Performance Management


for Data Privacy, Security & Business Continuity

“You can't manage what you don't measure.”

         - Peter F. Drucker

As offered in the age old quote above, modern leaders understand that in order to truly manage a business activity, you must find a way to measure and perform ongoing monitoring to assess it value to the business.

Many of today's data security and privacy standards and regulations are similarly mandating establishing performance measurements and monitoring activity. e.g. ISO 27001 and ISO 27701, which mandate such activity to assess the operational effectiveness and the efficiency of a controls under an Information Security Management System (ISMS) and Privacy Information Management System (PIMS).

CIMA works with client data protection leaders and their control owners to facilitate the identification of control measurement opportunities, and select the best ones for monitoring purposes to determine if the objectives of an ISMS or PIMS are being achieved. This is a critical business activity if done correctly, as it helps the organization's leadership understand where and how their investment into an ISMS and PIMS is supporting the achievement of organizational business goals.

How We Help Clients

1

Strategic Analysis

Through an analysis of your organization's business strategy, we identify opportunities for alignment of your current or future ISMS / PIMS to ensure their focus on the business goals.



2

identification of ISMS / PIMS objectives

We facilitate on or off-site focus sessions / workshops with your team(s) to determine meaningful objectives top guide your ISMS / PIMS in alignment with the business strategy.



3

Identification of Control Measurements & Monitoring Approach

Through a facilitated approach, we work with your control owners to identify measurements opportunities for individual controls. This activity kicks-off with a short educational session to help establish a common understanding of measurements and monitoring in the context of a performance management program. Your internal control owners then document the opportunities for measurements, which are subsequently fed through a quality assurance review with our engagement consult(s) for review and follow up recommendations.

We then work with the ISMS / PIMS owner to narrow measurements to those best suited to provide meaning data regarding the control's operational effectiveness and efficiency.

Continuing to work with your control owners, we then identify effective ways and frequency of monitoring control measurements.



4

Aligning Control Measurements with ISMS / PIMS objectives

In collaboration with your ISMS / PIMS team, we then assess the output of phase 3 to identify which measurements will best help you to determine if your ISMS / PIMS objectives are being achieved.



5

Creation of Collection, Collation and Management System level monitoring

In this final stage we host a final workshop with the control owners associated with the control measurements from phase 4, to create a process flow and custom approach to collection, collate, measure and monitor ISMS / PIMS objectives, which will become your monthly or quarterly metrics for management reporting.

>