What is ISO/IEC 27004?
ISO/IEC 27004:2016 – Information Technology – Security techniques – Information Security Management – Measurement
ISO/IEC 27004:2016, also referred to as ISO 27004, provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system. It expands substantially on clause 9.1 of ISO/IEC 27001 concerning ‘monitoring, measurement, analysis and evaluation’. It establishes:
- the monitoring and measurement of information security performance
- the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls
- the analysis and evaluation of the results of monitoring and measurement
ISO/IEC 27004:2016 is applicable to all types and sizes of organizations.
Purpose
The standard is part of the ISO/IEC 27000-series. The ISO/IEC 27004 standard provides guidelines to assist organizations in evaluating the performance of information security and the efficiency of a management system in meeting the requirements of ISO 27001. The standard helps organizations focus on what to improve in the ISMS and where. It expands greatly on clause 9.1 of ISO 27001 concerning ‘monitoring, measurement, analysis and evaluation’.
Contents
These are the main sections:
- Rationale – explains the value of measuring things, e.g., to increase accountability and performance;
- Characteristics – what to measure, monitor, analyze and evaluate, when to do it, and who should do it;
- Types of measures – performance (efficiency) and effectiveness measures;
- Processes – how to develop, implement and use metrics.