ISO/IEC 27004:2009 Information technology — Security techniques — Information security management — Measurement
ISO/IEC 27004 concerns measurements relating to information security management: these are commonly known as ‘security metrics’ in the profession (if not in SC 27!).
Scope and purpose
The standard is intended to help organizations measure, report on and hence systematically improve the effectiveness of their Information Security Management Systems.
It “provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001. This would include policy, information risk management, control objectives, controls, processes and procedures, and support the process of its revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved.”
ISO/IEC 27001 uses the phrase ‘monitoring, measurement, analysis and evaluation’ (the title of its clause 9.1) without clearly distinguishing the four activities; 27004 explains what each of them means in practice.
The revised version will be limited solely to supporting clause 9.1 of ISO/IEC 27001.
The following sections are key:
- Information security measurement overview;
- Management responsibilities;
- Measures and measurement development;
- Measurement operation;
- Data analysis and measurement results reporting;
- Information Security Measurement Program evaluation and improvement.
Annex A suggests a template on which to describe a metric, while Annex B offers some worked examples.
The standard is quite detailed about the mechanics of the measurement process. It laboriously describes how to collect “base measures” (raw counts and values taken directly from the source data), how to aggregate and calculate “derived measures” from them, and then how to apply analytical techniques and decision criteria to produce “indicators” for ISMS management purposes. Unfortunately, it offers little guidance on which base measures, derived measures or indicators are actually worth all this effort, i.e. which ones would help management manage information security.
Status of the standard
Although ISO/IEC JTC1/SC 27 recognizes that metrics are an essential tool for managing an ISMS, the project that initially developed the standard had a long and troubled history. Hundreds of pages of comments from the national bodies were received even at the late FCD stage, few of which were resolved prior to publication: since guidance on security metrics was sorely needed, the standard was deemed ‘good enough’ to publish rather than delaying it still further. The standard was first published in 2009.
ISO/IEC 27004 is currently being revised.
A new title has been agreed: “Information security management systems — Monitoring, measurement, analysis and evaluation”.
Status: overwhelmingly approved for publication with just a few simple editorial comments. May conceivably be published at the end of 2016, more likely some time in 2017.
An ISMS is literally worse than useless without suitable metrics (so there is a case for 27001 citing 27004 as a normative rather than merely informative reference), but information security metrics are of value in all organizations regardless of whether or not they have an ISO27k ISMS in place. I understand why the revised 27004 standard (along with several other ISO27k standards) is aligned specifically to ISO/IEC 27001: the narrow scope and tight focus increase the chances of the standards being completed and published in a reasonable timeframe (a problem that plagued the original version of 27004, and derailed the 27005 revision). However, I believe that leaves a gap for broader-scope standards, including a general purpose information risk and security metrics standard ... or indeed an entire book.
I’m delighted to report that the revised standard is much more sensibly worded than the first edition, making it useful for practitioners. Furthermore, approaches such as requiring the business managers and risk owners to define their measurement requirements, and concepts such as a ‘measurement programme’ (which might be termed a ‘measurement system’, except that the abbreviation of Information Security Measurement System is already spoken for!), are definitely steps in the right direction, in my opinion.
The example metrics are not very helpful, though. For instance, example B.10.2 “Percentage of personnel who received annual information security awareness training” is a very poor measure of security awareness: it simply measures attendance rather than, say, proactive participation, engagement, learning, knowledge transfer, effectiveness or the quality of the awareness/training sessions. Worse still, the example implies that ‘annual security awareness training’ is an acceptable approach (it is definitely not good practice) and conflates awareness with training.
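To make the base measure → derived measure → indicator chain concrete, and to show why an attendance count tells management so little, here is an added Python example. It is not code from the standard, from SC 27 or from this site: the staff records, the phishing-simulation counters, the red/amber/green thresholds and the `MeasurementConstruct` template are all constructed assumptions for illustration. It runs the B.10.2-style attendance percentage through the same chain as two outcome-oriented measures taken from the same constructed data.

```python
"""Added example: the ISO/IEC 27004 measurement chain in code.

base measures  -> derived measures (aggregation / calculation)
               -> indicators (analytical technique + decision criteria)

Everything below (staff records, thresholds, the phishing-simulation
measures) is constructed for illustration; it is not taken from the
standard's Annex B examples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class StaffRecord:
    """One row of constructed source data feeding the base measures."""
    name: str
    attended_training: bool   # sat the annual awareness session?
    clicked_phish: bool       # clicked the link in a simulated phish?
    reported_phish: bool      # reported the simulated phish?


# Constructed sample: 10 staff, 9 attended, 4 clicked, 3 reported.
STAFF: List[StaffRecord] = [
    StaffRecord("alice", True, False, True),
    StaffRecord("bob", True, True, False),
    StaffRecord("carol", True, False, False),
    StaffRecord("dave", True, True, False),
    StaffRecord("erin", True, False, True),
    StaffRecord("frank", True, True, False),
    StaffRecord("grace", True, False, False),
    StaffRecord("heidi", True, False, True),
    StaffRecord("ivan", True, True, False),
    StaffRecord("judy", False, False, False),
]


def collect_base_measures(records: List[StaffRecord]) -> Dict[str, int]:
    """Base measures: raw counts taken directly from the source data."""
    return {
        "staff": len(records),
        "attended": sum(r.attended_training for r in records),
        "clicked": sum(r.clicked_phish for r in records),
        "reported": sum(r.reported_phish for r in records),
    }


def percentage(numerator: int, denominator: int) -> float:
    """Derived measure: a ratio of two base measures, as a percentage."""
    return 100.0 * numerator / denominator if denominator else 0.0


def rag(green: Callable[[float], bool],
        amber: Callable[[float], bool]) -> Callable[[float], str]:
    """Decision criteria: map a derived value to a red/amber/green indicator."""
    return lambda value: "green" if green(value) else ("amber" if amber(value) else "red")


@dataclass(frozen=True)
class MeasurementConstruct:
    """Simplified Annex A-style template: what is measured and how it is judged."""
    identifier: str
    description: str
    derive: Callable[[Dict[str, int]], float]
    decide: Callable[[float], str]


# Thresholds are assumptions chosen for the example, not values from the standard.
CONSTRUCTS: List[MeasurementConstruct] = [
    MeasurementConstruct(
        "attendance",
        "B.10.2-style: % of personnel who attended annual awareness training",
        lambda b: percentage(b["attended"], b["staff"]),
        rag(lambda v: v >= 90, lambda v: v >= 75),
    ),
    MeasurementConstruct(
        "click_rate",
        "% of personnel who clicked a simulated phishing link (lower is better)",
        lambda b: percentage(b["clicked"], b["staff"]),
        rag(lambda v: v <= 5, lambda v: v <= 15),
    ),
    MeasurementConstruct(
        "report_rate",
        "% of personnel who reported the simulated phish (higher is better)",
        lambda b: percentage(b["reported"], b["staff"]),
        rag(lambda v: v >= 60, lambda v: v >= 30),
    ),
]


def evaluate(records: List[StaffRecord]) -> Dict[str, Tuple[float, str]]:
    """Run the full chain; return {identifier: (derived value, indicator)}."""
    base = collect_base_measures(records)
    results: Dict[str, Tuple[float, str]] = {}
    for construct in CONSTRUCTS:
        value = construct.derive(base)
        results[construct.identifier] = (value, construct.decide(value))
    return results


if __name__ == "__main__":
    for ident, (value, status) in evaluate(STAFF).items():
        print(f"{ident:12s} {value:5.1f}%  {status}")
```

On the constructed data the attendance indicator goes green (90%) while the same people click 40% of simulated phishes (red) and report only 30% of them (amber): exactly the gap between measuring attendance and measuring whether the awareness activity changed behaviour. The mechanics of the chain are the easy part; choosing derived measures and decision criteria that reflect the risk owner's actual question is where the standard's guidance is thinnest.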
There are also vocabulary issues: the metrics-related terms previously defined in ISO/IEC 27000 are now mostly irrelevant to the revised standard.
The German standards body, DIN, suggested introducing the GQM (Goal-Question-Metric) approach into the standard. That is an excellent idea, but it was raised far too late to make it into this revision, so hopefully it will be taken forward into the next round.