SIO consider information as an asset which needs to be secured against ever-changing threat scenarios by improving information security strategies and controls. There is a quote 1cIf you cannot measure it, you cannot improve it". To improve the effectiveness and protection of business information, SIO set up a process for periodically identify security weakness and measure performance of information security controls/processes; SIO defined information security performance measurement metrics and supporting processes for collection and analysis of meaningful and quantifiable data to measure the security posture of SIO. Metrics were defined based on the SIO 19s requirements for management to identify areas for improvement and formulate security strategies for continuously improving the security control and processes.