Security Basics mailing list archives

Measuring Risk Assessment


From: shankarnarayan.d () netsol co in
Date: 21 Sep 2005 11:07:21 -0000

Hi,

We have successfully enabled an organization to achieve BS7799. We have conducted a Qualitative Risk Assessment for the different IT assets.

As a part of periodic improvements, the client periodically adds additional security measures, tweaks current controls, etc. The client now wants to measure the effectiveness of adopting these controls to show visible proof to his management about the effectiveness of these controls and maybe adopting the standard.

Can I get some suggestions (irrespective of whether it is relevant to BS7799 or not) as to how this client may show improvements to his management? Specifically, any metrics on how he may show effectiveness w/ respect to the "qualitative risk assessment". When he first implemented the Risk Treatment plan, he could show significant risk reduction, but (as an example) tweaks and changes now don't reduce a risk which is "High" to "Medium"; they only bring it a few notches lower, but still in "High".

Any inputs would be greatly appreciated. I am looking for something apart from standard inputs like comparing the number of vulnerabilities / security issues faced, measuring the hits on the firewall / IDS, etc.

Thanks,
Shankar
