Information Security Indicators

The threat from cyber attacks is growing and represents a significant risk to industry, which could include huge losses of intellectual property or of reputation.

Industry is focusing increasingly on security assurance. But a global reference framework is needed to provide a valid means of assessing an organization’s security status. The key issue is to define a full set of measurements – or security indicators – which would be shared widely.

This would enable organizations to assess themselves accurately and to benchmark their level of assurance and the effectiveness of their security measures. It could also lead to the emergence of commonly recognized and reliable statistics.

Our Industry Specification Group on Information Security Indicators (ISG ISI) is producing specifications which together form a reliable and commonly recognized reference model for the measurement of information security risks. We started a phase 2 in April 2016 to develop new specifications.
ISI specifications are increasingly used in different EU countries, and are considered unique in the standardization world, filling a gap in the cybersecurity field. They have been adopted officially by some Information Security Government Agencies.

Building on this strong base (more than 100 large European companies and organizations using ISI today), feedback from users has been received and new specifications need to be produced. These concern in particular the design of a cybersecurity language to model threat intelligence information and enable interoperability between detection tools (ISI-006), comprehensive guidelines for building a secure SOC, especially regarding its architecture (ISI-007), and a whole SIEM approach that is truly integrated within an overall cyber defence that is organization-wide and not only IT-oriented (ISI-008).

A full list of related standards in the public domain is accessible via the ETSI standards search. Via this interface you can also subscribe to alerts on updates of ETSI standards.