Glossary

KPI (Key Performance Indicator)

A KPI (Key Performance Indicator) is a measurable metric that shows how effectively a security control or process is performing. ISO 27001 clause 9.1 requires you to define what is monitored and measured. Typical ISMS KPIs include mean response time for security incidents, the percentage of systems patched on time, awareness training completion rates, and the number of open nonconformities. Good KPIs have a clear threshold that triggers action when breached. Too many KPIs dilute attention — focus on the most meaningful indicators for your ISMS.