kpi
Proportion of information security risks for which satisfactory controls have been fully implemented
The first thing to do is to define what you mean by the “controls fully implemented.” Obviously, you can track this by some activity-related metricĀ (like required employees were informed and trained), or you can track it by some outcome-related metrics, for example, something that would independently confirm that your employees were trained well enough.