"Having recently become an ISMS coordinator, I must prepare a monthly report to management. How does one write an information security report? What should be reported?"
Over the weekend we've raised and debated a bunch of ideas, such as a tiered approach, starting at the detailed operational level with effectiveness metrics for the selected information security controls, then aggregating and summarising information for less frequent reports to higher management, emphasising the business perspective (e.g. reporting not just the number of incidents, but a breakdown by severity level mapping to business impacts for senior management).
Using appropriate metrics makes sense, of course. It also occurs to me that, aside from structuring the reports according to the information security controls and incidents, you could use the information risks in a similar way. The themes and control attributes from ISO/IEC 27002:2022 (and/or your custom attributes) might also be a rational basis for grouping and reporting on the ‘ISMS things that are somehow related’, particularly for the more detailed reports.
As well as reporting historical and current status information, I would probably add some analysis of the current situation, resourcing (budgets and people) and priorities plus a forward view of plans with a time horizon that again reflects the outlook of the audiences. So, for the higher levels of management, the reports would focus on fewer, more significant issues (bigger/existential risks, key business-related objectives, major projects/initiatives etc. with the supporting details possibly relegated to appendices or simply cited in lower-level reports) and look further forward towards more distant horizons.
Generalising, I envisage a reporting structure along these lines:
- Continual/daily information used for routine, contemporaneous operational activities within the information risk and security management function, with weekly/monthly summaries fed into other reporting streams and formats e.g. ‘status reports’ and ‘ongoing activities’ (things completed in the most recent reporting period, things in progress now, and things planned for the next reporting period/s) and ‘current concerns’ (watchpoints) on the function’s intranet site;
- Monthly reports exchanged with management colleagues in related specialisms such as risk, IT, HR and compliance, used to agree priorities and so coordinate approaches, dealing with any conflicts or concerns and avoiding things ‘falling between the cracks’;
- Quarterly business-related executive summaries for the C-suite, including notes on everything significant (initiatives, projects, budgets & resourcing, incidents …) and mid-term plans (looking ahead maybe a year or two);
- Annual high-level summary reports to senior management (C-suite and Board) and, if appropriate, other significant stakeholders (owners, auditors, regulators, business partners …) presenting only the most significant information and longer term/strategic plans stretching a few years ahead.
In addition to these planned, regular reports, there may also be a need for ad hoc reporting on specific areas and particular audiences, such as:
- ISMS management reports, internal audits and external audits;
- Significant incidents and near-misses (corrective actions), plus ISMS improvement opportunities (preventive actions) i.e. projects and initiatives, including proposals for new investments;
- Anything else that deserves to be ‘escalated’ up through the management layers, or needs to involve and gain wider support e.g. policies and governance aspects;
- Whatever other reporting various audiences require e.g. for planning, structuring and coordinating infosec-related activities that cross departments, business units and/or businesses e.g. mergers and acquisitions, restructuring, new products …