ISO/IEC 27004

ISO/IEC 27004 Information technology -- Security techniques -- Information security management measurements (draft)

ISO/IEC 27004 will be a new standard on information security management measurements. Work on the standard started four years ago. It is currently at Committee Draft (CD) stage, with publication due later in 2008.

The standard will help organizations measure and report the effectiveness of their information security management systems, covering both the security management processes (defined in ISO/IEC 27001) and the controls (ISO/IEC 27002).

The stated scope is to “provide guidance on the specification and use of measurement techniques for providing assurance as regards the effectiveness of information security management systems. It is intended to be applicable to a wide range of organisations with a correspondingly wide range of information security management systems. [It] provides guidance for measurement procedures and techniques to determine the effectiveness of information security controls and information security processes applied in an ISMS. The purpose of the Information security management measurements development and implementation process, defined in this Standard, is to create a base for each organization to collect, analyse, and communicate data related to ISMS processes. This data is ultimately to be used to base ISMS-related decisions and to improve implementation of an ISMS.”

The draft is quite detailed about the measurement process itself, though not about specific metrics. It describes methods of aggregating, calculating and analyzing base measurements to derive meaningful, higher-level management information.

Copyright © 2008 IsecT Ltd.