ISO/IEC 27004 Information technology — Security techniques ― Information security management — Measurement (draft) 
ISO/IEC 27004 will cover information security management measurements.
Work on the standard started some four years ago. It is now entering FDIS stage with publication expected in Q3 or Q4 of 2009.
The standard is intended to help organizations measure and report the effectiveness of their information security management systems, covering both the security management processes (defined in ISO/IEC 27001) and the security controls (ISO/IEC 27002).
It “provides guidance and advice on the development and use of measures and measurement in order to assess the effectiveness of an information security management system (ISMS), including the ISMS policy and objectives and security controls in the Statement of Applicability used to implement and manage information security, as specified in ISO/IEC 27001.” The scope clause states that the standard “provides guidance on the development and use of measures in order to assess the effectiveness of ISMS processes, control objectives and controls as specified in ISO/IEC 27001.” [Both quotes come from the FCD.]
The standard will “provide guidance on the specification and use of measurement techniques for providing assurance as regards the effectiveness of information security management systems. It is intended to be applicable to a wide range of organisations with a correspondingly wide range of information security management systems. [It] provides guidance for measurement procedures and techniques to determine the effectiveness of information security controls and information security processes applied in an ISMS. The purpose of the Information security management measurements development and implementation process, defined in this Standard is to create a base for each organization to collect, analyse, and communicate data related to ISMS processes. This data is ultimately to be used to base ISMS-related decisions and to improve implementation of an ISMS.”
The standard is quite detailed in terms of measurement processes if not specific metrics. It describes methods of aggregating, calculating and analyzing “base measures” and “derived measures” to glean management information useful at a higher level of abstraction.
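As an added illustration of the base-measure/derived-measure chain described above (example code written for this page, not taken from the standard), the script below aggregates constructed per-system patching counts into a derived measure, then applies assumed decision-criteria thresholds to produce a traffic-light indicator per business unit and for the organisation. The metric, the thresholds and the sample data are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample base measures (not real data): per system, the number of
# patches that fell due in the period and how many were applied within the SLA.
BASE_MEASURES = [
    {"system": "web-01", "unit": "Retail",  "due": 12, "on_time": 11},
    {"system": "web-02", "unit": "Retail",  "due": 10, "on_time": 8},
    {"system": "db-01",  "unit": "Finance", "due": 8,  "on_time": 8},
    {"system": "hr-01",  "unit": "HR",      "due": 0,  "on_time": 0},  # nothing due
]

@dataclass
class Indicator:
    scope: str
    value: Optional[float]  # derived measure; None when no base data supports it
    rating: str             # result of applying the decision criteria

def derived_measure(records):
    """Aggregate base measures into a derived measure: % of due patches applied on time."""
    due = sum(r["due"] for r in records)
    on_time = sum(r["on_time"] for r in records)
    # Edge case: with nothing due, the ratio is undefined rather than 0% or 100%.
    return None if due == 0 else round(100.0 * on_time / due, 1)

def apply_criteria(value, green=95.0, amber=85.0):
    """Decision criteria (assumed thresholds) that turn a derived measure into an indicator."""
    if value is None:
        return "not measurable"
    if value >= green:
        return "green"
    return "amber" if value >= amber else "red"

def indicators(records, group_key):
    """One indicator per group (e.g. per business unit) plus an organisation-wide one."""
    groups = {}
    for r in records:
        groups.setdefault(r[group_key], []).append(r)
    out = []
    for name, group in groups.items():
        value = derived_measure(group)
        out.append(Indicator(name, value, apply_criteria(value)))
    overall = derived_measure(records)
    out.append(Indicator("organisation", overall, apply_criteria(overall)))
    return out

if __name__ == "__main__":
    for ind in indicators(BASE_MEASURES, "unit"):
        print(f"{ind.scope:13s} {ind.value!s:>6} {ind.rating}")
```

The "not measurable" outcome for a unit with no base data is deliberate: reporting it as 0% or 100% would distort the organisation-level picture that management decisions rest on.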
An appendix suggesting metrics that align with the sections of ISO/IEC 27002 has been added, bringing the standard a little closer to the ISO27k implementation guidance and metrics paper developed by the ISO27k Implementers’ Forum.
Status
Although it is generally agreed that good practice guidance on security metrics is needed, this has been a long and difficult project because the field of security metrics is at a relatively immature state of development. As with ISO/IEC 27003, hundreds of pages of comments from the national bodies were received even at the late FCD stage and few were resolved. It seems quite likely that many comments will be revisited in a revision of the standard although this is not currently planned.