ISO/IEC 27004 describes techniques for:
• Monitoring and measuring information security performance.
• Monitoring and measuring the effectiveness of an Information Security Management System (ISMS), including its management processes and controls.
• Analysing and evaluating the results of monitoring and measurement.

The techniques are intended to apply to all types of organization, regardless of type and size. Although virtually any observable characteristic or activity can in principle be measured, measuring it and using the resulting information consumes corporate resources. This raises the question of which aspects of an ISMS are, and are not, worth measuring. Furthermore, there are numerous measurement techniques, whether quantitative (objective, fact-based), qualitative (subjective, opinion-based) or some blend of the two. Questions such as what to measure, how and when to measure it, who should gather, analyse and report the information, and how to present the measurement data and analysis are for management to determine.

Generally speaking, senior/executive managers and directors are most concerned with the achievement of strategic business objectives. They tend to value broad, high-level, long-range measurements and trends relating to the management of information risks and security arrangements, plus governance aspects, in support of those objectives. Middle and lower levels of management typically value the more detailed, contemporaneous information needed to direct and control activities appropriately, again within the overall business context and objectives.

At all levels, measurements help determine:
• Whether changes are needed at all, e.g. to improve the effectiveness or efficiency of security operations, or to maintain current levels.
• Priorities for any necessary changes, relative to other aspects, activities, concerns etc.
• The nature and extent of changes, including the evaluation and comparison of alternative approaches.
• Whether activities, processes, systems, changes etc. are in fact achieving the intended results, at the appropriate rate (feedback).
• Whether progress can be demonstrated, credibly, to various stakeholders.

== Terms and structure ==