Messages
Proposals
Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.
Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support
Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation Technologies de l’information — Techniques de sécurité — Management de la sécurité de l’information —
, mesurage, analyse et évaluation
INTERNATIONAL STANDARD
ISO/IEC 27004
Reference number ISO/IEC 27004:2016(E)
Second edition 2016-12-15
© ISO/IEC 2016
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ii © ISO/IEC 2016 – All rights reserved
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
the requester.
Ch. de Blandonnet 8 • CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47
www.iso.org
ISO/IEC 27004:2016(E)
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
Foreword ........................................................................................................................................................................................................................................iv Introduction ..................................................................................................................................................................................................................................v 1 Scope ................................................................................................................................................................................................................................. 1 2 Normative references ...................................................................................................................................................................................... 1
..................................................................................................................................................................................... 1 4 Structure and overview ................................................................................................................................................................................. 1 5 Rationale ....................................................................................................................................................................................................................... 2
5.1 The need for measurement .......................................................................................................................................................... 2 ................................................................................................................... 3
.................................................................................................................................................................................. 3 .......................................................................................................................................................................................................... 3
6 Characteristics ........................................................................................................................................................................................................ 4 6.1 General ........................................................................................................................................................................................................... 4 6.2 What to monitor..................................................................................................................................................................................... 4 6.3 What to measure ................................................................................................................................................................................... 5
.................................................................................................... 6 ................................................................................................... 6
7 Types of measures .............................................................................................................................................................................................. 7 7.1 General ........................................................................................................................................................................................................... 7 7.2 Performance measures .................................................................................................................................................................... 7 7.3 Effectiveness measures .................................................................................................................................................................... 8
8 Processes ...................................................................................................................................................................................................................... 9 8.1 General ........................................................................................................................................................................................................... 9
........................................................................................................................................................ 10 8.3 Create and maintain measures ............................................................................................................................................... 11
8.3.1 General................................................................................................................................................................................... 11 .....................11
8.3.3 Develop or update measures .............................................................................................................................. 12 8.3.4 Document measures and prioritize for implementation ........................................................... 13 8.3.5 Keep management informed and engaged ............................................................................................. 13
8.4 Establish procedures ...................................................................................................................................................................... 14 8.5 Monitor and measure ..................................................................................................................................................................... 14
..................................................................................................................................................................................... 15 ................................................... 15
............15 8.9 Retain and communicate documented information ............................................................................................ 15
Annex A (informative) An information security measurement model ..........................................................................17 Annex B (informative) Measurement construct examples .........................................................................................................19 Annex C (informative) An example of free-text form measurement construction ............................................57 Bibliography .............................................................................................................................................................................................................................58
© ISO/IEC 2016 – All rights reserved iii
Contents Page
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
members of ISO or IEC participate in the development of International Standards through technical
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
constitute an endorsement.
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
A total restructuring of the document because it has a new purpose – to provide guidance on ISO/IEC 27001:2013, 9.1 – which, at the time of the previous edition, did not exist.
(ISO/IEC 15939) remains the same and several of the examples given in the previous edition are preserved, albeit updated.
iv © ISO/IEC 2016 – All rights reserved
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
Introduction
can be supportive of decisions relating to ISMS governance, management, operational effectiveness and continual improvement.
As with other ISO/IEC 27000 documents, this document should be considered, interpreted and adapted
This document is recommended for organizations implementing an ISMS that meets the requirements
© ISO/IEC 2016 – All rights reserved v
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
1 Scope
This document provides guidelines intended to assist organizations in evaluating the information
2 Normative references
There are no normative references in this document.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
4 Structure and overview
This document is structured as follows:
a) Rationale (Clause 5
b) Characteristics (Clause 6
Clause 7
d) Processes (Clause 8).
The ordering of these clauses is intended to aid understanding and map to ISO/IEC 27001:2013, 9.1 requirements, as is illustrated in Figure 1.
INTERNATIONAL STANDARD ISO/IEC 27004:2016(E)
© ISO/IEC 2016 – All rights reserved 1
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
In addition, Annex A between the components of the measurement model and the requirements of ISO/IEC 27001:2013, 9.1.
Annex B provides a wide range of examples. These examples are intended to provide practical guidance
Table 1. Annex C provides a further example using an alternative free-form text-based format.
Figure 1 — Mapping to ISO/IEC 27001:2013, 9.1 requirements
5 Rationale
5.1 The need for measurement
information within its scope. There are ISMS activities that concern the planning of how to do this, and
2 © ISO/IEC 2016 – All rights reserved
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
Clause 7.
ISO/IEC 27001:2013, 9.1 further requires the organization to determine:
The mapping of these requirements is provided in Figure 1.
information as evidence of the monitoring and measurement results (See 8.9).
ISO/IEC 27001:2013, 9.1 also notes that methods selected should produce comparable and reproducible results in order for them to be considered valid (See 6.4).
5.3 Validity of results
ISO/IEC 27001:2013, 9.1 b) requires that organizations choose methods for measurement, monitoring,
measures, taking the following points into consideration:
a) in order to get comparable results on measures that are based on monitoring at different points in
are situations where results are non-reproducible, but are valid when aggregated.
a) Increased accountability:
b) Improved information security performance and ISMS processes: Monitoring, measurement,
© ISO/IEC 2016 – All rights reserved 3
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
c) Evidence of meeting requirements:
standards) requirements, as well as applicable laws, rules, and regulations.
d) Support decision-making:
process. It can allow organizations to measure successes and failures of past and current
allocation for future investments.
6 Characteristics
6.1 General
and ISMS effectiveness.
missed altogether if suitable measures are not in place.
allow it to determine its information needs.
Organizations should next decide what measures are needed to support each discrete information
correspond to the information needs of the organization.
6.2 What to monitor
information need.
4 © ISO/IEC 2016 – All rights reserved
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
These monitoring activities produce data (event logs, user interviews, training statistics, incident
measured, additional monitoring can be required to provide supporting information.
Note that monitoring can allow an organization to determine whether a risk has materialized, and
of such controls to support measurement, organizations should ensure that the measurement process
6.3 What to measure
processes, activities, controls and groups of controls.
As an example, consider ISO/IEC 27001:2013, 7.2 c), which requires an organization to take action, where
who require training have received it and whether the training was delivered as planned. This can be
can be measured with a post-training questionnaire).
With regards to ISMS processes, organizations should note that there are a number of clauses in
ISO/IEC 27001:2013, 10.1 d) requires organizations to “review the effectiveness of any corrective action taken
this is explained in Clause 8.
ISMS processes and activities that are candidates for measurement include:
i) auditing.
controls are determined through the process of risk treatment and are referred to in ISO/IEC 27001 as
© ISO/IEC 2016 – All rights reserved 5
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
of attributes that can be measured, such as:
m) how long after the occurrence of an event does it take for the control to detect that the event has occurred.
6.4 When to monitor, measure, analyse and evaluate
case of a reportable breach) or aggregated values (as might be the case for attempted intrusions which were detected and blocked).
evaluation can proceed, an appropriate volume of data needs to be collected in order to provide
and evaluation can commence.
8.2. For example, if an organization is transitioning
Furthermore, a baseline is needed to compare two sets of measures taken at different points in time
activities into a measurement programme. It is important to note, however, that ISO/IEC 27001 has no requirement for organizations to have such a programme.
6.5 Who will monitor, measure, analyse and evaluate
Organizations (considering requirements of ISO/IEC 27001:2013, 9.1 and 5.3
measurement-related roles and responsibilities:
a) measurement client: the management or other interested parties requesting or requiring
c) measurement reviewer: the person or organizational unit that validates that the developed
6 © ISO/IEC 2016 – All rights reserved
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
d) information owner: the person or organizational unit that owns the information that provides
e) information collector: the person or organizational unit responsible for collecting, recording and
g) information communicator: the person or organizational unit responsible for communicating the
Individuals performing different roles and responsibilities throughout the processes can require diverse skill sets and associated awareness and training.
7 Types of measures
7.1 General
For the purposes of this guidance, the performance of planned activities and the effectiveness of the
a) performance measures: measures that express the planned results in terms of the characteristics
b) effectiveness measures: measures that express the effect that realization of the planned activities
Note that the terms “performance measures” and “effectiveness measures” should not be confused
effectiveness.
7.2 Performance measures
Performance measures can be used to demonstrate progress in implementing ISMS processes, associated
activities have been realised and intended results achieved, performance measures should concern the
ISMS activities.
reduce the cost and effort required and the potential for human error.
© ISO/IEC 2016 – All rights reserved 7
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
Example 1
measurement activities can refocus on other controls in need of improvement.
Example 2
and other meetings that can be called. The planned (or intended) result in this case is full attendance
should reach and remain close to their planned targets. At this point, the organization should begin to focus its measurement efforts on effectiveness measures (see 7.3).
7.3).
According to ISO/IEC 27001:2013, 9.1, it is likewise important to also measure the effectiveness of
performance and effectiveness at planned intervals.
7.3 Effectiveness measures
Effectiveness measures should be used to describe the effectiveness and impact that the realisations of the ISMS risk treatment plan and ISMS processes and controls have on the organization’s information
d) evaluate the degree to which ISMS processes, controls, or groups of controls have been implemented
h) interpret and report this data to decision makers.
8 © ISO/IEC 2016 – All rights reserved
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
These effectiveness measures combine information about the realisation of the risk treatment plan
and can be the ones that ought to be of most interest to top management.
Example 3
the greater the related risk exposure. An effectiveness measure can help an organization determine
Example 4
measure can help the organization to determine the extent to which each trainee has understood
8 Processes
8.1 General
In addition, there is an ISMS management process that covers the review and improvement of the above processes, see 8.8.
© ISO/IEC 2016 – All rights reserved 9
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
Figure 2 — Monitoring, measurement, analysis and evaluation processes
8.2 Identify information needs
d) the risk treatment plan.
e) examine the ISMS, its processes and other elements such as:
10 © ISO/IEC 2016 – All rights reserved
N or
m en
-D ow
nl oa
d- B
eu th
-M ax
P la
nc k
G es
el ls
ch af
t z ur
F ör
de ru
ng d
er W
is se
ns ch
af te
n- K
dN r.7
92 69
56 -L
fN r.7
89 49
26 00
1- 20
17 -0
3- 17
1 3:
49
http://mahdi.hashemitabar.com
ISO/IEC 27004:2016(E)
g) select a subset of information needs required to be addressed in measurement activities from the
h) document and communicate the selected information needs to all relevant interested parties.
8.3 Create and maintain measures
8.3.1 General
measures at planned intervals or when the ISMS’s environment undergoes substantial changes. Such changes can include, among others:
Creating or updating such measures can include, among others, the followings steps:
k) keep management informed and engaged.
Updating measures is expected to take less time and effort than the initial creation.
8.3.2 Identify current security practices that can support information needs
practices can include measurement associated with:
© ISO/IEC 2016 – All rights reserved 11
| Writer | Writer Name | Amount | Client Comments & Rating |
|---|---|---|---|
ONLINE |
Instant Homework Helper |
$36 |
She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up! |
Custom Original Solution And Get A+ Grades
Custom Original Solution And Get A+ Grades
Custom Original Solution And Get A+ Grades
| Writer | Writer Name | Offer | Chat |
|---|---|---|---|
ONLINE |
Financial HubI am a professional and experienced writer and I have written research reports, proposals, essays, thesis and dissertations on a variety of topics. |
$38 | Chat With Writer |
ONLINE |
24/7 Assignment HelpI reckon that I can perfectly carry this project for you! I am a research writer and have been writing academic papers, business reports, plans, literature review, reports and others for the past 1 decade. |
$31 | Chat With Writer |
ONLINE |
Custom Coursework ServiceAfter reading your project details, I feel myself as the best option for you to fulfill this project with 100 percent perfection. |
$16 | Chat With Writer |
ONLINE |
Premium SolutionsI am a PhD writer with 10 years of experience. I will be delivering high-quality, plagiarism-free work to you in the minimum amount of time. Waiting for your message. |
$15 | Chat With Writer |
ONLINE |
Finance Homework HelpI am a PhD writer with 10 years of experience. I will be delivering high-quality, plagiarism-free work to you in the minimum amount of time. Waiting for your message. |
$32 | Chat With Writer |
ONLINE |
Online Assignment HelpI am an academic and research writer with having an MBA degree in business and finance. I have written many business reports on several topics and am well aware of all academic referencing styles. |
$19 | Chat With Writer |
Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.