ISO / IEC 27004:2016 – Monitoring, measurement, assessment and evaluation, offers guidelines on how to determine the performance of an ISO / IEC 27001:2013 information security management system. ISO / IEC 27004:2016 explains how to establish and operate a measurement programme, and how to analyse and report the results of a set of information security measures.
As the old saying goes, “If you can’t measure it, you can’t manage it.” But why do we need to measure information security? To continually improve the methods, procedures, policies and so on that are in place to protect your organisation. Information security is key to the success of any organisation: a single security breach can damage your reputation as a security-conscious organisation.
You really can’t be too vigilant when it comes to information security. Cyber-attacks are among the most significant threats that a company can face. The security of personal data and commercially sensitive information is essential. But how do you tell if your ISO / IEC 27001:2013 Information Security Management System (ISMS) is making a difference?
ISO / IEC 27004:2016 offers guidelines on how to determine the performance of ISO 27001. It describes how to create and operate measurement systems and how to analyse and report the results of a set of information security metrics.
This is why ISO / IEC 27004:2016 offers critical and practical help to the many companies that implement ISO / IEC 27001:2013 to protect themselves from the increasingly diverse security attacks that companies face today.
Security metrics can provide insight into the efficiency of the ISMS and, as such, take centre stage. If you are an engineer or contractor responsible for security and management analysis, or an executive who wants better decision-making information, security metrics have become a critical vehicle for communicating the status of an organisation’s cyber risk posture.
Organisations need support to answer the question of whether their investment in information security management is successful, and whether it is suited to detecting, defending against and responding to the ever-changing cyber-risk climate.
ISO 27004:2009 was first published in 2009 as part of the ISO 27000 family of standards; it was later revised in 2016 and became known as ISO 27004:2016. Both editions are guidelines rather than requirements, so they are not mandatory and cannot be certified against, but what the standard does very well is work alongside the other ISO 27000 standards, which we will move on to next.
ISO / IEC 27004:2016 shows how to create an information security measurement programme, how to choose what to measure, and how to operate the appropriate measurement processes.
It provides detailed descriptions of various types of controls and how the efficiency of those controls can be measured.
The advantages for organisations using ISO / IEC 27004:2016 include the following:
ISO / IEC 27004:2016 replaced the 2009 edition and was revised to align with the updated ISO / IEC 27001:2013, giving organisations added value and confidence in their ISMS.
ISO 27004:2016 consists of 8 clauses and 3 annexes. Four of the clauses are key, and the annexes are informative. Its structure is as follows:
Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and definitions
Clause 4: Structure and overview
Clause 5: Rationale
Clause 6: Characteristics
Clause 7: Types of measures
Clause 8: Processes
Annex A: An information security measurement model
Annex B: Measurement construct examples
Annex C: An example of free-text form measurement construction
C.1 ‘Training effectiveness’ – effectiveness measurement construct