Good controls and indicators are vital for effective cyber risk management. They're both a key interest for cyber specialists in the second line, and a major challenge.

One of the reasons for this is the need to balance appropriate controls and indicators for cyber risk management while focusing on the most material ones. For example, what makes a good indicator, or which controls are the most material in operation across the industry?

That's where the controls and indicator benchmarking from ORX Cyber can help. The first of its kind in the industry, the database is available as part of the ORX Cyber service.

How does it work?


The benchmark provides an overview of the cyber risk management controls and indicators in place across the industry. 

Once you've submitted your controls and indicators information, you'll receive your individual report, which is published through our secure Insight platform.


The report provides a quick and simple overview of how your firm assessed its cyber-related controls and indicators in comparison to the other participants.

The ORX Cyber controls and indicators benchmarking is run on a twice-yearly basis, including an annual refresh for all participants, which allows us to deliver improvements and additional insights. The next benchmarking exercise will begin in October 2023.

How you can use the benchmark

Gain deep insight into industry practice

Develop and enhance your controls and indicators

Identify weak, ineffective or missing controls

The detail

The benchmark is aligned to the industry NIST framework: participating firms complete the submission template by assessing their controls against the framework. We currently use Version 1.1 of the NIST framework, which equates to 108 cyber-related controls.

Completed templates are submitted through our secure Insight platform. Participants are also asked to provide information on control attributes, including:

  • Whether they are automated
  • Whether they are preventive, corrective, detective or directive
  • Whether they are operated internally or externally
  • What risks they manage

Similarly, participants are asked to provide an assessment of their cyber-related indicators based on our bespoke indicators aligned to the functions of the NIST framework. We collect and compile associated indicator attributes, including:

  • How frequently they are monitored
  • Whether they are leading or lagging
  • Where they are typically reported
  • Whether they are manually operated
  • What risks they manage

The ORX Cyber Controls and Indicators Benchmark is available to ORX Cyber subscribers and ORX members.

If your firm is a subscriber or a member, log in or register to find out more and take part.

Not an ORX Cyber subscriber? Find out more about the service and how it could benefit your firm.
