
How to Measure KPIs and Reporting to Prove Compliance with Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-9-1 for Personnel Security

Practical guidance on defining KPIs, collecting evidence, and building repeatable reports to prove compliance with ECC‑2:2024 Control 1‑9‑1 (Personnel Security) for small and growing organisations.

April 22, 2026

Control 1-9-1 of ECC – 2 : 2024 mandates personnel security measures to ensure that staff, contractors and third parties granted access to systems are appropriately vetted, authorised and monitored; this post explains exactly which KPIs to track, how to collect and automate evidence, and how to build reports that demonstrate compliance to auditors and stakeholders in a small-business context.

Why KPIs and reporting matter for Personnel Security

KPIs translate policy into measurable outcomes. For ECC‑2:2024, auditors want proof that personnel security controls are consistently applied, not just policy text. Well-defined KPIs (for vetting, onboarding, training, access provisioning, offboarding and privileged access reviews) let you show trend lines, SLA conformance and remediation actions. For small businesses where resources are limited, KPIs also help prioritise the automation and process changes that eliminate the highest operational risks.

Core KPIs to measure for ECC 2:2024 Control 1-9-1

Define a concise set of KPIs mapped to the control objectives. Examples tailored to Control 1-9-1 include:

1) Background check completion rate within the required window (target 100% within 10 business days of offer acceptance);
2) Security training completion rate within 30 days of start date (target ≥95%);
3) Time-to-revoke access after termination (target ≤1 hour for privileged accounts, ≤8 hours for standard accounts);
4) Percentage of accounts with MFA enforced (target 100%);
5) Frequency and completion rate of role/access reviews (quarterly, ≥95% completion);
6) Percentage of contractors/vendors with a signed security agreement before access is granted (target 100%).

Each KPI should have a definition, a measurement method, a data source and a target threshold.

Practical implementation: data sources and measurement methods

Use the systems you already have: HRIS/Workday for onboarding and offboarding dates, IAM/AD/Azure AD/Okta for account lifecycle and MFA status, an LMS for training completions, and ticketing/ITSM for access requests and change logs. For small businesses without these suites, combine Google Workspace user reports, a simple HR spreadsheet, and an LMS such as TalentLMS or Google Classroom. Implement SCIM or API provisioning where possible so you can automatically correlate HR events with IAM events (e.g., an employee termination in HR triggers a timestamped API call to disable the account). Store raw logs (auth events, provisioning API calls) for at least the retention period your compliance framework requires.

Example scenario: a 50-person SaaS startup

Imagine a 50-employee startup using Google Workspace, GitHub, and AWS. Implement these steps:

1) Agree that the HR owner records onboarding and termination dates in a single Google Sheet or HRIS;
2) Integrate Google Workspace and GitHub with Okta for SSO and SCIM provisioning;
3) Enforce MFA via Okta policy and capture MFA enrollment reports weekly;
4) Use an LMS to track security training and export completion CSVs weekly;
5) Create a monthly "Personnel Security Compliance Dashboard" (Looker Studio, formerly Google Data Studio) that pulls HR dates, Okta account statuses, MFA percentages and LMS completion rates to compute the KPIs.

For evidence, include signed offer letters and background check results linked to HR file IDs and cross-referenced to account activation timestamps from Okta logs.
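The following is an added worked example, not code from the original post or from any vendor named above. It implements the KPI definitions from the section above (background-check window, training window, time-to-revoke by account type, MFA coverage, contractor agreements) over constructed HR, IAM and LMS exports of the shape a small startup could produce from a spreadsheet, Okta-style account reports and LMS completion CSVs. All people, dates and record fields are hypothetical, and no real system's export schema is assumed. Each KPI returns its value together with the exception list an auditor would drill into, including the correlation edge cases: a missing background check, a termination never mirrored in IAM (an orphaned account), and a revocation outside the SLA.

```python
"""KPI calculator for ECC-2:2024 Control 1-9-1 personnel security metrics.

Constructed sample data only; record shapes are hypothetical stand-ins for an
HRIS sheet, an IAM account report and an LMS completion export.
"""
from datetime import date, datetime, timedelta

REPORT_DATE = date(2026, 4, 22)  # "as of" date for the monthly dashboard (constructed)

# HRIS export (constructed): one row per person; "terminated" is a timestamp or None.
HR = [
    {"id": "E001", "type": "employee", "offer_accepted": date(2026, 3, 2), "start": date(2026, 3, 16),
     "terminated": None, "bg_check_completed": date(2026, 3, 10), "agreement_signed": True},
    {"id": "E002", "type": "employee", "offer_accepted": date(2026, 3, 2), "start": date(2026, 3, 16),
     "terminated": None, "bg_check_completed": date(2026, 3, 20), "agreement_signed": True},  # check late
    {"id": "E003", "type": "employee", "offer_accepted": date(2026, 1, 5), "start": date(2026, 1, 19),
     "terminated": datetime(2026, 4, 1, 17, 0), "bg_check_completed": date(2026, 1, 9), "agreement_signed": True},
    {"id": "E004", "type": "employee", "offer_accepted": date(2026, 1, 5), "start": date(2026, 1, 19),
     "terminated": datetime(2026, 4, 10, 18, 0), "bg_check_completed": date(2026, 1, 12), "agreement_signed": True},
    {"id": "C001", "type": "contractor", "offer_accepted": date(2026, 2, 2), "start": date(2026, 2, 9),
     "terminated": datetime(2026, 4, 3, 12, 0), "bg_check_completed": None, "agreement_signed": False},
]
# IAM account report (constructed): status, privilege tier, MFA enrolment, disable timestamp.
IAM = [
    {"user": "E001", "privileged": True, "mfa": True, "status": "active", "disabled_at": None},
    {"user": "E002", "privileged": False, "mfa": False, "status": "active", "disabled_at": None},
    {"user": "E003", "privileged": True, "mfa": True, "status": "disabled", "disabled_at": datetime(2026, 4, 1, 17, 40)},
    {"user": "E004", "privileged": False, "mfa": True, "status": "active", "disabled_at": None},  # orphaned
    {"user": "C001", "privileged": False, "mfa": True, "status": "disabled", "disabled_at": datetime(2026, 4, 4, 9, 0)},
]
# LMS completion export (constructed): one row per completed course.
LMS = [
    {"user": "E001", "course": "security-awareness", "completed": date(2026, 4, 1)},
    {"user": "E003", "course": "security-awareness", "completed": date(2026, 2, 2)},
    {"user": "E004", "course": "security-awareness", "completed": date(2026, 1, 30)},
    {"user": "C001", "course": "security-awareness", "completed": date(2026, 2, 20)},
]
TARGETS = {"background_check_on_time_pct": 100.0, "training_on_time_pct": 95.0, "mfa_enforced_pct": 100.0,
           "revocation_within_sla_pct": 100.0, "contractor_agreements_pct": 100.0}


def pct(num, den):
    """Percentage rounded to one decimal; an empty population counts as vacuously met."""
    return round(100.0 * num / den, 1) if den else 100.0


def business_days_between(start, end):
    """Mon-Fri days after `start` up to and including `end` (no public-holiday calendar)."""
    days, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        days += cur.weekday() < 5
    return days


def kpi_background_checks(hr, window_days=10):
    exceptions = []
    for p in hr:
        done = p["bg_check_completed"]
        if done is None:
            exceptions.append((p["id"], "no background check on file"))
        elif business_days_between(p["offer_accepted"], done) > window_days:
            exceptions.append((p["id"], f"completed after {business_days_between(p['offer_accepted'], done)} business days"))
    return pct(len(hr) - len(exceptions), len(hr)), exceptions


def kpi_training(hr, lms, as_of, window_days=30, course="security-awareness"):
    completed = {r["user"]: r["completed"] for r in lms if r["course"] == course}
    due = [p for p in hr if p["start"] + timedelta(days=window_days) <= as_of]  # only people whose window has closed
    exceptions = []
    for p in due:
        done = completed.get(p["id"])
        if done is None:
            exceptions.append((p["id"], "training not completed"))
        elif (done - p["start"]).days > window_days:
            exceptions.append((p["id"], f"completed {(done - p['start']).days} days after start"))
    return pct(len(due) - len(exceptions), len(due)), exceptions


def kpi_mfa(iam):
    active = [a for a in iam if a["status"] == "active"]
    exceptions = [(a["user"], "MFA not enrolled") for a in active if not a["mfa"]]
    return pct(len(active) - len(exceptions), len(active)), exceptions


def kpi_revocation(hr, iam, sla_hours=(1, 8)):
    """Correlate HR terminations with IAM disable timestamps; SLA is (privileged, standard) hours."""
    by_user = {a["user"]: a for a in iam}
    terminated = [p for p in hr if p["terminated"] is not None and p["id"] in by_user]
    exceptions = []
    for p in terminated:
        acct = by_user[p["id"]]
        limit = sla_hours[0] if acct["privileged"] else sla_hours[1]
        if acct["status"] != "disabled" or acct["disabled_at"] is None:
            exceptions.append((p["id"], "account still enabled after termination"))
            continue
        hours = (acct["disabled_at"] - p["terminated"]).total_seconds() / 3600
        if hours > limit:
            exceptions.append((p["id"], f"revoked after {hours:.1f} h (SLA {limit} h)"))
    return pct(len(terminated) - len(exceptions), len(terminated)), exceptions


def kpi_contractor_agreements(hr):
    contractors = [p for p in hr if p["type"] == "contractor"]
    exceptions = [(p["id"], "no signed security agreement") for p in contractors if not p["agreement_signed"]]
    return pct(len(contractors) - len(exceptions), len(contractors)), exceptions


def build_report(hr, iam, lms, as_of):
    """KPI summary (value, target, met) plus the exception drill-down for each metric."""
    raw = {"background_check_on_time_pct": kpi_background_checks(hr), "training_on_time_pct": kpi_training(hr, lms, as_of),
           "mfa_enforced_pct": kpi_mfa(iam), "revocation_within_sla_pct": kpi_revocation(hr, iam),
           "contractor_agreements_pct": kpi_contractor_agreements(hr)}
    return {name: {"value": v, "target": TARGETS[name], "met": v >= TARGETS[name], "exceptions": ex}
            for name, (v, ex) in raw.items()}


if __name__ == "__main__":
    for name, row in build_report(HR, IAM, LMS, REPORT_DATE).items():
        flag = "OK " if row["met"] else "GAP"
        print(f"{flag} {name:<30} {row['value']:>6.1f}% (target {row['target']}%)")
        for who, why in row["exceptions"]:
            print(f"      - {who}: {why}")
```

Running the block prints one line per KPI with an OK/GAP flag and the exceptions beneath it, which is the shape of the "summary page plus drill-down" described later in the post. Swap the constructed lists for rows read from your real exports; the `kpi_revocation` function is deliberately driven by the HR termination list rather than the IAM disable list, so an account that HR says is gone but IAM still shows active surfaces as an exception instead of silently dropping out of the metric.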

Reporting format and audit-ready evidence

Design reports to answer auditor questions quickly: "Who had access, why, when, and how was it revoked?" Your report should have a KPI summary page (current value, target, trend), a drill-down to exceptions (employees without completed checks or training), and an evidence package (sample personnel files, IAM logs, API call IDs, offboarding tickets). Include timestamps and unique IDs so auditors can trace an event end-to-end. For routine evidence retention, export CSVs from IAM and LMS monthly and store them in an immutable, access-controlled archive (S3 with versioning and CMEK or an on-premises WORM solution depending on your risk profile).

Compliance tips, thresholds and automation best practices

Make KPIs meaningful: avoid "vanity metrics" (e.g., simply counting users) and instead track SLA-driven measures. Set realistic thresholds (95–100% depending on risk). Automate tasks that cause the biggest failures: offboarding automation (terminate sessions, revoke tokens, disable MFA, remove from groups) and periodic access reviews using automated email attestations or IAM reports to owners. Configure alerts for KPI breaches (e.g., training completion <90% triggers a remediation workflow). Document exceptions and compensating controls for any permanent gaps (for example, a contractor who cannot get a background check but is limited to segmented, low‑risk resources).

Risks of not implementing the requirement

Failing to measure and report personnel security KPIs increases the chance of insider misuse, prolonged access for departed employees, credential compromise, and regulatory penalties. Small businesses risk losing customer trust and facing expensive incident response when rogue or orphaned accounts are used to exfiltrate data. Auditors will flag inconsistent enforcement or missing evidence, which can lead to failed assessments and contractual breaches with customers who require compliance attestation.

In summary, proving compliance with ECC – 2 : 2024 Control 1-9-1 requires selecting a focused set of KPIs tied to onboarding, training, access provisioning and offboarding; instrumenting your HR, IAM and LMS systems to produce reliable data; automating evidence collection where possible; and building concise, auditor-friendly reports that show current status, trends and remediation activity. For small businesses, prioritize automation for offboarding and MFA enforcement, keep a compact evidence repository, and treat KPI-driven workflows as living processes you iterate on every quarter.
