CapGRC

The 10 essential risk indicators for your CISO dashboard

An effective GRC dashboard is not measured by the number of indicators displayed, but by their relevance to decision-making. Here are the 10 KRIs every CISO should monitor and how to calculate them.

7 min read · February 8, 2026

Boards and executive teams increasingly ask CISOs to justify security budgets and investments with concrete data. The challenge? Choosing the right indicators from among hundreds of possibilities, and presenting them in an intelligible way to non-technical stakeholders. A good GRC dashboard tells a story: that of your organization's risk level and the effectiveness of your controls.

Fundamental principle

A KRI (Key Risk Indicator) should be predictive, not just retrospective. It must signal deterioration before an incident occurs, not only after. Choose indicators that allow you to act in time.

KRI 1–2: Risk and coverage

  • KRI 1 — Average portfolio residual risk: average risk score after applying controls. Target: stable or decreasing. Alert threshold: >10% increase in a quarter.
  • KRI 2 — Critical risk coverage rate: % of critical risks with an active treatment plan. Target: 100%. Alert threshold: any critical risk without an action plan.

KRI 3–5: Compliance and audits

  • KRI 3 — Overall compliance rate by framework: % of requirements met (ISO 27001, Law 25, PCI-DSS). Target: >90% for active frameworks.
  • KRI 4 — Non-conformity remediation time: average time between identifying and closing a gap. Target: <30 days for major gaps.
  • KRI 5 — Scheduled audit completion rate: % of audits completed on time. Target: >95%. A low rate reveals underfunding or lack of resources.

KRI 6–8: Incidents and response

  • KRI 6 — Number of incidents per quarter (trend): more than the absolute number, the trend is what matters. A sustained increase indicates a deteriorating posture.
  • KRI 7 — MTTD and MTTR (Mean Time To Detect / Respond): average detection and response time. Industry targets: MTTD <24h, MTTR <72h for significant incidents.
  • KRI 8 — Third-party incident rate: % of incidents where a vendor was involved. Indicator of the quality of your third-party risk management program.

KRI 9–10: Maturity and culture

  • KRI 9 — Overall GRC maturity score (1–5): assessment of your GRC program maturity on a standardized scale. Enables communicating progress to management.
  • KRI 10 — Cybersecurity training completion rate: % of staff who completed the mandatory annual training. Target: >95%. Required by ISO 27001 and strongly recommended by the CCCS.
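As an added worked example (not CapGRC's own code), the following computes KRI 1, KRI 2 and KRI 7 from a constructed risk register and incident list, applying the alert thresholds stated above; the data fields, the severity label "critical" and the MTTR window (detection to resolution) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

@dataclass
class Risk:
    name: str
    severity: str           # assumed labels: "critical", "high", "medium"
    residual_score: float   # risk score after applying controls
    has_treatment_plan: bool

@dataclass
class Incident:
    occurred: datetime
    detected: datetime
    resolved: datetime
    significant: bool

def kri1_residual_risk(current, previous):
    """Average residual risk; alert when it rose more than 10% quarter over quarter."""
    now, prev = mean(r.residual_score for r in current), mean(r.residual_score for r in previous)
    return round(now, 2), (now - prev) / prev > 0.10

def kri2_critical_coverage(risks):
    """Share of critical risks with an active treatment plan; any uncovered one is an alert."""
    critical = [r for r in risks if r.severity == "critical"]
    covered = sum(1 for r in critical if r.has_treatment_plan)
    rate = 100.0 * covered / len(critical) if critical else 100.0
    return rate, covered < len(critical)

def kri7_mttd_mttr(incidents):
    """Mean hours to detect and to respond over significant incidents; alert if MTTD > 24h or MTTR > 72h."""
    sig = [i for i in incidents if i.significant]
    hours = [((i.detected - i.occurred).total_seconds() / 3600,   # detection window
              (i.resolved - i.detected).total_seconds() / 3600) for i in sig]  # response window (assumed)
    mttd, mttr = mean(d for d, _ in hours), mean(r for _, r in hours)
    return round(mttd, 1), round(mttr, 1), mttd > 24 or mttr > 72

# Constructed sample data: two quarters of a small risk register and one quarter of incidents.
PREVIOUS = [Risk("Phishing", "high", 4.0, True), Risk("Ransomware", "critical", 6.0, True),
            Risk("Vendor outage", "high", 5.0, True), Risk("Insider misuse", "medium", 5.0, False)]
CURRENT = [Risk("Phishing", "high", 6.0, True), Risk("Ransomware", "critical", 7.0, True),
           Risk("Vendor outage", "high", 5.0, True), Risk("Cloud misconfig", "critical", 5.0, False)]
T0 = datetime(2026, 1, 10, 8, 0)
def _inc(start_h, detect_h, resolve_h, significant):
    """Build a constructed incident from hour offsets relative to T0."""
    return Incident(*(T0 + timedelta(hours=h) for h in (start_h, detect_h, resolve_h)), significant)

INCIDENTS = [_inc(0, 6, 30, True), _inc(120, 174, 234, True), _inc(216, 217, 218, False)]
```

With this data KRI 1 rises from 5.0 to 5.75 (a 15% increase, so it alerts), KRI 2 shows one critical risk without a plan (50% coverage, alert), and KRI 7 gives MTTD 30h and MTTR 42h, alerting on the detection target only.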

CapGRC automatically calculates your KRIs

Real-time CISO dashboard with your 10 key indicators, trend visualization and automatic alerts.