ISO/IEC 27004

Copyright © 2010 IsecT Ltd.

ISO/IEC 27004:2009 Information technology — Security techniques — Information security management — Measurement

 

ISO/IEC 27004 covers information security management measurements, generally known as security metrics. 

The standard was published in December 2009. This page was last updated on December 29th.

The standard is intended to help organizations measure, report on and hence systematically improve the effectiveness of their Information Security Management Systems.

It “provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.  This would include policy, information security risk management, control objectives, controls, processes and procedures, and support the process of its revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved.” 

The standard has the following key sections:

  1. Information security measurement overview;
  2. Management responsibilities;
  3. Measures and measurement development;
  4. Measurement operation;
  5. Data analysis and measurement results reporting;
  6. Information Security Measurement Program evaluation and improvement.

Annex A suggests a template on which to describe a metric, while Annex B offers some worked examples.

The standard is quite detailed on the mechanics of the measurement process.  It describes at length how to collect “base measures”, aggregate and calculate from them to produce “derived measures”, and then apply analytical techniques and decision criteria to turn those into “indicators” used for ISMS management purposes.  Unfortunately, it offers little guidance on which base measures, derived measures or indicators might actually be worth all this effort.
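As an added illustration of that three-stage construct (this is not text or code from ISO/IEC 27004, nor from this page's author), the following Python sketch walks a handful of constructed patch-deployment records through base measures, a derived measure and an indicator, and then fills in a template record in the spirit of Annex A. The control being measured (patching within an SLA), the SLA targets, the green/amber/red thresholds and the sample records are all assumptions made for the example. It also handles two edge cases the standard's mechanics leave to the implementer: a patch whose deadline has not yet passed is kept out of the denominator, and a period with nothing due reports "no data" rather than 100%.

```python
"""Worked example of the ISO/IEC 27004 measurement construct:
base measures -> derived measure -> indicator via decision criteria.
Added illustration only; the control, targets and records are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    severity: str            # "critical" or "high"
    published: date          # date the vendor fix became available
    applied: Optional[date]  # deployment date, None if still outstanding


# Assumed policy targets (days allowed after publication); not from the standard.
SLA_DAYS = {"critical": 14, "high": 30}

# Measurement date for this reporting period (assumed).
AS_OF = date(2010, 1, 31)

# Constructed sample data for a small estate; not real patch records.
SAMPLE: List[PatchRecord] = [
    PatchRecord("srv-01", "critical", date(2010, 1, 1), date(2010, 1, 10)),  # 9 days: in SLA
    PatchRecord("srv-02", "critical", date(2010, 1, 1), date(2010, 1, 20)),  # 19 days: late
    PatchRecord("srv-03", "high", date(2009, 12, 15), date(2010, 1, 10)),    # 26 days: in SLA
    PatchRecord("srv-04", "high", date(2010, 1, 20), None),                   # not yet due on AS_OF
    PatchRecord("srv-05", "critical", date(2010, 1, 5), None),                # overdue, still open
    PatchRecord("srv-06", "high", date(2009, 12, 1), date(2009, 12, 20)),    # 19 days: in SLA
]


def deadline(rec: PatchRecord) -> date:
    """Latest acceptable deployment date under the assumed SLA."""
    return rec.published + timedelta(days=SLA_DAYS[rec.severity])


def base_measures(records: List[PatchRecord], as_of: date) -> Dict[str, int]:
    """Base measures: raw counts read directly from the records.
    Only records whose SLA deadline has passed by `as_of` are in scope; a patch
    still inside its window is neither a success nor a failure yet."""
    due = 0
    in_sla = 0
    for rec in records:
        if deadline(rec) > as_of:
            continue
        due += 1
        if rec.applied is not None and rec.applied <= deadline(rec):
            in_sla += 1
    return {"patches_due": due, "patches_in_sla": in_sla}


def derived_measure(bm: Dict[str, int]) -> Optional[float]:
    """Derived measure: ratio of the two base measures as a percentage.
    Returns None (not 100%) when nothing was due, so an empty period cannot
    masquerade as perfect compliance."""
    if bm["patches_due"] == 0:
        return None
    return round(100.0 * bm["patches_in_sla"] / bm["patches_due"], 1)


def indicator(value: Optional[float], target: float = 95.0, warning: float = 85.0) -> str:
    """Indicator: the derived measure interpreted against decision criteria."""
    if value is None:
        return "no data"
    if value >= target:
        return "green"
    if value >= warning:
        return "amber"
    return "red"


def report(records: List[PatchRecord] = SAMPLE, as_of: date = AS_OF) -> Dict[str, object]:
    """Fill a measurement template along the lines of the standard's Annex A."""
    bm = base_measures(records, as_of)
    dm = derived_measure(bm)
    return {
        "measure": "Patch deployment within SLA",
        "object_of_measurement": "patch management process",
        "measurement_date": as_of.isoformat(),
        "base_measures": bm,
        "derived_measure_pct": dm,
        "decision_criteria": "green >= 95%, amber >= 85%, otherwise red",
        "indicator": indicator(dm),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Running the script on the sample gives five patches in scope, three deployed in time, a derived measure of 60.0% and a red indicator; srv-04 is excluded because its deadline falls after the measurement date. The thresholds are the "decision criteria" the standard refers to, and they are the part that deserves the most argument in practice, since an indicator is only as meaningful as the targets behind it.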

Status

Although it is generally agreed that pragmatic guidance on security metrics is sorely needed by the profession and would complement the remaining ISO27k standards, this has been a long and difficult project for ISO/IEC JTC1/SC27.  Partly this is because the field of security metrics is quite immature.  As with ISO/IEC 27003, hundreds of pages of comments from the national bodies were received even at the late FCD stage and few were resolved prior to publication.  It seems likely that many comments will have to be revisited in a post-publication revision of the standard although this is not currently planned ...