP/incident log] | Monthly | [CUSTOMIZE] |
| KRI-08 | Risk acceptance aging | Percentage of risk acceptances past their review date | [CUSTOMIZE: <5%] | [CUSTOMIZE: 5-15%] | [CUSTOMIZE: >15%] | [CUSTOMIZE: Risk register] | Monthly | [CUSTOMIZE] |
3.2 Key Performance Indicators (KPIs)
KPIs measure the effectiveness and efficiency of security controls and processes.
| KPI ID | Indicator Name | Description | Target | Minimum Acceptable | Data Source | Frequency | Owner |
|---|---|---|---|---|---|---|---|
| KPI-01 | Patch compliance rate | Percentage of assets patched within SLA | [CUSTOMIZE: >95%] | [CUSTOMIZE: 90%] | [CUSTOMIZE: Patch mgmt] | Monthly | [CUSTOMIZE] |
| KPI-02 | Security training completion | Percentage of personnel with current training | [CUSTOMIZE: >98%] | [CUSTOMIZE: 95%] | [CUSTOMIZE: LMS] | Monthly | [CUSTOMIZE] |
| KPI-03 | Incident response time | Percentage of incidents responded to within SLA | [CUSTOMIZE: >95%] | [CUSTOMIZE: 90%] | [CUSTOMIZE: SOAR/ticketing] | Monthly | [CUSTOMIZE] |
| KPI-04 | MFA coverage | Percentage of user accounts with MFA enabled | [CUSTOMIZE: 100%] | [CUSTOMIZE: 98%] | [CUSTOMIZE: IAM system] | Monthly | [CUSTOMIZE] |
| KPI-05 | Backup success rate | Percentage of successful backup completions | [CUSTOMIZE: >99%] | [CUSTOMIZE: 97%] | [CUSTOMIZE: Backup system] | Weekly | [CUSTOMIZE] |
| KPI-06 | Risk assessment coverage | Percentage of in-scope systems with current risk assessment | [CUSTOMIZE: >90%] | [CUSTOMIZE: 80%] | [CUSTOMIZE: GRC tool] | Quarterly | [CUSTOMIZE] |
| KPI-07 | Policy acknowledgment rate | Percentage of personnel with current policy acknowledgment | [CUSTOMIZE: >98%] | [CUSTOMIZE: 95%] | [CUSTOMIZE: GRC/HR system] | Monthly | [CUSTOMIZE] |
| KPI-08 | Vulnerability remediation SLA | Percentage of vulnerabilities remediated within defined SLAs | [CUSTOMIZE: >90%] | [CUSTOMIZE: 80%] | [CUSTOMIZE: Vuln scanner] | Monthly | [CUSTOMIZE] |
3.3 Reporting and Escalation
All KRIs and KPIs shall be reported to [CUSTOMIZE: CISO/Security Leadership] at least [CUSTOMIZE: monthly].
KRI and KPI dashboards shall be provided to the [CUSTOMIZE: Executive Risk Committee] at least [CUSTOMIZE: quarterly].
Any KRI that enters the Red threshold shall be escalated to [CUSTOMIZE: CISO] within [CUSTOMIZE: 24 hours] with an action plan within [CUSTOMIZE: 5 business days].
Any KRI that enters the Red threshold for [CUSTOMIZE: two consecutive reporting periods] shall be escalated to [CUSTOMIZE: Executive Risk Committee / Board Risk Committee].
KPIs consistently below the Minimum Acceptable level shall trigger a root cause analysis and remediation plan within [CUSTOMIZE: 30 days].
3.4 Review and Calibration
This register shall be reviewed at least [CUSTOMIZE: semi-annually] by [CUSTOMIZE: CISO/Cyber Risk Team] to ensure indicators remain relevant, thresholds are appropriately calibrated, and data sources are reliable.
Thresholds shall be recalibrated when the Risk Appetite Statement is updated or when indicators consistently demonstrate that thresholds are too lenient or too stringent.
New indicators shall be added when changes in the threat landscape, regulatory environment, or business operations create monitoring gaps.
Retired indicators shall be documented with rationale for removal.
4. Compliance
Compliance with this register is mandatory for all personnel and functions within its scope. Compliance will be monitored through periodic audits, management review, and second line of defence oversight.
Exceptions to this register must be documented with a business justification, approved by [CUSTOMIZE: CISO/Executive Risk Committee], and reviewed at least annually.
5. Review and Revision
This register shall be reviewed at least annually by [CUSTOMIZE: CISO/Document Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, organizational structure, or risk appetite.
All revisions shall be documented with version number, date, author, and description of changes.
Document Approval
Approved By
Title
Date
Document Control