The recently updated ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements. It explains how to develop and operate measurement processes, and how to assess and report the results of a set of information security metrics.
Prof. Edward Humphreys, Convenor of the working group that developed the standard (ISO/IEC JTC 1/SC 27), says: “Cyber-attacks are among the greatest risks an organization can face. This is why the much improved version of ISO/IEC 27004 provides essential and practical support to the many organizations that are implementing ISO/IEC 27001 to protect themselves from the growing diversity of security attacks that business is facing today.”
Security metrics can provide insights regarding the effectiveness of an ISMS and, as such, have taken centre stage. Whether you’re an engineer or consultant responsible for security and reporting to management or an executive who needs better information for decision making, security metrics have become an important vehicle for communicating the state of an organization’s cyber risk posture.
In Prof. Humphreys’ own words, “Organizations need help to address the question of whether the organization’s investment in information security management is effective, fit for purpose to react, defend and respond to the continually changing cyber-risk environment. This is where ISO/IEC 27004 can provide numerous advantages.”
ISO/IEC 27004:2016 shows how to construct an information security measurement programme, how to select what to measure, and how to operate the necessary measurement processes. It includes extensive examples of different types of measures, and how the effectiveness of these measures can be assessed.
Among the many benefits to organizations of using ISO/IEC 27004 are:
ISO/IEC 27004:2016 replaces the 2009 edition; it has been updated and extended to align with the revised version of ISO/IEC 27001:2013 to provide organizations with greater added value and confidence.