What is ISO/IEC 27004?

ISO/IEC 27004:2016 – Information Technology – Security techniques – Information Security Management – Measurement

ISO/IEC 27004:2016, also referred to as ISO 27004, provides guidelines intended to assist organizations in evaluating information security performance and the effectiveness of an information security management system. It expands substantially on clause 9.1 of ISO/IEC 27001 concerning ‘monitoring, measurement, analysis and evaluation’. It establishes guidance for:

  • the monitoring and measurement of information security performance
  • the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls
  • the analysis and evaluation of the results of monitoring and measurement

ISO/IEC 27004:2016 is applicable to all types and sizes of organizations.


The standard is part of the ISO/IEC 27000-series. ISO/IEC 27004 provides guidelines to help organizations evaluate the performance of information security and the efficiency of a management system in meeting the requirements of ISO 27001. The standard helps organizations focus on what to improve in the ISMS and where. It expands greatly on clause 9.1 of ISO 27001 concerning ‘monitoring, measurement, analysis and evaluation’.


These are the main sections:

  • Rationale – explains the value of measuring things, e.g., to increase accountability and performance;
  • Characteristics – what to measure, monitor, analyze and evaluate, when to do it, and who should do it;
  • Types of measures – performance (efficiency) and effectiveness measures;
  • Processes – how to develop, implement and use metrics.


Our All-in-One Certification Package is a proven, efficient system. It gives you all you need to prepare for certification – in one simple-to-use package.

Customer Review:

"I have just passed my Audit with zero non-conformances for the second year in a row using your ISO products to write my entire QMS. Thank you for producing documents of this quality"

Bettye Patrick
