Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Iso 27004 2016 pdf free download

04/12/2021 Client: muhammad11 Deadline: 2 Day

Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation Technologies de l’information — Techniques de sécurité — Management de la sécurité de l’information —

, mesurage, analyse et évaluation

INTERNATIONAL STANDARD

ISO/IEC 27004

Reference number ISO/IEC 27004:2016(E)

Second edition 2016-12-15

© ISO/IEC 2016

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ii © ISO/IEC 2016 – All rights reserved

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2016, Published in Switzerland

the requester.

Ch. de Blandonnet 8 • CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47

www.iso.org

ISO/IEC 27004:2016(E)

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Foreword ........................................................................................................................................................................................................................................iv Introduction ..................................................................................................................................................................................................................................v 1 Scope ................................................................................................................................................................................................................................. 1 2 Normative references ...................................................................................................................................................................................... 1

..................................................................................................................................................................................... 1 4 Structure and overview ................................................................................................................................................................................. 1 5 Rationale ....................................................................................................................................................................................................................... 2

5.1 The need for measurement .......................................................................................................................................................... 2 ................................................................................................................... 3

.................................................................................................................................................................................. 3 .......................................................................................................................................................................................................... 3

6 Characteristics ........................................................................................................................................................................................................ 4 6.1 General ........................................................................................................................................................................................................... 4 6.2 What to monitor..................................................................................................................................................................................... 4 6.3 What to measure ................................................................................................................................................................................... 5

.................................................................................................... 6 ................................................................................................... 6

7 Types of measures .............................................................................................................................................................................................. 7 7.1 General ........................................................................................................................................................................................................... 7 7.2 Performance measures .................................................................................................................................................................... 7 7.3 Effectiveness measures .................................................................................................................................................................... 8

8 Processes ...................................................................................................................................................................................................................... 9 8.1 General ........................................................................................................................................................................................................... 9

........................................................................................................................................................ 10 8.3 Create and maintain measures ............................................................................................................................................... 11

8.3.1 General................................................................................................................................................................................... 11 .....................11

8.3.3 Develop or update measures .............................................................................................................................. 12 8.3.4 Document measures and prioritize for implementation ........................................................... 13 8.3.5 Keep management informed and engaged ............................................................................................. 13

8.4 Establish procedures ...................................................................................................................................................................... 14 8.5 Monitor and measure ..................................................................................................................................................................... 14

..................................................................................................................................................................................... 15 ................................................... 15

............15 8.9 Retain and communicate documented information ............................................................................................ 15

Annex A (informative) An information security measurement model ..........................................................................17 Annex B (informative) Measurement construct examples .........................................................................................................19 Annex C (informative) An example of free-text form measurement construction ............................................57 Bibliography .............................................................................................................................................................................................................................58

© ISO/IEC 2016 – All rights reserved iii

Contents Page

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

members of ISO or IEC participate in the development of International Standards through technical

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

constitute an endorsement.

as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

A total restructuring of the document because it has a new purpose – to provide guidance on ISO/IEC 27001:2013, 9.1 – which, at the time of the previous edition, did not exist.

(ISO/IEC 15939) remains the same and several of the examples given in the previous edition are preserved, albeit updated.

iv © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Introduction

can be supportive of decisions relating to ISMS governance, management, operational effectiveness and continual improvement.

As with other ISO/IEC 27000 documents, this document should be considered, interpreted and adapted

This document is recommended for organizations implementing an ISMS that meets the requirements

© ISO/IEC 2016 – All rights reserved v

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation

1 Scope

This document provides guidelines intended to assist organizations in evaluating the information

2 Normative references

There are no normative references in this document.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/

— ISO Online browsing platform: available at http://www.iso.org/obp

4 Structure and overview

This document is structured as follows:

a) Rationale (Clause 5

b) Characteristics (Clause 6

Clause 7

d) Processes (Clause 8).

The ordering of these clauses is intended to aid understanding and map to ISO/IEC 27001:2013, 9.1 requirements, as is illustrated in Figure 1.

INTERNATIONAL STANDARD ISO/IEC 27004:2016(E)

© ISO/IEC 2016 – All rights reserved 1

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

In addition, Annex A between the components of the measurement model and the requirements of ISO/IEC 27001:2013, 9.1.

Annex B provides a wide range of examples. These examples are intended to provide practical guidance

Table 1. Annex C provides a further example using an alternative free-form text-based format.

Figure 1 — Mapping to ISO/IEC 27001:2013, 9.1 requirements

5 Rationale

5.1 The need for measurement

information within its scope. There are ISMS activities that concern the planning of how to do this, and

2 © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Clause 7.

ISO/IEC 27001:2013, 9.1 further requires the organization to determine:

The mapping of these requirements is provided in Figure 1.

information as evidence of the monitoring and measurement results (See 8.9).

ISO/IEC 27001:2013, 9.1 also notes that methods selected should produce comparable and reproducible results in order for them to be considered valid (See 6.4).

5.3 Validity of results

ISO/IEC 27001:2013, 9.1 b) requires that organizations choose methods for measurement, monitoring,

measures, taking the following points into consideration:

a) in order to get comparable results on measures that are based on monitoring at different points in

are situations where results are non-reproducible, but are valid when aggregated.

a) Increased accountability:

b) Improved information security performance and ISMS processes: Monitoring, measurement,

© ISO/IEC 2016 – All rights reserved 3

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

c) Evidence of meeting requirements:

standards) requirements, as well as applicable laws, rules, and regulations.

d) Support decision-making:

process. It can allow organizations to measure successes and failures of past and current

allocation for future investments.

6 Characteristics

6.1 General

and ISMS effectiveness.

missed altogether if suitable measures are not in place.

allow it to determine its information needs.

Organizations should next decide what measures are needed to support each discrete information

correspond to the information needs of the organization.

6.2 What to monitor

information need.

4 © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

These monitoring activities produce data (event logs, user interviews, training statistics, incident

measured, additional monitoring can be required to provide supporting information.

Note that monitoring can allow an organization to determine whether a risk has materialized, and

of such controls to support measurement, organizations should ensure that the measurement process

6.3 What to measure

processes, activities, controls and groups of controls.

As an example, consider ISO/IEC 27001:2013, 7.2 c), which requires an organization to take action, where

who require training have received it and whether the training was delivered as planned. This can be

can be measured with a post-training questionnaire).

With regards to ISMS processes, organizations should note that there are a number of clauses in

ISO/IEC 27001:2013, 10.1 d) requires organizations to “review the effectiveness of any corrective action taken

this is explained in Clause 8.

ISMS processes and activities that are candidates for measurement include:

i) auditing.

controls are determined through the process of risk treatment and are referred to in ISO/IEC 27001 as

© ISO/IEC 2016 – All rights reserved 5

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

of attributes that can be measured, such as:

m) how long after the occurrence of an event does it take for the control to detect that the event has occurred.

6.4 When to monitor, measure, analyse and evaluate

case of a reportable breach) or aggregated values (as might be the case for attempted intrusions which were detected and blocked).

evaluation can proceed, an appropriate volume of data needs to be collected in order to provide

and evaluation can commence.

8.2. For example, if an organization is transitioning

Furthermore, a baseline is needed to compare two sets of measures taken at different points in time

activities into a measurement programme. It is important to note, however, that ISO/IEC 27001 has no requirement for organizations to have such a programme.

6.5 Who will monitor, measure, analyse and evaluate

Organizations (considering requirements of ISO/IEC 27001:2013, 9.1 and 5.3

measurement-related roles and responsibilities:

a) measurement client: the management or other interested parties requesting or requiring

c) measurement reviewer: the person or organizational unit that validates that the developed

6 © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

d) information owner: the person or organizational unit that owns the information that provides

e) information collector: the person or organizational unit responsible for collecting, recording and

g) information communicator: the person or organizational unit responsible for communicating the

Individuals performing different roles and responsibilities throughout the processes can require diverse skill sets and associated awareness and training.

7 Types of measures

7.1 General

For the purposes of this guidance, the performance of planned activities and the effectiveness of the

a) performance measures: measures that express the planned results in terms of the characteristics

b) effectiveness measures: measures that express the effect that realization of the planned activities

Note that the terms “performance measures” and “effectiveness measures” should not be confused

effectiveness.

7.2 Performance measures

Performance measures can be used to demonstrate progress in implementing ISMS processes, associated

activities have been realised and intended results achieved, performance measures should concern the

ISMS activities.

reduce the cost and effort required and the potential for human error.

© ISO/IEC 2016 – All rights reserved 7

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Example 1

measurement activities can refocus on other controls in need of improvement.

Example 2

and other meetings that can be called. The planned (or intended) result in this case is full attendance

should reach and remain close to their planned targets. At this point, the organization should begin to focus its measurement efforts on effectiveness measures (see 7.3).

7.3).

According to ISO/IEC 27001:2013, 9.1, it is likewise important to also measure the effectiveness of

performance and effectiveness at planned intervals.

7.3 Effectiveness measures

Effectiveness measures should be used to describe the effectiveness and impact that the realisations of the ISMS risk treatment plan and ISMS processes and controls have on the organization’s information

d) evaluate the degree to which ISMS processes, controls, or groups of controls have been implemented

h) interpret and report this data to decision makers.

8 © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

These effectiveness measures combine information about the realisation of the risk treatment plan

and can be the ones that ought to be of most interest to top management.

Example 3

the greater the related risk exposure. An effectiveness measure can help an organization determine

Example 4

measure can help the organization to determine the extent to which each trainee has understood

8 Processes

8.1 General

In addition, there is an ISMS management process that covers the review and improvement of the above processes, see 8.8.

© ISO/IEC 2016 – All rights reserved 9

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Figure 2 — Monitoring, measurement, analysis and evaluation processes

8.2 Identify information needs

d) the risk treatment plan.

e) examine the ISMS, its processes and other elements such as:

10 © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

g) select a subset of information needs required to be addressed in measurement activities from the

h) document and communicate the selected information needs to all relevant interested parties.

8.3 Create and maintain measures

8.3.1 General

measures at planned intervals or when the ISMS’s environment undergoes substantial changes. Such changes can include, among others:

Creating or updating such measures can include, among others, the followings steps:

k) keep management informed and engaged.

Updating measures is expected to take less time and effort than the initial creation.

8.3.2 Identify current security practices that can support information needs

practices can include measurement associated with:

© ISO/IEC 2016 – All rights reserved 11

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

Financial Hub
24/7 Assignment Help
Custom Coursework Service
Premium Solutions
Finance Homework Help
Online Assignment Help
Writer Writer Name Offer Chat
Financial Hub

ONLINE

Financial Hub

I am a professional and experienced writer and I have written research reports, proposals, essays, thesis and dissertations on a variety of topics.

$38 Chat With Writer
24/7 Assignment Help

ONLINE

24/7 Assignment Help

I reckon that I can perfectly carry this project for you! I am a research writer and have been writing academic papers, business reports, plans, literature review, reports and others for the past 1 decade.

$31 Chat With Writer
Custom Coursework Service

ONLINE

Custom Coursework Service

After reading your project details, I feel myself as the best option for you to fulfill this project with 100 percent perfection.

$16 Chat With Writer
Premium Solutions

ONLINE

Premium Solutions

I am a PhD writer with 10 years of experience. I will be delivering high-quality, plagiarism-free work to you in the minimum amount of time. Waiting for your message.

$15 Chat With Writer
Finance Homework Help

ONLINE

Finance Homework Help

I am a PhD writer with 10 years of experience. I will be delivering high-quality, plagiarism-free work to you in the minimum amount of time. Waiting for your message.

$32 Chat With Writer
Online Assignment Help

ONLINE

Online Assignment Help

I am an academic and research writer with having an MBA degree in business and finance. I have written many business reports on several topics and am well aware of all academic referencing styles.

$19 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

STT 213 - Chapter 8 data analysis and statistics chapter test form a - Www fofweb com science default asp - Chapter 10 - Gale force surfing case study answers - Respect for acting author hagen - Year 8 food technology - World War 2 - Human resource essay - How to become a teacher aide qld - Excel wssi example - Nuclear medicine technologist schools virginia - Premiere products database - A beautiful mind questions and answers - 1995 cyber thriller about espionage crossword - University of warwick senate house - Boe bot manual - Island experiment forum - Corporate finance help on a test. - Mdi multiple document interface - Timodine cream what is it used for - Penn foster biology research paper example - Nottingham university malaysia jobs - Week 4 nurs 340b vulnerable population - Contention in an essay - Jeumont schneider track circuit manual - Allocates expenses to revenues in the proper period - Motorhome tv antenna replacement - Paper - Vax co uk guarantees - How to find the area of a kite - Issa periodization - Have fun teaching letter l song - Independent nursing practice problem - Bird in hand principle entrepreneurship - Apple think different campaign analysis - Ms project 7 day work week - Grob's basic electronics 12e answer key - Z values for confidence intervals - Describe the situation at lehman brothers from an ethics perspective - North ainslie primary school - Geography environmental quality survey - My favourite toy car 5 lines - Distance from earth to mercury in scientific notation - The fenders folsom prison blues - Disability liaison unit monash - Argentometric method for chloride analysis - Sci 207 week 2 discussion - Trilogy definition of a crisis - Personal counseling theory paper - Hilti firestop submittal builder - What is a private limited company gcse business - Essentials of business communication ppt - Experiment to verify kirchhoff's current law - Torbay council garden waste - Data structures outside in with java 1st edition - Food Labels! - Ol 125 personal development plan swot analysis milestone two - Clownfish and anemone commensalism - Examples of evidence based practice assignments - Sample business rules database design - Conduct a swot analysis for ibm's smarter planet initiative - Logistics in global economy ppt - Amerindo internet fund plc - Fred 3 camp fred loser song lyrics - How to calculate torque needed to move a vehicle - Portfolio Project - Class d lc filter design - In exercise 6.1, how do you enable efs? - Marketing - Cpa score release countdown 2018 - Unidrive m200 user guide - COM 201: The Power of Effective Speaking - Ck+ dataset free download - Chromagen free hot water system - Police assistance line tuggerah - When to use ck or k - Which statement decribes megalithic architecture - A history of the modern world palmer pdf - What is group communication with examples - Project management simulation tips - Discussion 22 - Module 5 Forum - Field hockey attacking tactics - Somewhere in outer space god has prepared a place - 4rd 003 520 25 - Economic 4 - NEED IN 7 HOURS or LESS (NO EXCEPTION) - Geopolitical community assessment - Cheap molded plastic pallets - 2.10 module project assessment world history - eco 110 assignment - Bim implementation plan example - A baseball in the air - There's a sea in my bedroom worksheets - Durham english literature reading list - Tesco screenwash safety data sheet - 48 minutes in decimal - Tampon soaked in apple cider vinegar for bv - The cladogram of animals 25.2 answers