Effectiveness Review
Legal Basis
§30(2) No. 6 BSIG – Concepts and procedures for assessing the effectiveness of risk management measures in information technology security
Annual Security Review
| Review Area | Method | Responsible |
|---|---|---|
| Risk analysis | Update of risk assessment | ISO |
| Incident response | Tabletop exercise / simulation | ISO + IT team |
| Backup & recovery | Restore test | IT operations |
| Access control | Authorization audit | ISO |
| Training | Completion rates and knowledge testing | HR / ISO |
KPIs
| KPI | Target | Measurement |
|---|---|---|
| Patch compliance | ≥ 95% within defined deadlines | Monthly |
| Mean Time to Detect (MTTD) | < 24 hours | Per incident |
| Mean Time to Respond (MTTR) | < 4 hours (critical) | Per incident |
| Training completion | 100% mandatory training | Annually |
| Backup restore success rate | 100% | Quarterly test |
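As an added example that is not part of this document, the Python script below computes the KPIs from the table above out of constructed patch and incident records and checks each value against its target; the record fields, the severity label and the sample dates are assumptions.

```python
"""Evaluate the KPI table against constructed patch and incident records."""
from datetime import datetime, timedelta
from statistics import mean

# Targets from the KPI table: (direction, threshold).
# "ge" means value must be >= threshold, "lt" means value must be < threshold.
TARGETS = {
    "patch_compliance_pct": ("ge", 95.0),
    "mttd_hours": ("lt", 24.0),
    "mttr_hours_critical": ("lt", 4.0),
    "training_completion_pct": ("ge", 100.0),
    "restore_success_pct": ("ge", 100.0),
}

def hours(start, end):
    return (end - start).total_seconds() / 3600

def patch_compliance(patches):
    """Percentage of patches applied on or before their deadline (unapplied counts as late)."""
    on_time = sum(1 for p in patches if p["applied"] is not None and p["applied"] <= p["deadline"])
    return 100.0 * on_time / len(patches)

def mttd(incidents):
    """Mean time from occurrence to detection, in hours, over all incidents."""
    return mean(hours(i["occurred"], i["detected"]) for i in incidents)

def mttr(incidents, severity="critical"):
    """Mean time from detection to first response, in hours, for one severity."""
    return mean(hours(i["detected"], i["responded"]) for i in incidents if i["severity"] == severity)

def evaluate(patches, incidents, training_pct, restore_pct):
    """Return {kpi: (measured value, target met)} for every KPI in the table."""
    measured = {
        "patch_compliance_pct": patch_compliance(patches),
        "mttd_hours": mttd(incidents),
        "mttr_hours_critical": mttr(incidents),
        "training_completion_pct": training_pct,
        "restore_success_pct": restore_pct,
    }
    return {k: (v, v >= TARGETS[k][1] if TARGETS[k][0] == "ge" else v < TARGETS[k][1])
            for k, v in measured.items()}

# Constructed sample data (assumed format): 14-day patch deadline, one patch never applied.
T = datetime(2024, 3, 1)
SAMPLE_PATCHES = [{"deadline": T + timedelta(days=14), "applied": T + timedelta(days=d)}
                  for d in (3, 5, 7, 7, 9, 10, 12, 14, 16)] + [{"deadline": T + timedelta(days=14), "applied": None}]
SAMPLE_INCIDENTS = [
    {"severity": "critical", "occurred": T, "detected": T + timedelta(hours=6), "responded": T + timedelta(hours=8)},
    {"severity": "critical", "occurred": T + timedelta(days=10), "detected": T + timedelta(days=10, hours=30),
     "responded": T + timedelta(days=10, hours=33)},
    {"severity": "medium", "occurred": T + timedelta(days=20), "detected": T + timedelta(days=20, hours=12),
     "responded": T + timedelta(days=21, hours=12)},
]

if __name__ == "__main__":
    for kpi, (value, met) in evaluate(SAMPLE_PATCHES, SAMPLE_INCIDENTS, 100.0, 100.0).items():
        print(f"{kpi:26s} {value:8.2f}  {'OK' if met else 'MISSED'}")
```

With the sample data, patch compliance comes out at 80 % and is flagged as missed, while MTTD (16 h) and critical MTTR (2.5 h) meet their targets.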
Penetration Tests
- External tests – Annually by independent provider
- Internal tests – Event-driven for significant changes
- Scope – Infrastructure, web applications, internal systems
- Result utilization – Findings feed into risk analysis and action planning
PDCA Cycle
| Phase | Activity |
|---|---|
| Plan | Risk analysis, measure planning, training planning |
| Do | Implementation of measures, operation of security systems |
| Check | KPI measurement, audits, penetration tests, incident evaluation |
| Act | Corrective actions, risk analysis adjustment, process improvement |