ISO/IEC 27004:2009 Information technology — Security techniques ― Information security management ― Measurement
ISO/IEC 27004 concerns measurements relating to information security management: these are commonly known as ‘security metrics’ in the profession (if not in SC 27!).
Scope and purpose
The standard is intended to help organizations measure, report on and hence systematically improve the effectiveness of their Information Security Management Systems.
It “provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001. This would include policy, information security risk management, control objectives, controls, processes and procedures, and support the process of its revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved.”
The use of ‘monitoring, measurement, analysis and evaluation’ in ISO/IEC 27001 is confusing and will be explained/expanded-on in 27004.
The following sections are key:
Information security measurement overview;
Measures and measurement development;
Data analysis and measurement results reporting;
Information Security Measurement Program evaluation and improvement.
Annex A suggests a template on which to describe a metric, while Annex B offers some worked examples.
The standard is quite detailed in terms of the mechanics of measurement processes. It laboriously describes how to collect “base measures”, use aggregation and mathematical calculations to generate “derived measures”, and then apply analytical techniques and decision criteria to create “indicators” used for ISMS management purposes. Unfortunately, it does not offer much guidance on which base measures, derived measures or indicators might actually be worth all this effort in terms of managing information security.
Status of the standard
Although ISO/IEC JTC1/SC 27 recognizes that metrics are an essential tool for managing an ISMS, the project that initially developed the standard had long and troubled history. Hundreds of pages of comments from the national bodies were received even at the late FCD stage, few of which were resolved prior to publication: since guidance on security metrics was sorely needed, the standard was deemed ‘good enough’ to publish rather than delaying it still further.
The standard was first published in 2009.
ISO/IEC 27004 is currently being revised. A new title has been proposed (“Information security management systems — Monitoring, measurement, analysis and evaluation”), linking the revised standard explicitly to clause 9.1 of ISO/IEC 27001.
The revised standard is at WD3 stage.
I’m a little disappointed that this standard remains so tightly tied to ISO/IEC 27001. An ISO27k ISMS definitely needs metrics (thus 27001 should list 27004 as a normative or essential standard), but security metrics are of value even in the absence of an ISO27k ISMS. I believe there is a demand for a well-written and readily implemented information security metrics standard that extends beyond the ISO27k domain.
The current WD remains somewhat academic in places, for instance it defines and uses the generic term “information need” rather than, say, “measurement goal or objective”, and uses “measure” or “measurement” rather than “metric”. The laboured distinction between ‘base measure’ and ‘derived measure’ remains, while one annex contains a metrics example that reads like a college homework assignment or exam question reminiscent in style to “If object A of mass M is moving at a velocity of X m/s relative to object B of mass M’ ...”. On the other hand, the draft is noticeably more pragmatic and readable than the issued standard, marking a distinct improvement. This is an important point given that the overwhelming majority of information security professionals who should be implementing this standard are practitioners, not academics.