Control 1-1-2 of the Essential Cybersecurity Controls (ECC – 2 : 2024) under the Compliance Framework mandates that organizations not only build an ECC roadmap but also measure progress and success against it using consistent KPIs and evidence-based reporting. This post explains how to define those KPIs, collect the necessary data, build practical dashboards, and operationalize reporting so small and midsize organizations can demonstrate continual compliance and risk reduction.
Define KPIs that map to control objectives and evidence requirements
Start by mapping Control 1-1-2 objectives and your Compliance Framework evidence requirements to a small set (5–8) of KPIs. Each KPI should have a clear owner, data source, calculation method, target threshold and collection frequency. Practical KPI examples tied to ECC roadmap execution include: percentage of roadmap milestones implemented, percent of required controls with evidence uploaded, average time-to-remediate (TTR) security gaps, weekly vulnerability closure rate, and control maturity index (CMI) by control family. Define each KPI as a formula (e.g., % controls implemented = implemented_controls / total_controls * 100) and store that definition in your compliance register so auditors can trace the calculation back to the raw data.
Sample KPIs, formulas and data sources
Here are concrete KPIs and where to get the data:
1) Roadmap Completion (%) = COUNT(controls.status="Implemented") / COUNT(all roadmap items) * 100. Data from your project tracker (Jira/GitHub Projects/Google Sheet).
2) Evidence Coverage (%) = COUNT(controls.evidence_uploaded = TRUE) / COUNT(controls.in_scope) * 100. Data from the compliance repository (SharePoint, Confluence, or a simple folder structure indexed by script).
3) Mean Time To Remediate (days) = AVG(close_date - open_date for vulnerabilities). Data from the ticketing system or vulnerability scanner (e.g., OpenVAS, Nessus, Qualys) and ITSM (e.g., ServiceNow, Freshservice).
4) Vulnerability Remediation Rate (%) per month = (vulns_closed_last_30_days / vulns_opened_last_30_days) * 100. Track via scanner APIs and a cron job that stores daily snapshots.
For small businesses, these data sources can be a mix of free scanners, ticketing CSV exports, and a central Google Sheet or lightweight database.
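As an added illustration (not code from the original post), KPIs 2 to 4 computed in Python from a constructed control register and vulnerability export; roadmap completion is left to the SQL shown later in the post. Field names such as in_scope, evidence_uploaded and severity are assumptions about how the register is laid out, and the functions return None rather than dividing by zero when a period has no data.

```python
from datetime import date, timedelta

# Constructed sample control register and vulnerability export (not real data).
CONTROLS = [
    {"control_id": "ECC-1-1-2", "in_scope": True, "evidence_uploaded": True},
    {"control_id": "ECC-1-2-1", "in_scope": True, "evidence_uploaded": False},
    {"control_id": "ECC-2-3-1", "in_scope": True, "evidence_uploaded": True},
    {"control_id": "ECC-4-1-1", "in_scope": False, "evidence_uploaded": False},
]
VULNS = [  # closed=None means the finding is still open
    {"id": "V1", "severity": "High", "opened": date(2024, 5, 1), "closed": date(2024, 5, 11)},
    {"id": "V2", "severity": "Medium", "opened": date(2024, 5, 20), "closed": date(2024, 6, 4)},
    {"id": "V3", "severity": "High", "opened": date(2024, 6, 2), "closed": None},
    {"id": "V4", "severity": "Low", "opened": date(2024, 6, 10), "closed": date(2024, 6, 12)},
]
AS_OF = date(2024, 6, 15)  # reporting date for the constructed snapshot

def evidence_coverage(controls):
    """Evidence Coverage (%) over in-scope controls; 0.0 when nothing is in scope."""
    in_scope = [c for c in controls if c["in_scope"]]
    if not in_scope:
        return 0.0
    return sum(c["evidence_uploaded"] for c in in_scope) / len(in_scope) * 100

def mean_time_to_remediate(vulns, severity=None):
    """MTTR in days over closed findings, optionally for one severity; None if none closed.
    Open findings are excluded so they cannot shrink the average."""
    closed = [v for v in vulns if v["closed"] is not None
              and (severity is None or v["severity"] == severity)]
    if not closed:
        return None
    return sum((v["closed"] - v["opened"]).days for v in closed) / len(closed)

def remediation_rate(vulns, as_of, window_days=30):
    """Closed / opened within the trailing window, as a percentage.
    Returns None when nothing was opened, rather than dividing by zero."""
    start = as_of - timedelta(days=window_days)
    opened = sum(1 for v in vulns if start < v["opened"] <= as_of)
    closed = sum(1 for v in vulns if v["closed"] is not None and start < v["closed"] <= as_of)
    return None if opened == 0 else closed / opened * 100

def kpi_snapshot(controls, vulns, as_of):
    """One row for the compliance register: every KPI with its as-of date."""
    return {
        "as_of": as_of.isoformat(),
        "evidence_coverage_pct": round(evidence_coverage(controls), 1),
        "mttr_days_all": mean_time_to_remediate(vulns),
        "mttr_days_high": mean_time_to_remediate(vulns, "High"),
        "remediation_rate_pct": remediation_rate(vulns, as_of),
    }
```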
Implementation: tooling, automation and dashboards
Practical implementation for small organizations should emphasize automation and reproducibility. Use scanner APIs (OpenVAS/Nmap/OWASP ZAP) to export vulnerability counts nightly to a CSV or a small PostgreSQL database. Use your project tracker API (Jira/GitHub) to pull control implementation statuses and evidence links.
A simple pipeline: cron job → API pulls → normalize fields (control_id, status, evidence_url, owner, timestamp) → write to DB → scheduled SQL queries to compute KPIs → push results to a dashboard (Grafana, Power BI, or Google Data Studio).
Example SQL to compute roadmap completion:
SELECT (SUM(CASE WHEN status='Implemented' THEN 1 ELSE 0 END)::float / COUNT(*)) * 100 AS roadmap_completion FROM controls WHERE control_family='ECC';
Automate exports and store raw exports with timestamps for audit trails.
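An added example, not the post's own code, of the normalize-then-query step of that pipeline: two constructed exports in different shapes are flattened into the controls table, the raw payloads are kept with a timestamp for the audit trail, and the post's roadmap-completion query is run against SQLite (which has no ::float cast, so the division is forced with 100.0). The export field names and deriving control_family from the control_id prefix are assumptions.

```python
import json
import sqlite3

# Constructed exports in two shapes: a Jira-style issue list and a Google Sheet row list.
# Field names are hypothetical, not any tracker's real schema.
JIRA_EXPORT = [
    {"key": "SEC-101", "control": "ECC-1-1-2", "status": "Done", "assignee": "alice", "evidence": "https://evidence.example/1"},
    {"key": "SEC-102", "control": "ECC-1-2-1", "status": "In Progress", "assignee": "bob", "evidence": None},
]
SHEET_EXPORT = [
    {"Control ID": "ECC-2-3-1", "Status": "implemented", "Owner": "carol", "Evidence URL": "https://evidence.example/3"},
    {"Control ID": "ECC-4-1-1", "Status": "Not Started", "Owner": "", "Evidence URL": ""},
]
# Map each source's status vocabulary onto the register's canonical values.
STATUS_MAP = {"done": "Implemented", "implemented": "Implemented", "in progress": "In Progress", "not started": "Not Started"}

SCHEMA = """
CREATE TABLE controls (control_id TEXT, control_family TEXT, status TEXT, evidence_url TEXT, owner TEXT, pulled_at TEXT);
CREATE TABLE raw_exports (source TEXT, pulled_at TEXT, payload TEXT);
"""
# Same query as the post's PostgreSQL version; SQLite lacks ::float, so 100.0 forces float division.
ROADMAP_COMPLETION_SQL = """
SELECT SUM(CASE WHEN status='Implemented' THEN 1 ELSE 0 END) * 100.0 / COUNT(*)
FROM controls WHERE control_family='ECC'
"""

def normalize(jira_rows, sheet_rows, pulled_at):
    """Flatten both exports to (control_id, family, status, evidence_url, owner, pulled_at).
    The family is taken from the id prefix, an assumption about the naming scheme."""
    out = []
    for r in jira_rows:
        out.append((r["control"], r["control"].split("-")[0], STATUS_MAP[r["status"].lower()],
                    r["evidence"], r["assignee"], pulled_at))
    for r in sheet_rows:
        out.append((r["Control ID"], r["Control ID"].split("-")[0], STATUS_MAP[r["Status"].lower()],
                    r["Evidence URL"] or None, r["Owner"] or None, pulled_at))
    return out

def run_pipeline(pulled_at, jira_rows=JIRA_EXPORT, sheet_rows=SHEET_EXPORT):
    """Store raw exports for the audit trail, load normalized rows, compute the KPI."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO raw_exports VALUES (?,?,?)",
                     [("jira", pulled_at, json.dumps(jira_rows)), ("sheet", pulled_at, json.dumps(sheet_rows))])
    conn.executemany("INSERT INTO controls VALUES (?,?,?,?,?,?)", normalize(jira_rows, sheet_rows, pulled_at))
    completion = conn.execute(ROADMAP_COMPLETION_SQL).fetchone()[0]
    raw_count = conn.execute("SELECT COUNT(*) FROM raw_exports").fetchone()[0]
    conn.close()
    return completion, raw_count
```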
Reporting cadence, audience and governance
Define reporting cadence tied to stakeholder needs: operational KPIs for the SOC/IT team weekly, program-level KPIs for the CISO monthly, and executive scorecards quarterly. Assign KPI owners and a RACI so there is no ambiguity about who validates the data and who presents it. Include thresholds and traffic-light rules (green/amber/red) and escalation paths when KPIs cross defined tolerances. For example, if Mean Time To Remediate exceeds 30 days for high-risk findings, automatically create an escalation ticket to the CISO and include the incident in the next board report.
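An added example (not from the original post) of the traffic-light and escalation rules applied to a constructed monthly KPI snapshot; the threshold values and the "better" direction flag are assumptions chosen for illustration, matching the 30-day high-risk MTTR trigger above. A KPI with no data for the period is reported as grey rather than silently passing as green.

```python
# Constructed KPI rules: "better" says whether a higher or lower value is good;
# "green" and "amber" are the tolerance boundaries (values here are assumptions).
KPI_RULES = {
    "roadmap_completion_pct": {"better": "higher", "green": 80, "amber": 60},
    "evidence_coverage_pct": {"better": "higher", "green": 90, "amber": 75},
    "mttr_days_high": {"better": "lower", "green": 14, "amber": 30},
    "mttr_days_all": {"better": "lower", "green": 21, "amber": 45},
}
# Constructed monthly snapshot as a pipeline would write it; None = no data this period.
SNAPSHOT = {"roadmap_completion_pct": 72.0, "evidence_coverage_pct": 93.3,
            "mttr_days_high": 34.0, "mttr_days_all": None}

def rag_status(value, rule):
    """Classify one KPI value as green/amber/red; missing data is 'grey', never green."""
    if value is None:
        return "grey"
    if rule["better"] == "higher":
        if value >= rule["green"]:
            return "green"
        return "amber" if value >= rule["amber"] else "red"
    if value <= rule["green"]:
        return "green"
    return "amber" if value <= rule["amber"] else "red"

def evaluate(snapshot, rules, period):
    """Return (scorecard, escalations). Every red KPI produces an escalation record
    naming the breached tolerance so the ticket and board report carry the evidence."""
    scorecard, escalations = {}, []
    for name, rule in rules.items():
        status = rag_status(snapshot.get(name), rule)
        scorecard[name] = status
        if status == "red":
            escalations.append({
                "period": period, "kpi": name, "value": snapshot[name],
                "tolerance": rule["amber"],
                "action": "open escalation ticket to CISO; include in next board report",
            })
    return scorecard, escalations
```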
Real-world small-business scenario: imagine a retail company of 40 employees with constrained budget and no SIEM. They can implement Control 1-1-2 by (1) creating a single Google Sheet as the canonical control register, (2) using OpenVAS weekly scans and exporting CSVs, (3) using Zapier or simple Python scripts to append scan results and ticket closures to the sheet, (4) building a Google Data Studio dashboard that reflects roadmap completion, vulnerability trends, and evidence coverage, and (5) scheduling a monthly 15-minute compliance review with the owner, IT lead and CEO to review the dashboard and update priorities. This approach provides auditable exports and a demonstrable pattern of measurement without heavy tooling costs.
Compliance tips and best practices: keep KPI definitions immutable—store them in a version-controlled document (Git or Confluence with version history). Retain raw exports for at least your audit retention period (commonly 1–3 years). Use consistent timestamps and timezone settings for automated pulls so trend lines align. Where possible, derive KPIs from machine-readable sources (APIs) rather than manual entry; if manual entry is necessary, require two-person verification for key fields (owner + approver) and log the approver and timestamp. Implement automated alerts when KPIs degrade and include links to supporting artifacts in every report to speed audit verification.
Risk of not implementing this requirement: without consistent KPIs and reporting, organizations lose visibility into roadmap health, fail to prioritize remediation effectively, and cannot provide auditors or senior leaders with objective evidence that controls are being implemented. This results in extended exposure to known vulnerabilities, potential regulatory penalties, failed audits, and poor allocation of scarce security resources. For small businesses, the most immediate risk is a preventable breach caused by an unaddressed high-severity vulnerability that was invisible due to poor measurement practices.
Summary — implementing Control 1-1-2 is about turning intention into measurable action: define clear, auditable KPIs that map to ECC controls, automate data collection from scanners, ticketing and project trackers, establish a reporting cadence with owners and escalation paths, and present evidence-backed dashboards to stakeholders. Even small organizations with minimal budgets can implement practical pipelines (API pulls + Google Sheets/Data Studio or simple DB + Grafana) to demonstrate progress, reduce risk, and satisfy Compliance Framework audit expectations.