ORX Cyber Controls and Indicators Benchmark
Good controls and indicators are vital for effective cyber risk management. They're both a key interest for cyber specialists in the second line, and a major challenge.
One reason for this is the need to maintain an appropriate set of controls and indicators for cyber risk management while focusing on the most material ones. For example, what makes a good indicator, or which controls are the most material in operation across the industry?
That's where the controls and indicator benchmarking from ORX Cyber can help. The first of its kind in the industry, the database is available as part of the ORX Cyber service.
How does it work?
The benchmark provides an overview of the cyber risk management controls and indicators in place across the industry.
Once you've submitted your controls and indicators information, you'll receive your individual report, which is published through our secure Insight platform.
The report provides a quick and simple overview of how your firm assessed its cyber-related controls and indicators in comparison to the other participants.
The ORX Cyber controls and indicators benchmarking is run on a twice-yearly basis, including an annual refresh for all participants, which allows us to deliver improvements and additional insights. The next benchmarking exercise will begin in October 2023.
How you can use the benchmark
Gain deep insight into industry practice
Develop and enhance your controls and indicators
Identify weak, ineffective or missing controls
The detail
Aligned to the industry NIST framework, participating firms complete the submission template by assessing their controls against the framework. We currently use Version 1.1 of the NIST framework, which equates to 108 cyber-related controls.
Completed templates are submitted through our secure Insight platform. Participants are also asked to provide information on control attributes, including:
- Whether they are automated
- Whether they are preventive, corrective, detective or directive
- Whether they are operated internally or externally
- What risks they manage
Similarly, participants are asked to provide an assessment of their cyber-related indicators based on our bespoke indicators aligned to the functions of the NIST framework. We collect and compile associated indicator attributes, including:
- How frequently they are monitored
- Whether they are leading or lagging
- Where they are typically reported
- Whether they are manually operated
- What risks they manage
The ORX Cyber Controls and Indicators Benchmark is available to ORX Cyber subscribers and ORX members
If your firm is a subscriber or a member, log in or register to find out more and take part.