ISO/IEC 27004:2009(E)

First edition 2009-12-15
ISO/IEC 27004 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques

This International Standard provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.

Information technology — Security techniques — Information security management — Measurement

This would include policy, information security risk management, control objectives, controls, processes and procedures, and support the process of its revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved. It needs to be kept in mind that no measurement of controls can guarantee complete security.

The implementation of this approach constitutes an Information Security Measurement Programme. The Information Security Measurement Programme will assist management in identifying and evaluating noncompliant and ineffective ISMS processes and controls and prioritizing actions associated with improvement or changing these processes and/or controls. It may also assist the organization in demonstrating ISO/IEC 27001 compliance and provide additional evidence for management review and information security risk management processes.

This International Standard ISO/IEC 27004 assumes that the starting point for the development of measures and measurement is a sound understanding of the information security risks that an organization faces, and that an organization’s risk assessment activities have been performed correctly (i.e. based on ISO/IEC 27005), as required by ISO/IEC 27001. The Information Security Measurement Programme will encourage an organization to provide reliable information to relevant stakeholders concerning its information security risks and the status of the implemented ISMS to manage these risks.

Effectively implemented, the Information Security Measurement Programme would improve stakeholder confidence in measurement results, and enable the stakeholders to use these measures to effect continual improvement of information security and the ISMS.

The accumulated measurement results will allow comparison of progress in achieving information security objectives over a period of time as part of an organization’s ISMS continual improvement process.

This International Standard gives recommendations concerning the following activities as a basis for an organization to fulfil measurement requirements specified in ISO/IEC 27001:

1. developing measures (i.e. base measures, derived measures and indicators);
2. implementing and operating an Information Security Measurement Programme;
3. collecting and analysing data;
4. developing measurement results;
5. communicating developed measurement results to the relevant stakeholders;
6. using measurement results as contributing factors to ISMS-related decisions;
7. using measurement results to identify needs for improving the implemented ISMS, including its scope, policies, objectives, controls, processes and procedures;
8. and facilitating continual improvement of the Information Security Measurement Programme.