Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Performance Measurement Guide for Information Security



Elizabeth Chew, Marianne M. Swanson, Kevin M. Stine, N Bartol, Anthony Brown, W Robinson


This document provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional security protection resources or identify and evaluate nonproductive controls. It explains the metric development and implementation process and how it can also be used to adequately justify security control investments. The results of an effective metric program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports. [Supersedes SP 800-55 (August 2003):]
Special Publication (NIST SP) - 800-55 Rev 1
Report Number
800-55 Rev 1


information security, metrics, measures, security controls, performance, reports


Chew, E. , Swanson, M. , Stine, K. , Bartol, N. , Brown, A. and Robinson, W. (2008), Performance Measurement Guide for Information Security, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed July 19, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created July 16, 2008, Updated February 19, 2017