Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Get Free Quotes Post Your Requirements

Iso 27004 2016 pdf free download

04/12/2021 Client: muhammad11 Deadline: 2 Day

Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation Technologies de l’information — Techniques de sécurité — Management de la sécurité de l’information —

, mesurage, analyse et évaluation

INTERNATIONAL STANDARD

ISO/IEC 27004

Reference number ISO/IEC 27004:2016(E)

Second edition 2016-12-15

© ISO/IEC 2016

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ii © ISO/IEC 2016 – All rights reserved

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2016, Published in Switzerland

the requester.

Ch. de Blandonnet 8 • CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47

www.iso.org

ISO/IEC 27004:2016(E)

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Foreword ........................................................................................................................................................................................................................................iv Introduction ..................................................................................................................................................................................................................................v 1 Scope ................................................................................................................................................................................................................................. 1 2 Normative references ...................................................................................................................................................................................... 1

..................................................................................................................................................................................... 1 4 Structure and overview ................................................................................................................................................................................. 1 5 Rationale ....................................................................................................................................................................................................................... 2

5.1 The need for measurement .......................................................................................................................................................... 2 ................................................................................................................... 3

.................................................................................................................................................................................. 3 .......................................................................................................................................................................................................... 3

6 Characteristics ........................................................................................................................................................................................................ 4 6.1 General ........................................................................................................................................................................................................... 4 6.2 What to monitor..................................................................................................................................................................................... 4 6.3 What to measure ................................................................................................................................................................................... 5

.................................................................................................... 6 ................................................................................................... 6

7 Types of measures .............................................................................................................................................................................................. 7 7.1 General ........................................................................................................................................................................................................... 7 7.2 Performance measures .................................................................................................................................................................... 7 7.3 Effectiveness measures .................................................................................................................................................................... 8

8 Processes ...................................................................................................................................................................................................................... 9 8.1 General ........................................................................................................................................................................................................... 9

........................................................................................................................................................ 10 8.3 Create and maintain measures ............................................................................................................................................... 11

8.3.1 General................................................................................................................................................................................... 11 .....................11

8.3.3 Develop or update measures .............................................................................................................................. 12 8.3.4 Document measures and prioritize for implementation ........................................................... 13 8.3.5 Keep management informed and engaged ............................................................................................. 13

8.4 Establish procedures ...................................................................................................................................................................... 14 8.5 Monitor and measure ..................................................................................................................................................................... 14

..................................................................................................................................................................................... 15 ................................................... 15

............15 8.9 Retain and communicate documented information ............................................................................................ 15

Annex A (informative) An information security measurement model ..........................................................................17 Annex B (informative) Measurement construct examples .........................................................................................................19 Annex C (informative) An example of free-text form measurement construction ............................................57 Bibliography .............................................................................................................................................................................................................................58

© ISO/IEC 2016 – All rights reserved iii

Contents Page

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

members of ISO or IEC participate in the development of International Standards through technical

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

constitute an endorsement.

as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.

The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

A total restructuring of the document because it has a new purpose – to provide guidance on ISO/IEC 27001:2013, 9.1 – which, at the time of the previous edition, did not exist.

(ISO/IEC 15939) remains the same and several of the examples given in the previous edition are preserved, albeit updated.

iv © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Introduction

can be supportive of decisions relating to ISMS governance, management, operational effectiveness and continual improvement.

As with other ISO/IEC 27000 documents, this document should be considered, interpreted and adapted

This document is recommended for organizations implementing an ISMS that meets the requirements

© ISO/IEC 2016 – All rights reserved v

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation

1 Scope

This document provides guidelines intended to assist organizations in evaluating the information

2 Normative references

There are no normative references in this document.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/

— ISO Online browsing platform: available at http://www.iso.org/obp

4 Structure and overview

This document is structured as follows:

a) Rationale (Clause 5

b) Characteristics (Clause 6

Clause 7

d) Processes (Clause 8).

The ordering of these clauses is intended to aid understanding and map to ISO/IEC 27001:2013, 9.1 requirements, as is illustrated in Figure 1.

INTERNATIONAL STANDARD ISO/IEC 27004:2016(E)

© ISO/IEC 2016 – All rights reserved 1

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

In addition, Annex A between the components of the measurement model and the requirements of ISO/IEC 27001:2013, 9.1.

Annex B provides a wide range of examples. These examples are intended to provide practical guidance

Table 1. Annex C provides a further example using an alternative free-form text-based format.

Figure 1 — Mapping to ISO/IEC 27001:2013, 9.1 requirements

5 Rationale

5.1 The need for measurement

information within its scope. There are ISMS activities that concern the planning of how to do this, and

2 © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Clause 7.

ISO/IEC 27001:2013, 9.1 further requires the organization to determine:

The mapping of these requirements is provided in Figure 1.

information as evidence of the monitoring and measurement results (See 8.9).

ISO/IEC 27001:2013, 9.1 also notes that methods selected should produce comparable and reproducible results in order for them to be considered valid (See 6.4).

5.3 Validity of results

ISO/IEC 27001:2013, 9.1 b) requires that organizations choose methods for measurement, monitoring,

measures, taking the following points into consideration:

a) in order to get comparable results on measures that are based on monitoring at different points in

are situations where results are non-reproducible, but are valid when aggregated.

a) Increased accountability:

b) Improved information security performance and ISMS processes: Monitoring, measurement,

© ISO/IEC 2016 – All rights reserved 3

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

c) Evidence of meeting requirements:

standards) requirements, as well as applicable laws, rules, and regulations.

d) Support decision-making:

process. It can allow organizations to measure successes and failures of past and current

allocation for future investments.

6 Characteristics

6.1 General

and ISMS effectiveness.

missed altogether if suitable measures are not in place.

allow it to determine its information needs.

Organizations should next decide what measures are needed to support each discrete information

correspond to the information needs of the organization.

6.2 What to monitor

information need.

4 © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

These monitoring activities produce data (event logs, user interviews, training statistics, incident

measured, additional monitoring can be required to provide supporting information.

Note that monitoring can allow an organization to determine whether a risk has materialized, and

of such controls to support measurement, organizations should ensure that the measurement process

6.3 What to measure

processes, activities, controls and groups of controls.

As an example, consider ISO/IEC 27001:2013, 7.2 c), which requires an organization to take action, where

who require training have received it and whether the training was delivered as planned. This can be

can be measured with a post-training questionnaire).

With regards to ISMS processes, organizations should note that there are a number of clauses in

ISO/IEC 27001:2013, 10.1 d) requires organizations to “review the effectiveness of any corrective action taken

this is explained in Clause 8.

ISMS processes and activities that are candidates for measurement include:

i) auditing.

controls are determined through the process of risk treatment and are referred to in ISO/IEC 27001 as

© ISO/IEC 2016 – All rights reserved 5

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

of attributes that can be measured, such as:

m) how long after the occurrence of an event does it take for the control to detect that the event has occurred.

6.4 When to monitor, measure, analyse and evaluate

case of a reportable breach) or aggregated values (as might be the case for attempted intrusions which were detected and blocked).

evaluation can proceed, an appropriate volume of data needs to be collected in order to provide

and evaluation can commence.

8.2. For example, if an organization is transitioning

Furthermore, a baseline is needed to compare two sets of measures taken at different points in time

activities into a measurement programme. It is important to note, however, that ISO/IEC 27001 has no requirement for organizations to have such a programme.

6.5 Who will monitor, measure, analyse and evaluate

Organizations (considering requirements of ISO/IEC 27001:2013, 9.1 and 5.3

measurement-related roles and responsibilities:

a) measurement client: the management or other interested parties requesting or requiring

c) measurement reviewer: the person or organizational unit that validates that the developed

6 © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

d) information owner: the person or organizational unit that owns the information that provides

e) information collector: the person or organizational unit responsible for collecting, recording and

g) information communicator: the person or organizational unit responsible for communicating the

Individuals performing different roles and responsibilities throughout the processes can require diverse skill sets and associated awareness and training.

7 Types of measures

7.1 General

For the purposes of this guidance, the performance of planned activities and the effectiveness of the

a) performance measures: measures that express the planned results in terms of the characteristics

b) effectiveness measures: measures that express the effect that realization of the planned activities

Note that the terms “performance measures” and “effectiveness measures” should not be confused

effectiveness.

7.2 Performance measures

Performance measures can be used to demonstrate progress in implementing ISMS processes, associated

activities have been realised and intended results achieved, performance measures should concern the

ISMS activities.

reduce the cost and effort required and the potential for human error.

© ISO/IEC 2016 – All rights reserved 7

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Example 1

measurement activities can refocus on other controls in need of improvement.

Example 2

and other meetings that can be called. The planned (or intended) result in this case is full attendance

should reach and remain close to their planned targets. At this point, the organization should begin to focus its measurement efforts on effectiveness measures (see 7.3).

7.3).

According to ISO/IEC 27001:2013, 9.1, it is likewise important to also measure the effectiveness of

performance and effectiveness at planned intervals.

7.3 Effectiveness measures

Effectiveness measures should be used to describe the effectiveness and impact that the realisations of the ISMS risk treatment plan and ISMS processes and controls have on the organization’s information

d) evaluate the degree to which ISMS processes, controls, or groups of controls have been implemented

h) interpret and report this data to decision makers.

8 © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

These effectiveness measures combine information about the realisation of the risk treatment plan

and can be the ones that ought to be of most interest to top management.

Example 3

the greater the related risk exposure. An effectiveness measure can help an organization determine

Example 4

measure can help the organization to determine the extent to which each trainee has understood

8 Processes

8.1 General

In addition, there is an ISMS management process that covers the review and improvement of the above processes, see 8.8.

© ISO/IEC 2016 – All rights reserved 9

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

Figure 2 — Monitoring, measurement, analysis and evaluation processes

8.2 Identify information needs

d) the risk treatment plan.

e) examine the ISMS, its processes and other elements such as:

10 © ISO/IEC 2016 – All rights reserved

N or

m en

-D ow

nl oa

d- B

eu th

-M ax

P la

nc k

G es

el ls

ch af

t z ur

F ör

de ru

ng d

er W

is se

ns ch

af te

n- K

dN r.7

92 69

56 -L

fN r.7

89 49

26 00

1- 20

17 -0

3- 17

1 3:

49

http://mahdi.hashemitabar.com

ISO/IEC 27004:2016(E)

g) select a subset of information needs required to be addressed in measurement activities from the

h) document and communicate the selected information needs to all relevant interested parties.

8.3 Create and maintain measures

8.3.1 General

measures at planned intervals or when the ISMS’s environment undergoes substantial changes. Such changes can include, among others:

Creating or updating such measures can include, among others, the followings steps:

k) keep management informed and engaged.

Updating measures is expected to take less time and effort than the initial creation.

8.3.2 Identify current security practices that can support information needs

practices can include measurement associated with:

© ISO/IEC 2016 – All rights reserved 11

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!
Answer.docx Turnitin Report.pdf Contact Writer For Solution Contact Writer For Solution

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed
Order Now

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed
Order Now

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed
Order Now

6 writers have sent their proposals to do this homework:

Financial Hub
24/7 Assignment Help
Custom Coursework Service
Premium Solutions
Finance Homework Help
Online Assignment Help
Writer Writer Name Offer Chat
Financial Hub

ONLINE

Financial Hub

I am a professional and experienced writer and I have written research reports, proposals, essays, thesis and dissertations on a variety of topics.

 $38 Chat With Writer
24/7 Assignment Help

ONLINE

24/7 Assignment Help

I reckon that I can perfectly carry this project for you! I am a research writer and have been writing academic papers, business reports, plans, literature review, reports and others for the past 1 decade.

 $31 Chat With Writer
Custom Coursework Service

ONLINE

Custom Coursework Service

After reading your project details, I feel myself as the best option for you to fulfill this project with 100 percent perfection.

 $16 Chat With Writer
Premium Solutions

ONLINE

Premium Solutions

I am a PhD writer with 10 years of experience. I will be delivering high-quality, plagiarism-free work to you in the minimum amount of time. Waiting for your message.

 $15 Chat With Writer
Finance Homework Help

ONLINE

Finance Homework Help

I am a PhD writer with 10 years of experience. I will be delivering high-quality, plagiarism-free work to you in the minimum amount of time. Waiting for your message.

 $32 Chat With Writer
Online Assignment Help

ONLINE

Online Assignment Help

I am an academic and research writer with having an MBA degree in business and finance. I have written many business reports on several topics and am well aware of all academic referencing styles.

 $19 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Post your homework

Similar Homework Questions

The open boat quiz - Filipino tattoos ancient to modern pdf download - Reflections 01 Pre-work - Data nugget gene expression in stem cells quizlet - Holy cross high hamilton - Richard burton poetry recordings - Discussion: 5 Reasons Our Client's Sexuality is Important to Address in Counseling . - Business Strategy Discussion - Cell homeostasis virtual lab - Animal farm chapter 8 10 questions and answers - Special conditions in contract of sale property wa - Indiana university grade distribution - Jb hi fi extended warranty - Amp small shareholding sale facility - Excel assignment 2 - Lección 2 repaso pruebas de práctica - Managing police organizations 7th edition - Download ezcast for windows - History us - Assignment Help- Website hosting and Contenet management - "A" WORK DISCUSSION IN 18 HOURS - National early literacy panel 2008 - English Comp 2 Week 4 - Themes for the tempest - Uncommon service the zappos case study - Management - Chalk and wire saint leo university - Cybercrime - Mid digital hair recessive or dominant - Sensory profile scoring sample - Inside intel inside harvard case study - Bachelor of arts pathway to teaching primary uws - No child left behind thesis statement - Introduction to sociology seagull 10th edition pdf - Haworth building birmingham university - Neil mercer exploratory talk - What is a dress up in writing - HRMT PAPER - This is just to say by william carlos williams pdf - In mrs tilscher's class - Powerpoint presentation - Final Paper - Ex2200 24t 4g dc - Egg drop newton's laws - Unit 10 health and social care level 3 p4 - The lost man chapter summary - Gravimetric analysis questions and answers - Walmart in africa case study pdf - Electron configuration of phosphorus - What is a partial balance sheet - Granny and the wolf script - To measure the amount of acetic acid in vinegar - Embassy publishing company received a six chapter manuscript - Alice springs business directory - Eva bossenberger boone nc - Research paper on Miles Davis - Gangster disciples handshake tutorial - Self discipline plays an important role in leadership development because - Macquarie flexi 100 trust performance - Biology - What type of plate boundary does california straddle - Dateline on the outskirts of town youtube - Humanity Essay - Oh no inc sells three models - Bulletproof glass rosemary laing - Down under products ltd of australia has budgeted sales - Pr 6 5a accounting - 1 lambda to afr - What is the mass of 0.0250 mol of p2o5 - How to calculate tukey hsd - Explain the ladder of abstraction. Compare and contrast between philosophies, conceptual models, grand theories, nursing theories, and middle-range theories. - Define periodization and its components - Grandma's experiences leave a mark on your genes - Eric dunn hooray ranch net worth - Which agile development model uses timeboxing as a key element - Sunsuper for life guide - Discussion Board Forum 1 - Is scoria intrusive or extrusive - Research Paper In American Literature I(for fixing) - Marketing strategies business studies - How to find focal length of parabola - Kath murdoch inquiry cycle - Indian camp ernest hemingway character analysis - Discussion Post- Due today 10:00om ET - S&p 500 index gspc - Principles of managements and organization - Business and technical writing final exam - Ampm doctors high road - Observation of project - Hsbc signature mandate form - Multiphasic personality inventory test online - A basic dye is utilized to stain bacterial cells - Integrative and Distributive Negotiations - Airport transfer booking form - A plea for captain john brown sparknotes - Teams - Nau jobs for jacks - Examples of project plan - What is a tone in colour - "Identify and evaluate the social media/digital marketing strategy used by your company(Kylie Cosmetics)." Kylie cosmetics is owned by Kylie Jenner.