ISO/IEC 27004:2016 Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation (Spanish version).pdf

Tags: 2016, 27004, IEC, ISO, pdf, foreign and Hong Kong/Macao/Taiwan standards
Pages: 68
File size: 924.27 KB
Format: pdf
Category: foreign and Hong Kong/Macao/Taiwan standards

INTERNATIONAL STANDARD

Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation

Technologies de l'information - Techniques de sécurité - Management de la sécurité de l'information - Surveillance, mesurage, analyse et évaluation

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2016, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office, Ch. de Blandonnet 8, CP 401, CH-1214 Vernier, Geneva, Switzerland. Tel. +41 22 749 01 11, Fax +41 22 749 09 47, copyright@

Contents

5.1 The need for measurement
5.2 Fulfilling the ISO/IEC 27001 requirements
5.3 Validity of results
5.4 Benefits

6.1 General
6.2 What to monitor
6.3 What to measure
6.4 When to monitor, measure, analyse and evaluate
6.5 Who will monitor, measure, analyse and evaluate

7 Types of measures
7.1 General
7.2 Performance measures
7.3 Effectiveness measures

8 Processes
8.1 General
8.2 Identify information needs
8.3 Create and maintain measures
8.3.1 General
8.3.2 Identify current security practices that can support information needs
8.3.3 Develop or update measures
8.3.4 Document measures and prioritize for implementation
8.3.5 Keep management informed and engaged
8.4 Establish procedures
8.5 Monitor and measure
8.6 Analyse results
8.8 Review and improve monitoring, measurement, analysis and evaluation processes
8.9 Retain and communicate documented information

Annex A (informative) An information security measurement model

Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see …).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see …).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL:

The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

This second edition of ISO/IEC 27004 cancels and replaces the first edition (ISO/IEC 27004:2009) which has been technically revised.

This edition includes the following significant changes with respect to the previous edition:

- … ISO/IEC 27001:2013, 9.1, which at the time of the previous edition did not exist.

- The concepts and processes have been modified and expanded. However, the theoretical foundation (ISO/IEC 15939) remains the same, and several of the examples given in the previous edition are preserved, albeit updated.

Introduction

This document is intended to assist organizations to evaluate the information security performance and the effectiveness of an information security management system in order to fulfil the requirements of ISO/IEC 27001:2013, 9.1: monitoring, measurement, analysis and evaluation.

The results of monitoring and measurement of an information security management system (ISMS) … continual improvement.

… applicable, but the particular measures that any particular organization requires depend on contextual …

This document is recommended for organizations implementing an ISMS that meets the requirements of ISO/IEC 27001. However, it does not establish any new requirements for ISMS which conform to ISO/IEC 27001 or impose any obligations upon organizations to observe the guidelines presented.
