ISO/IEC 27004:2009 Information technology — Security techniques ― Information security management ― Measurement
ISO/IEC 27004 concerns measurements relating to information security management: these are commonly known as ‘security metrics’ in the profession.
Scope and purpose
The standard is intended to help organizations measure, report on and hence systematically improve the effectiveness of their Information Security Management Systems.
It “provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001. This would include policy, information security risk management, control objectives, controls, processes and procedures, and support the process of its revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved.”
The following sections are key:
Information security measurement overview;
Measures and measurement development;
Data analysis and measurement results reporting;
Information Security Measurement Program evaluation and improvement.
Annex A suggests a template on which to describe a metric, while Annex B offers some worked examples.
The standard is quite detailed in terms of the mechanics of measurement processes. It laboriously describes how to collect “base measures”, use aggregation and mathematical calculations to generate “derived measures”, and then apply analytical techniques and decision criteria to create “indicators” used for ISMS management purposes. Unfortunately, it does not offer much guidance on which base measures, derived measures or indicators might actually be worth all this effort in terms of managing information security.
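As an added illustration (not the standard's own Annex B example), the chain the standard describes, base measures combined into a derived measure and then judged against decision criteria to give an indicator, applied to a constructed patch-compliance metric; the asset records, the 30-day SLA and the green/amber thresholds are assumptions made for the example.

```python
# Constructed sample base-measure data (asset id, patch deployed?, days from
# patch release to deployment). Not taken from the standard or any real inventory.
ASSETS = [
    ("srv-01", True, 5),
    ("srv-02", True, 40),
    ("srv-03", False, None),
    ("ws-01", True, 12),
    ("ws-02", True, 31),
]

PATCH_SLA_DAYS = 30  # assumed organisational rule: deployed within 30 days = compliant


def base_measures(assets):
    """Base measures: raw counts read straight off the asset inventory."""
    total = len(assets)
    within_sla = sum(
        1 for _, deployed, age in assets if deployed and age <= PATCH_SLA_DAYS
    )
    return {"assets_in_scope": total, "assets_patched_within_sla": within_sla}


def derived_measure(base):
    """Derived measure: the measurement function that combines base measures."""
    if base["assets_in_scope"] == 0:
        return None  # undefined, deliberately not reported as 0% or 100%
    return 100.0 * base["assets_patched_within_sla"] / base["assets_in_scope"]


def indicator(pct, criteria=((90.0, "green"), (70.0, "amber"))):
    """Indicator: decision criteria turn the derived measure into a management signal."""
    if pct is None:
        return "no data"
    for threshold, status in criteria:  # thresholds are assumed values
        if pct >= threshold:
            return status
    return "red"


def measure(assets):
    """Run the whole construct once and return every level for reporting."""
    base = base_measures(assets)
    pct = derived_measure(base)
    return {"base": base, "derived_pct": pct, "indicator": indicator(pct)}
```

The point of the layering is that the indicator, not the raw counts, is what reaches management, and an empty scope yields "no data" rather than a misleading percentage.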
Status of the standard
Although ISO/IEC JTC1/SC 27 recognizes that metrics are an essential tool for managing an ISMS, the project that initially developed the standard had a long and troubled history. Hundreds of pages of comments from the national bodies were received even at the late FCD stage, few of which were resolved prior to publication: since guidance on security metrics was sorely needed, the standard was deemed ‘good enough’ to publish rather than delaying it still further.
The standard was first published in 2009 and is available for CHF162 from the ISO/IEC webstore.
ISO/IEC 27004 is currently being revised. A new title has been proposed (“Information security management systems — Monitoring, measurement, analysis and evaluation”), linking the standard closely to clause 9.1 of ISO/IEC 27001:2013.
At long last! A ray of hope on the ISO27k metrics front! SC 27 respondents to a questionnaire circulated by the editors responsible for revising ISO/IEC 27004 acknowledge that the current published standard is wordy, academic, perhaps even unworkable, which is probably why it has achieved such a low uptake, despite the obvious need for measurements as part of the ISMS. No surprise there.
However, there are encouraging signs that the editors and project team are prepared to consider a markedly different approach, although there is some concern that the new version ought to be backward compatible with the old (one might ask “Why?” given that it is hardly being used!). I hope the release of the current version of 27004 has not, in fact, set the field back, which was the fear expressed to SC 27 in the formal comments accompanying NZ’s vote against publishing the standard.
Given that the editors feel “ISMS standards are practical standards, not university textbooks”, I hope the rather academic and unhelpful measurement modelling content of the current version will be dropped like a stone, toned down or at least relegated to a dark and dusty annex.
Other security measurement standards are being trawled for more pragmatic guidance in relation to ISO27k. NIST SP800-55 Revision 1 certainly merits a closer look, as do ISO/IEC 15939, BSI’s BIP 0074 and perhaps IT-Grundschutz. The idea of ‘categorizing’ metrics seems to have taken hold, although there is no agreement yet on the nature of those categories, while maturity metrics are also of interest (in the sense that an organization’s infosec metrics will change as its approach to and experience of infosec matures).
New Zealand has proposed a simple process flow for the selection/design and use of security metrics:
Compared to the current standard’s use of ‘entity attributes’, ‘base measures’, ‘derived measures’, ‘indicators’ and so forth, this should be a far more straightforward and useful approach, one that strongly links the ISMS to business strategy through the elaboration of sensible and valuable information security metrics. [There’s a long way to go between now and publication, and a number of hurdles to clear: let’s see whether this diagram makes it in some vaguely recognizable form into the finished product!]
Meanwhile, for those who simply cannot wait for the 27004 update, visit our website on information security metrics outlining the innovative PRAGMATIC metametrics approach which, we believe, addresses many of the shortcomings of 27004.