PM-06 Measures of Performance

Program Management

Description

Develop, monitor, and report on the results of information security and privacy measures of performance.

Supplemental Guidance

Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. To facilitate security and privacy risk management, organizations consider aligning measures of performance with the organizational risk tolerance as defined in the risk management strategy.

Changes from Rev 4

Title changed from 'Information Security Measures of Performance' to 'Measures of Performance'. Privacy added.

Compliance Mappings

ISO 27001:2022

10.1, 4.4, 6.2, 9.1, 9.3, A.5.35, A.5.36

ISO 27002:2022

5.35, 5.36

COBIT 2019

APO13, EDM02, MEA01, MEA02

NIST CSF 2.0

GV.OV-01, GV.OV-03, ID.IM-01, ID.IM-03

PCI DSS v4.0.1

12.4

CSA CCM v4

AIS-03, SEF-05, TVM-09, TVM-10

CSA AICM v1

AIS-03, SEF-05, TVM-09, TVM-10

NIS2 Directive

Art. 21(2)(f), Art. 32

PRA Operational Resilience

SS1/21-6.2, SS1/21-7.1

APRA CPS 234

Para 27-28

BSI IT-Grundschutz

ISMS.1

BIO2

5.35, 5.36

RBI CSF

Annex1.21ITGRCA.21

FISC Security Guidelines

FISC.O7

LGPD + BCB 4893

BCB.Art.18, BCB.Art.19

HKMA TM-E-1

TME1.12.3, TME1.3.3

DNB Good Practice

DNB.14.1, DNB.16.2, DNB.16.4, DNB.5.2

SAMA CSF

1.3, 1.9, 2.2

NCA ECC

1-2, 1-7, 1-8

UAE IA

T1

CBB TM

TM-16

Qatar NIA

GV

CBUAE

CR-14

CBE CSF

GOV-3

SA JS2

JS2-5, JS2-9

CBN CSF

Part2.2, Part6.1, Part6.2, Part7.2

BoG CISD

CISD-COMP, CISD-IV

BoM CTRM

1.5, 5.4

BCBS 239

Principle 12

FFIEC IS

Appendix A, II.C.1, II.C.4, II.D, IV.A, IV.A.1, IV.A.4

NYDFS 500

500.2

HIPAA Security Rule

§164.308(a)(8)

EBA ICT Guidelines

3.3.5

SEBI CSCRF

AUDIT, CCI, GV.OV

CMMC 2.0

CA

10 CFR 73.54

73.54(d)

DOE C2M2 v2.1

PROGRAM

API 1164

Sec 15

AWIA

AWWA Sec 1

CBEST

CBEST.10, CBEST.7

TIBER-EU

TIBER.CLOSE, TIBER.REM

PCI HSM

10

ISAE 3402

Clause 10, Clause 5, Clause 6

Solvency II

Art.46, Art.47

NAIC Insurance Data Security

44E

PRA SS1/23

P4.5, P5.2

FCA SYSC 13

SYSC 13.5.3, SYSC 13.7.5, SYSC 13.G.3

HITRUST CSF v11

00.a, 00.c, 04.b, 06.c

ISO 27799

18.35.2

NHS DSPT

NDG-5.1, NDG-6.4

Basel SCO60

SCO60.70, SCO60.71, SCO60.72, SCO60.82