
Information security KPIs: which metrics actually steer well?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7824
Topic starter  

TL;DR: Cyber-security KPIs are most useful when they support decisions, remain stable over time, and map directly to risk, audit evidence, and management review under ISO/IEC 27001, ISO/IEC 27004, BSI guidance, and NIST SP 800-55. Weak metric design hides control failures instead of exposing them, so governance must focus on a small, decision-ready set of measures.

NHIMG editorial — based on content published by Imprivata: information security KPIs as a governance and control instrument

Questions worth separating out

Q: How should security teams choose KPIs that actually improve governance?

A: Start with the decision the metric is meant to support, then work backwards to the control it measures.

Q: Why do identity metrics need to be separated by account type?

A: Human users, privileged accounts, service accounts, and third-party identities fail in different ways, so averaging them hides risk.

Q: When should organisations use leading metrics instead of incident counts?

A: Use leading metrics whenever the goal is prevention or early warning.

Practitioner guidance

  • Define each KPI as a control outcome: write the formula, data source, review cadence, baseline, and exception rules before the metric enters any report pack.
  • Separate leading and lagging indicators: use one set of metrics to show likely control failure, such as stale credentials or overdue reviews, and another set to show realised impact, such as incidents or recovery time.
  • Build identity-specific dashboards: track human accounts, privileged access, service accounts, and third-party access separately so teams can see where control weakness is concentrated instead of averaging risk away.
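As an added illustration of the three points above (not code from the original post or from Imprivata's article): a Python sketch that records a leading identity KPI together with its formula, baseline and exception rule, then reports it per identity type beside the blended aggregate, so the reader can see how the average hides stale credentials concentrated in privileged, service and third-party accounts. The age thresholds and the inventory are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    kind: str                # "human" | "privileged" | "service" | "third_party"
    cred_age_days: int       # days since the credential was last rotated
    review_age_days: int     # days since the last access review
    exception: bool = False  # approved, documented exception on file

# KPI definition recorded before the metric enters a report pack (assumed
# thresholds, not from the page): formula = breaches / population per kind,
# data source = identity inventory export, baseline = per-kind maximum age,
# exception rule = approved exceptions stay in the denominator only.
CRED_MAX_AGE = {"human": 90, "privileged": 30, "service": 180, "third_party": 60}
REVIEW_MAX_AGE = {"human": 365, "privileged": 90, "service": 180, "third_party": 90}

def stale_credential(a: Account) -> bool:
    return a.cred_age_days > CRED_MAX_AGE[a.kind]

def overdue_review(a: Account) -> bool:
    return a.review_age_days > REVIEW_MAX_AGE[a.kind]

def kpi_rate(accounts, is_breach, kinds=None):
    """Leading indicator: share of the selected population currently in breach.
    Returns (rate, breaches, population); excepted accounts never count as breaches."""
    pop = [a for a in accounts if kinds is None or a.kind in kinds]
    if not pop:
        return 0.0, 0, 0
    breaches = [a for a in pop if is_breach(a) and not a.exception]
    return round(len(breaches) / len(pop), 3), len(breaches), len(pop)

def dashboard(accounts, is_breach):
    """Aggregate figure plus one row per identity type, so concentration of
    control weakness is visible instead of being averaged away."""
    rows = {"all": kpi_rate(accounts, is_breach)}
    for kind in CRED_MAX_AGE:
        rows[kind] = kpi_rate(accounts, is_breach, kinds={kind})
    return rows

# Constructed sample inventory (not real data): 8 healthy human accounts hide
# a 50-100% breach rate in the smaller privileged, service and third-party groups.
INVENTORY = (
    [Account(f"h{i}", "human", 30, 100) for i in range(8)]
    + [Account("p1", "privileged", 10, 30), Account("p2", "privileged", 45, 30)]
    + [Account("s1", "service", 400, 200), Account("s2", "service", 500, 50),
       Account("s3", "service", 200, 200, exception=True), Account("s4", "service", 20, 10)]
    + [Account("t1", "third_party", 100, 120)]
)

if __name__ == "__main__":
    for label, fn in (("stale credentials", stale_credential), ("overdue reviews", overdue_review)):
        print(label)
        for kind, (rate, n, pop) in dashboard(INVENTORY, fn).items():
            print(f"  {kind:12s} {rate:6.1%}  ({n}/{pop})")
```

The blended stale-credential figure is about 27%, while the privileged and service rows each show 50% and the third-party row 100%; that gap is the point of segmenting the dashboard.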

What's in the full article

Imprivata's full article covers the practical KPI guidance this post intentionally leaves at the governance level:

  • Concrete examples of identity and security KPI definitions suitable for ISO 27001 and NIS-2 reporting
  • How to separate leading and lagging measures so management reviews can detect control drift earlier
  • Ways to document metric baselines, data sources, and exceptions for audit readiness
  • A structured view of security awareness and governance metrics that can support operational reporting

👉 Read Imprivata's analysis of information security KPIs for ISO 27001 and NIS-2 →

