The Center for Internet Security (CIS) has released their Consensus Metric Definitions v1.0.0.

This document contains twenty (20) metric definitions for six (6) important business functions: Incident Management, Vulnerability Management, Patch Management, Application Security, Configuration Management and Financial Metrics. Additional consensus metrics are currently being defined for these and additional business functions.

When the metrics changed, the tools which CIS offered became obsolete. Watch for updated tools.

On a related note: your internal controls should consist of both preventative controls and detective controls for each of your control objectives. The control objectives would be:

1. Authorization,
2. Completeness,
3. Accuracy,
4. Validity,
5. Physical safeguards and security,
6. Error handling, and
7. Segregation of duties.

Sometimes also mentioned are “corrective controls.” When detective controls reveal a deviation, your corrective controls are supposed to be used.

That is, preventative controls and detective controls are in place continuously, while corrective controls are invoked as necessary. On the one hand, you should have plans for corrective measures. On the other hand, referring to these plans as “controls” muddles the notion of a control. “Corrective measures” seems like a more appropriate phrase.
