Scribd Logo
Upload

Welcome to Scribd!

  • Iso 27004 2016

    Uploaded by

    taek
    421 views66 pages

    Original Title

    ISO_27004_2016

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    421 views66 pages

    Iso 27004 2016

    Uploaded by

    taek

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 66

    I N TERNATIONAL ISO/IEC

    S TANDARD 2 7004

    Second editio n

    2 0 1 6- 1 2 - 1 5

    Information technology — Security


    techniques — Information security
    management — Monitoring,
    measurement, analysis and evaluation

    Technologies de l’information — Techniques de sécurité —


    Management de la sécurité de l’information —
    Surveillance, mesurage, analyse et évaluation

    Reference numb er

    I SO /I EC 2 7 0 0 4: 2 0 1 6(E )

    © I SO /I E C 2 0 1 6
    ISO/IEC 2 7004: 2 01 6(E)

    COPYRIGHT PROTECTED DOCUMENT

    © I SO /I EC 2 0 1 6, Publis hed in Switzerland

    All rights reserved. Unless otherwise specified, no part o f this publication may be reproduced or utilized otherwise in any form
    or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
    written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country o f
    the reques ter.

    ISO copyright o ffice


    Ch. de B lando nnet 8 • C P 40 1

    CH -1 2 1 4 Vernier, Geneva, Switzerland

    Tel. + 41 2 2 749 0 1 1 1

    Fax + 41 2 2 7 49 0 9 47

    copyright@iso.org
    www.iso. o rg

    ii © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    Contents Page

    Foreword .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. iv

    Introduction . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . v

    1 Scope . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 1

    2 Normative references . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . 1

    3 Terms and definitions . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . 1


    4 Structure and overview . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . 1

    5 Rationale . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . 2
    5 .1 The need for measurement . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. 2

    5.2 Fulfilling the ISO/IEC 27001 requirements . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . 3

    5.3 Validity o f results . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . 3

    5.4 Benefits . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . 3

    6 Characteristics . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . .. . . . . . . . 4
    6.1 General . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . 4

    6.2 What to monitor. . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . 4

    6.3 What to measure . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . 5

    6.4 When to monitor, measure, analyse and evaluate . . . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 6

    6.5 Who will monitor, measure, analyse and evaluate . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . 6

    7 Types of measures . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . 7
    7 .1 General . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . 7

    7 .2 Performance measures .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 7

    7 .3 E ffectiveness measures . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. 8

    8 Processes . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. 9
    8 .1 General . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . 9

    8.2 Identi fy information needs . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . 10

    8 .3 C reate and maintain measures . . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . 1 1

    8 .3 .1 General . . . . . . .. . . . . . . . . .. .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 1 1

    8.3.2 Identi fy current security practices that can support information needs . . . . . . . . . .. . . . . . . . . . . 11

    8 .3 .3 D evelop or update measures .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . 1 2

    8 .3 .4 D ocument measures and prioritize for implementation . . . .. . . . . . . . . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . 1 3

    8 .3 .5 Keep management informed and engaged . . .. . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . 1 3

    8 .4 E stab lish procedures . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . . 1 4

    8 .5 M onitor and measure . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . 1 4

    8.6 Analyse results . . . . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 15

    8.7 Evaluate information security performance and ISMS e ffectiveness . . . . . .. . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . 15

    8.8 Review and improve monitoring, measurement, analysis and evaluation processes . . .. . . . . . . . . 15

    8 .9 Retain and communicate documented information . .. . . . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . 1 5

    Annex A (informative) An information security measurement model . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . 1 7

    Annex B (informative) Measurement construct examples . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . 1 9

    Annex C (informative) An example of free-text form measurement construction .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . 5 7

    Bibliography . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . . .. . . . . . . . 5 8

    © I SO /I E C 2 0 1 6 – All rights res erved iii


    ISO/IEC 2 7004: 2 01 6(E)

    Foreword

    I SO (the I nternational O rgani zation for Standardiz ation) and I E C (the I nternational E lec trotechnical

    Commission) form the specialized system for worldwide standardization. National bodies that are
    memb ers of I S O or I E C p ar ticip ate in the development of I nternational Standards through technical

    committees established by the respective organization to deal with particular fields o f technical
    activity. ISO and IEC technical committees collaborate in fields o f mutual interest. Other international
    organi zation s , governmental and non- governmental, in l iaison with I SO and I E C , al so take p ar t in the

    work. In the field o f in formation technology, ISO and IEC have established a joint technical committee,
    I SO/I EC J TC 1 .

    T he procedures used to develop this do cument and those intended for its fur ther maintenance are

    describ ed in the I S O/I EC D irec tives , Par t 1 . I n p ar ticu lar the di fferent approval criteria needed for

    the di fferent types o f document should be noted. This document was dra fted in accordance with the
    editorial ru les of the I SO/I E C D irec tives , Par t 2 (see www. iso . org/direc tives) .

    Attention is drawn to the possibility that some o f the elements o f this document may be the subject
    o f patent rights. ISO and IEC shall not be held responsible for identi fying any or all such patent
    rights. Details o f any patent rights identified during the development o f the document will be in the
    I ntro duc tion and/or on the I S O lis t of p atent declarations received (see www. iso . org/p atents) .

    Any trade name used in this document is in formation given for the convenience o f users and does not
    cons titute an endorsement.

    For an explanation on the meaning o f ISO specific terms and expressions related to con formity assessment,
    as well as information about I SO ’s adherence to the World Trade O rganization ( WTO) principles in the

    Technical B arriers to Trade (TB T ) see the following URL: www.iso.org/iso/foreword. html.

    T he com mittee res p ons ible for this do cument is I SO/I E C J TC 1 , Information technology, Sub committee
    SC 2 7, IT Security techniques.
    This second edition o f ISO/IEC 27004 cancels and replaces the first edition (ISO/IEC 27004:2009),
    which has been technically revised.
    This edition includes the following significant changes with respect to the previous edition:
    A total res truc turing of the do cument b ecause it has a new purp os e – to provide guidance on

    I SO/I EC 2 70 01 : 2 01 3 , 9.1 – which, at the time of the previous edition, did not exis t.

    The concepts and processes have been modified and expanded. However, the theoretical foundation
    (I SO/I EC 1 593 9) remains the s ame and several of the examples given in the previous edition are

    preser ved, alb eit up dated.

    iv © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    Introduction

    T h i s do c u ment i s i ntende d to a s s i s t orga ni z ation s to eva luate the i n formation s e c urity p er forma nce

    and the e ffe c tivene s s o f an i n formation s e c u rity ma nagement s ys tem i n order to fu l fi l the re qu i rements

    o f I S O/I E C 2 70 01 : 2 01 3 , 9.1 : mon itori ng , me a s u rement, a na lys i s a nd eva luation .

    T he re s u lts o f mon itori ng a nd me as u rement o f a n i n formation s e c urity ma nagement s ys tem (I S M S )

    can b e s upp or tive of decis ions relating to I SM S governance, management, op erational effec tivenes s and

    continual improvement.

    As with other I SO/I EC 2 70 0 0 documents , this document shou ld b e cons idered, interpreted and adap ted

    to s u it e ach organ i z ation’s s p e c i fic s ituation . T he concep ts and appro ache s a re i ntende d to b e bro ad ly

    app l ic able but the p a r tic u l ar me as u re s that any p ar tic u lar orga n i z ation re qu i re s dep end on conte xtua l

    fac tors (s uch as its s i z e, s e c tor, matu rity, i n formation s e c urity ri s ks , compl i ance obl igation s a nd

    management s tyle) that va r y widely i n prac tice .

    T his document is recommended for organi z ations implementing an I SM S that meets the requirements

    o f I S O/I E C 2 70 01 . H owever, it do e s no t e s tabl i s h a ny new re qu i rements for I S M S wh ich con form to

    I S O/I E C 2 70 01 or i mp o s e any obl igation s up on organ i z ation s to ob s er ve the gu idel i ne s pre s ente d .

    © I SO /I E C 2 0 1 6 – All rights res erved v


    INTERNATIONAL STANDARD ISO/IEC 2 7004: 2 01 6(E)

    Information technology — Security techniques —


    Information security management — Monitoring,
    measurement, analysis and evaluation

    1 Scope

    T his do cument provides guidelines intended to as s is t organi zations in evaluating the information

    s e c u rity p er formance and the e ffe c ti vene s s o f a n i n formation s e c urity ma nagement s ys tem i n order to

    fu l fi l the re qu i rements o f I S O/I E C 2 70 01 : 2 01 3 , 9.1 . I t e s tabl i she s:

    a) the mon itori ng a nd me a s u rement o f i n formation s e c urity p er formance;

    b) the mon itori ng and me a s urement o f the e ffe c tivene s s o f a n i n formation s e c u rity management

    s ys tem (I S M S ) i nclud i ng its pro ce s s e s and control s;

    c) the ana lys i s a nd eva luation o f the re s u lts o f mon itori ng and me a s u rement.

    T h i s do c ument i s appl ic able to a l l typ e s and s i z e s o f organ i z ation s .

    2 Normative references

    T he fol lowi ng do c u ments are re ferre d to i n the tex t i n s uch a way th at s ome or a l l o f thei r content

    con s titute s re qu i rements o f th i s do c u ment. For date d re ference s , on ly the e d ition cite d appl ie s . For

    u ndate d re ference s , the late s t e d ition o f the re ference d do c ument (i nclud i ng a ny amend ments) appl ie s .

    T here are no normative references in this do cument.

    3 Terms and definitions


    For the pu r p o s e s o f th i s do c u ment, the term s and defi nition s given i n I S O/I E C 2 70 0 0 apply.

    I S O and I E C maintain term inological datab ases for use in s tandardiz ation at the fol lowing addres ses:

    — I EC E lec trop edia: avai lable at http://www. elec trop edia. org/

    — I SO O nl ine brows ing platform: avai lable at http://www. iso . org/obp

    4 Structure and overview

    T his do cument is s truc tured as fol lows:

    a) Rationale (C lause 5 ) ;

    b) C harac teris tics (C lause 6 ) ;

    c) Typ e s o f me a s u re s (C laus e 7 ) ;

    d) P ro ces s es (C lause 8) .

    T he ordering of these clauses is intended to aid unders tanding and map to I S O/I E C 2 70 01 : 2 01 3 , 9.1

    requirements , as is i l lus trated in Figure 1 .

    Star ti ng with the i n formation ne e de d to fu l fi l th at re qui rement, re ferre d to as i n formation ne e d s , the

    orga ni z ation de term i ne s the me a s ure s th at it wi l l u s e to fu l fi l tho s e i n formation ne e d s . T he pro ce s s

    © I SO /I E C 2 0 1 6 – All rights res erved 1


    ISO/IEC 2 7004: 2 01 6(E)

    o f mon itori ng a nd me as u rement pro duce s data wh ich i s then a na lys e d . T he re s u lts o f ana lys i s a re

    eva luate d i n fu l fi l ment o f the organ i z ation’s i n formation ne e d s .

    I n addition, Annex A de s c rib e s a me as u rement mo del for i n formation s e c u rity, i nclud i ng the relation s h ip

    b etween the comp onents of the meas urement model and the requirements of I S O/I EC 2 70 01 : 2 01 3 , 9.1 .

    Annex B provides a wide range of examples . T hese examples are intended to provide prac tical guidance

    on how organ i z ation s c an mon itor, me a s u re, ana lys e and eva luate thei r cho s en I S M S pro ce s s e s and

    are a s o f i n formation s e c u rity p er formance . T he s e e xample s u s e the s ugge s te d templ ate given i n Table 1 .

    Annex C provides a fur ther example us ing an alternative free-form text-b ased format.

    Figure 1 — Mapping to ISO/IEC 2 70 01: 2 013 , 9.1 requirements

    5 Rationale

    5 .1 The need for measurement

    T he overa l l obj e c tive o f an I S M S i s the pre s er vation o f con fidenti a l ity, i ntegrity a nd ava i labi l ity o f

    in formation within its scop e. T here are I SM S ac tivities that concern the planning of how to do this , and

    the i mplementation o f tho s e plan s . H owever, by them s elve s , the s e ac tivitie s c an no t gua rante e that the

    re a l i s ation o f tho s e plan s fu l fi l the i n formation s e c u rity obj e c tive s . T here fore, i n the I S M S a s defi ne d

    by I S O/I E C 2 70 01 , there a re s evera l re qui rements to eva luate i f the pl an s a nd ac tivitie s en s u re the

    fu l fi l ment o f the i n formation s e c u rity obj e c tive s .

    2 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    5 . 2 F u l fi l l i n g th e I S O / I E C 2 7 0 0 1 r e q u i re m e n ts

    ISO/IEC 27001:2013, 9.1 requires the organization to evaluate the in formation security per formance
    and the e ffectiveness o f the ISMS. Measure types able to fulfil these requirements can be found in
    C lause 7.

    I S O/I E C 2 70 01 : 2 01 3 , 9.1 fur ther requires the organiz ation to determine:

    a) what needs to be monitored and measured, including in formation security processes and controls;
    b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid
    results;
    c) when the monitoring and measuring shall be per formed;
    d) who shall monitor and measure;
    e) when the results from monitoring and measurement shall be analysed and evaluated; and
    f ) who shall analyse and evaluate these results.
    T he mapping of these requirements is provided in Figure 1 .

    Finally, ISO/IEC 27001:2013, 9.1 requires the organization to retain appropriate documented
    information as evidence of the monitoring and meas urement res u lts (S ee 8 .9) .

    I S O/I E C 2 70 01 : 2 01 3 , 9.1 al so notes that metho ds selec ted shou ld pro duce comp arable and repro ducible

    res u lts in order for them to b e cons idered val id (S ee 6 .4) .

    5 .3 Validity of results

    I S O/I E C 2 70 01 : 2 01 3 , 9.1 b) requires that organiz ations cho ose metho ds for meas urement, monitoring,

    analysis and evaluation to ensure valid results. The clause notes that to be valid, results should
    be comparable and reproducible. To achieve this, organizations should collect, analyse, and report
    meas ures , taking the fol lowing p oints into cons ideration:

    a) in order to get comp arable res u lts on meas ures that are b ased on monitoring at different p oints in

    times, it is important to ensure that scope and context o f the ISMS are not changed;
    b) changes in the methods or techniques used for measuring and monitoring do not generally lead to
    comparable results. In order to retain comparability, specific tests such as parallel application o f
    the original as well as the changed methods can be required;
    c) i f subjective elements are part o f the methods or techniques used for measuring and monitoring,
    specific steps can be needed to obtain reproducible results. As an example, questionnaire results
    should be evaluated against defined criteria; and
    d) in some situations, reproducibility can only be given in specific circumstances. For example, there
    are s ituations where res u lts are non-repro ducible, but are valid when aggregated.

    5 . 4 B e n e fi ts

    Fulfilling ISMS processes and controls and ensuring in formation security per formance can provide a
    number o f organizational and financial benefits. Major benefits can include:
    a) Increased accountability: Monitoring, measurement, analysis and evaluation can increase
    accountability for in formation security by helping to identi fy specific in formation security
    processes or controls that are implemented incorrectly, are not implemented, or are ine ffective.
    b) Improved information security performance and ISMS processes: Monitoring, meas urement,
    analysis and evaluation can enable organizations to quanti fy improvements in securing in formation

    © I SO /I E C 2 0 1 6 – All rights res erved 3


    ISO/IEC 2 7004: 2 01 6(E)

    within the scope o f their ISMS and demonstrate quantifiable progress in accomplishing the
    organization’s in formation security objectives.
    c) Evidence of meeting requirements: Monitoring, measurement, analysis and evaluation can
    provide documented evidence that helps demonstrate fulfilling o f ISO/IEC 27001 (and other
    s tandards) requirements , as wel l as appl icable laws , ru les , and regu lations .

    d) Support decision-making: Monitoring, measurement, analysis and evaluation can support risk-
    in formed decision-making by contributing quantifiable in formation to the risk management
    pro ces s . It can al low organi z ations to meas ure s ucces ses and fai lures of p as t and current

    in formation security investments, and should provide quantifiable data that can support resource
    al location for future inves tments .

    6 Characteristics

    6.1 General

    Monitoring and measurement is the first step in a process to evaluate in formation security per formance
    and I SM S effec tivenes s .

    Faced with a potentially overwhelming variety o f attributes o f in formation security-related entities


    that can be measured, it is not entirely obvious which ones should be measured. This is an important
    issue because it is impracticable, costly and counterproductive to measure too many or the wrong
    attributes. Aside from the obvious costs o f measuring, analysing and reporting numerous attributes,
    there is a distinct possibility that key issues can be obscured within a large volume o f in formation or
    mis sed altogether if s uitable meas ures are not in place.

    In order to determine what to monitor and measure, the organization should first consider what it
    wishes to achieve in evaluating in formation security per formance and ISMS e ffectiveness. This can
    al low it to determine its in formation needs .

    O rgani z ations shou ld next decide what meas ures are needed to s upp or t each discrete information

    need and what data are required to derive the requisite measures. Hence, measurement should always
    corres p ond to the information needs of the organi zation .

    6.2 What to monitor

    Monitoring determines the status o f a system, a process or an activity in order to meet a specified
    in formation need.

    Systems, processes and activities which can be monitored include, but are not limited to:
    a) implementation o f ISMS processes;
    b) incident management;
    c) vulnerability management;
    d) configuration management;
    e) security awareness and training;
    f ) access control, firewall and other event logging;
    g) audit;
    h) risk assessment process;
    i) risk treatment process;
    j) third party risk management;
    4 © I SO /I E C 2 0 1 6 – All rights res erved
    ISO/IEC 2 7004: 2 01 6(E)

    k) business continuity management;


    l) physical and environmental security management; and
    m) system monitoring.
    T hese monitoring ac tivities produce data (event logs , user inter views , training s tatis tics , incident

    in formation, etc.) that can be used to support other measures. In the process o f defining attributes to be
    meas ured, additional monitoring can b e required to provide s upp or ting in formation .

    Note that monitoring can al low an organiz ation to determ ine whether a risk has materiali zed, and

    thereby indicate what action it can take to treat such a risk itsel f. Note also that there can be certain
    types o f in formation security controls that have the explicit purpose o f monitoring. When using outputs
    of s uch control s to s upp or t meas urement, organiz ations shou ld ens ure that the meas urement proces s

    takes into account whether the data used was obtained be fore or a fter any treatment action was taken.

    6.3 What to measure

    Measurement is an activity undertaken to determine a value, status or trend in per formance or


    e ffectiveness to help identi fy potential improvement needs. Measurement can be applied to any ISMS
    pro ces ses , ac tivities , control s and groups of controls .

    As an example, cons ider I S O/I E C 2 70 01 : 2 01 3 , 7. 2 c) , which requires an organi zation to take ac tion, where

    applicable, to acquire necessary competence. An organization can determine whether all individuals
    who require training have received it and whether the training was delivered as planned. T his can b e

    measured by the number or percentage o f people trained. An organization can also determine whether
    the individuals who have been trained actually acquired and retained the necessary competence (which
    can b e meas ured with a p os t-training ques tionnaire) .

    With regards to I SM S pro ces ses , organi zations shou ld note that there are a numb er of claus es in

    ISO/IEC 27001 that explicitly require the e ffectiveness o f some activity to be determined. For example,
    I S O/I E C 2 70 01 : 2 01 3 , 10 .1 d) requires organiz ations to review the effectiveness of any corrective

    action taken ”.
    In order to per form such a review, the e ffectiveness o f corrective actions should first be
    determined in terms o f some defined form o f measure. In order to do this the organization should first
    define an appropriate in formation need and a measure, or measures, to satis fy it. The process for doing
    this is explained in C lause 8 .

    I SM S pro ces ses and ac tivities that are candidates for meas urement include:

    a) planning;
    b) leadership;
    c) risk management;
    d) policy management;
    e) resource management;
    f ) communicating;
    g) management review;
    h) documenting; and
    i) auditing.

    With regards to in formation security per formance, the most obvious candidates are the organization’s
    in formation security controls or groups o f such controls (or even the entire risk treatment plan). These
    control s are determ ined through the pro ces s of risk treatment and are referred to in I S O/I EC 2 70 01 as

    necessary controls. They can be ISO/IEC 27001:2013, Annex A controls, sector-specific controls (e.g. as
    defined in standards such as ISO/IEC 27010), controls specified by other standards and controls that

    © I SO /I E C 2 0 1 6 – All rights res erved 5


    ISO/IEC 2 7004: 2 01 6(E)

    have been designed by the organization. As the purpose o f a control is to modi fy risk, there are a variety
    of attributes that can b e meas ured, s uch as:

    j) the degree to which a control reduces the likelihood o f the occurrence o f an event;
    k) the degree to which a control reduces the consequence o f an event;
    l) the frequency o f events that a control can cope with be fore failure; and
    m) how long after the occurrence of an event do es it take for the control to detec t that the event has

    o ccurred.

    6.4 When to monitor, measure, analyse and evaluate

    Organizations should define specific time frames in which to monitor, measure, analyse, and evaluate,
    based on individual in formation needs, required measures, and the li fecycle o f data supporting
    individual measures. The data supporting measures can be collected more frequently than the analysis
    and reporting o f such measures to individual interested parties. For example, while data on security
    incidents can be collected continually, reporting o f such data to external interested parties should be
    based on specific requirements, such as severity (possibly requiring immediate notification as in the
    case of a rep or table breach) or aggregated values (as might b e the cas e for attemp ted intrus ions which

    were detec ted and blo cked) .

    Organizations should note that in order to satis fy certain in formation needs, be fore analysis and
    evaluation can pro ceed, an appropriate volume of data needs to b e col lec ted in order to provide

    a meaning ful basis for assessment and comparison (e.g. when conducting statistical analysis). In
    addition, the processes o f monitoring, measurement, analysis, and evaluation can need testing and
    fine-tuning be fore the resulting measures can be use ful to the organization. Organizations should
    there fore determine a limit to the duration o f any fine-tuning (so as to proceed with the real objective,
    measurement o f the ISMS) and for how long monitoring and collection should continue be fore analysis
    and evaluation can commence.

    Organizations can adjust their measurement time frames, as they update their measurement activities,
    to address specific environmental changes listed in 8 . 2 . For example, if an organiz ation is trans itioning
    from a manual data source to an automated source, a change in frequency o f collection can be required.
    Fur thermore, a b asel ine is needed to comp are two sets of meas ures taken at di fferent p oints in time

    and potentially by di fferent methods but aiming to fulfil the same in formation need.
    An organization can choose to structure their monitoring, measurement, analysis, and evaluation
    ac tivities into a meas urement programme. I t is imp or tant to note, however, that I SO/I EC 2 70 01 has no

    requirement for organiz ations to have s uch a programme.

    6.5 Who will monitor, measure, analyse and evaluate

    ) should speci fy who


    O rgani z ations (con s idering requirements of I SO/I E C 2 70 01 : 2 01 3 , 9.1 and 5 . 3

    monitors, measures, analyses and evaluates in terms o f individuals or roles. Monitoring, measurement,
    analysis, and evaluation can be per formed using either manual or automated means. Whether
    the measurement is per formed manually or automatically, organizations can define the following
    meas urement-related roles and res p ons ibi lities:

    a) meas urement client: the management or other interes ted p ar ties reques ting or requiring

    in formation about the e ffectiveness o f an ISMS, controls or group o f controls;


    b) measurement planner: the person or organizational unit that defines the measurement constructs
    that links measurable attributes to a specified in formation need;
    c) meas urement reviewer: the p erson or organi zational unit that validates that the develop ed

    measurement constructs are appropriate for evaluating in formation security per formance and the
    e ffectiveness o f an ISMS, controls or group o f controls;

    6 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    d) in formation owner: the p ers on or organi zational unit that owns the information that provides

    i nput i nto me a s u re s . T h i s p ers on i s re s p on s ible for provid i ng the data and i s a l s o fre quently ( but

    no t a lways) re s p on s ible for conduc ti ng me as u rement ac tivitie s;

    e) in formation col lec tor: the p ers on or organi zational unit res p ons ible for col lec ting, recording and

    s tori ng the data;

    f) i n formation ana lys t: the p ers on or orga ni z ationa l u n it re s p on s ible for ana lys i ng data; and

    g) in formation communicator: the p erson or organiz ational unit res p ons ible for communicating the

    re s u lts o f ana lys i s .

    O rga n i z ation s c an combi ne s ome, or p o s s ibly a l l , o f the s e role s .

    I ndividual s p erforming different roles and res p ons ibil ities throughout the pro ces ses can require

    diverse skil l sets and as so ciated awarenes s and training.

    7 Types of measures

    7.1 General

    For the purp oses of this guidance, the p erformance of planned ac tivities and the effec tivenes s of the

    re s u lts c an b e me as u re d by applyi ng the two fol lowi ng typ e s o f me as u re s:

    a) p erformance meas ures: meas ures that expres s the planned res u lts in terms of the charac teris tics

    o f the p lan ne d ac tivity, s uch as he ad cou nts , m i le s tone accompl i s h ment, or the degre e to wh ich

    i n formation s e c u rity control s h ave b e en i mplemente d;

    b) effec tivenes s meas ures: meas ures that expres s the effec t that reali zation of the planned ac tivities

    h as on the orga n i z ation’s i n formation s e c u rity obj e c tive s .

    T he s e me as u re s c an b e i n herently organ i z ation- s p e c i fic s i nce e ach organ i z ation ha s its own p a r tic u l ar

    i n formation s e c u rity obj e c tive s , p ol ic ie s a nd re qu i rements .

    Note that the terms “p erformance meas ures ” and “effec tivenes s meas ures ” should not b e confused

    with the I S O/I E C 2 70 01 : 2 01 3 , 9.1 re qui rement to eva luate i n formation s e c u rity p er formance a nd I S M S

    effec tivenes s .

    7.2 Performance measures

    Performance meas ures can b e used to demons trate pro gres s in implementing I S M S pro ces ses , as so ciated

    pro ce du re s and s p e ci fic s e c u rity control s . Where a s e ffe c tivene s s concern s the ex tent to wh ich pla n ne d

    ac tivities have b een real ised and intended res ults achieved, p erformance meas ures should concern the

    ex tent to wh ich i n formation s e c u rity pro ce s s e s and control s have b e en i mplemente d . T he s e me as u re s

    help de term i ne whe ther the I S M S pro ce s s e s a nd i n formation s e c u rity control s have b e en i mp lemente d

    as s p e c i fie d .

    Per formance me as u re s u s e data that ca n b e ob tai ne d from m i nute s , attenda nce re cord s , proj e c t plan s ,

    automate d s c a nn i ng to ol s and o ther com mon ly-u s e d me a n s o f do c u menti ng , re cord i ng , and mon itori ng

    I SM S ac tivities .

    T he col le c tion, ana lys i s , and rep or ti ng o f me a s u re s s hou ld b e automate d wherever p o s s ible, i n order to

    reduce the cos t and effor t required and the p otential for human error.

    © I SO /I E C 2 0 1 6 – All rights res erved 7


    ISO/IEC 2 7004: 2 01 6(E)

    E xample 1

    When measuring the degree o f implementation o f specific in formation security controls, such as
    the percentage o f laptops with hard disk encryption, the results o f this measure will likely be, at
    first, less than 100%. When the result reaches and remains at 100%, it can be concluded that the
    in formation systems have fully implemented the security controls addressed by this measure, and
    meas urement ac tivities can refo cus on other control s in need of improvement.

    E xample 2

    For a new ISMS, the organization should first seek to ensure that top management attends the review
    and other meetings that can b e cal led. T he planned (or intended) res u lt in this case is fu l l attendance

    at all meetings, barring sickness and permitted prior commitments. The measure is simply how
    many attend versus how many ought to attend, with a possible modifier that absence was for good
    reason. At first, the results o f these measures might indicate a shortfall. However, with time, results
    shou ld reach and remain clos e to their planned targets . At this p oint, the organi zation should b egin

    to fo cus its meas urement effor ts on effec tivenes s meas ures (see 7. 3 ) .

    After most per formance measures reach and remain at 100%, the organization should begin to focus its
    measurement e fforts on e ffectiveness measures. Organizations should never fully retire per formance
    measures because they can be help ful in pointing out specific security controls that are in need o f
    improvement; however, over time, the emphasis and resources being applied to measurement should
    shi ft away from these measures and towards e ffectiveness measures (see 7. 3 ) .
    According to I SO/I E C 2 70 01 : 2 01 3 , 9.1 , it is l ikewise imp or tant to also meas ure the effec tivenes s of

    the management system (discussed next). To operate a suitable ISMS, organizations should measure
    p erformance and effec tivenes s at planned inter val s .

    7.3 Effectiveness measures

    E ffec tivenes s meas ures should b e used to describ e the effec tivenes s and imp ac t that the realis ations of

    the I SM S risk treatment plan and I SM S proces ses and controls have on the organi zation’s information

    security objectives. These measures should be used to determine whether ISMS processes and
    in formation security controls are operating as intended and achieving their desired outcomes.
    Depending upon those objectives, e ffectiveness measures can be used to quanti fy, e.g.:
    a) cost savings produced by the ISMS or through costs incurred from addressing in formation security
    incidents;
    b) the degree o f customer trust gained/maintained by the ISMS; and
    c) the achievement o f other in formation security objectives.
    E ffectiveness measures can be created by combining data obtained from automated monitoring and
    evaluation tools with manually-derived data about ISMS activity. This can require tracking a variety
    o f measures across the organization in a manner that can be directly tied to the ISMS activities and
    in formation security events. To achieve this, an organization should have an established capability to:
    d) evaluate the degree to which I SM S proces ses , controls , or groups of controls have b een implemented

    through per formance measures;


    e) collect data from automated monitoring and evaluation tools;
    f ) manually collect data from ISMS activities;
    g) normalize and analyse data originating from multiple automated and manual sources; and
    h) interpret and rep or t this data to decis ion makers .

    8 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    T hese effec tivenes s meas ures combine information ab out the real is ation of the risk treatment plan

    with a variety o f in formation about resources and can provide inputs to the risk management process.
    They can also provide the most direct insight into the value o f in formation security to the organization
    and can b e the ones that ought to b e of mos t interes t to top management.

    E xample 3

    Exploitations o f known vulnerabilities are known to cause a large portion o f in formation security
    incidents. The greater the number o f known vulnerabilities and the longer that they are not
    addressed (e.g. patched), the greater the probability o f their exploitation by associated threats and
    the greater the related risk exp os ure. An effec tivenes s meas ure can help an organi z ation determine

    its risk exposure caused by such vulnerabilities.


    E xample 4

    A training course can have specific training objectives for each course module. An e ffectiveness
    meas ure can help the organi zation to determine the extent to which each trainee has unders too d

    each lesson and is able to apply their new knowledge and skills. These measures usually require
    multiple data points, such as: results o f post-training tests; examination o f incident data correlated
    with training topics; or analysis o f help desk calls correlated with training topics.

    8 Processes

    8.1 General

    Monitoring, measurement, analysis and evaluation (see Figure 2) consists o f the following processes:
    a) identi fy in formation needs;
    b) create and maintain measures;
    c) establish procedures;
    d) monitor and measure;
    e) analyse results; and
    f ) evaluate in formation security per formance and ISMS e ffectiveness.
    I n addition, there is an I SM S management pro ces s that covers the review and improvement of the ab ove

    pro ces ses , see 8 . 8 .

    © I SO /I E C 2 0 1 6 – All rights res erved 9


    ISO/IEC 2 7004: 2 01 6(E)

    Figure 2 — Monitoring, measurement, analysis and evaluation processes

    8.2 Identify information needs

    T he cre ation o f me a s ure s shou ld b egi n with identi fic ation o f i n formation ne e d s , wh ich c an a s s i s t i n the

    unders ta nd i ng o f the op erationa l ch arac teri s tics and/or p er formance o f any a s p e c t o f the I S M S , s uch as

    any o f the fol lowi ng:

    a) i ntere s te d p ar ty ne e d s;

    b) the s trate gic d i re c tion o f the orga ni z ation;

    c) i n formation s e c u rity p ol ic y a nd obj e c tive s; and

    d) the risk treatment plan .

    T he fol lowi ng ac tivitie s shou ld b e p er forme d to identi fy releva nt i n formation ne e d s:

    e) examine the I SM S , its proces ses and other elements s uch as:

    1) i n formation s e c u rity p ol ic y and obj e c ti ve s , control obj e c tive s a nd control s;

    2) lega l, re gu l ator y, contrac tua l and orga n i z ationa l re qui rements for i n formation s e c u rity; and

    3) the i n formation s e c urity ri s k management pro ce s s outcome s .

    f) prioriti z e the identi fie d i n formation ne e d s b as e d on c riteria, s uch as:

    1) ri sk tre atment prioritie s;

    10 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    2) c ap abi l itie s and re s ou rce s o f an organ i z ation;

    3) i ntere s te d p ar ty ne e d s;

    4) the i n formation s e c u rity p ol ic y and obj e c tive s , and control obj e c tive s;

    5) i n formation re qui re d to me e t organ i z ationa l, lega l, regu lator y, and contrac tua l obl igations; and

    6) the va lue o f the i n formation to b e ob tai ne d i n relation to the co s t o f me a s urement;

    g) s elec t a s ubs et of information needs required to b e addres sed in meas urement ac tivities from the

    prioriti z e d l i s t; a nd

    h) document and communicate the selec ted information needs to al l relevant interes ted p ar ties .

    8.3 Create and maintain measures

    8.3 .1 General

    O rgan i z ation s shou ld cre ate me a s ure s once a nd there a fter review a nd s ys tematic a l ly up date the s e

    meas ures at planned inter val s or when the I SM S ’s environment undergo es s ubs tantial changes . Such

    changes can include, among others:

    a) the s cop e o f the I S M S;

    b) organ i z ationa l s tr uc tu re;

    c) i ntere s te d p ar tie s i nclud i ng i ntere s te d p a r ty role s , re s p on s ibi l itie s a nd authoritie s;

    d) bu s i ne s s obj e c tive s a nd re qu i rements;

    e) lega l a nd re gu l ator y re qui rements;

    f) ach ievement o f de s i re d and s tab le re s u lts for s evera l s ub s e quent c ycle s; and

    g) i ntro duc tion or d i s p o s ition o f i n formation pro ce s s i ng te ch nolo gie s and s ys tem s .

    C reating or up dating s uch meas ures can include, among others , the fol lowings s tep s:

    h) identi fy c u rrent s e c u rity prac tice s th at c an s upp or t i n formation ne e d s;

    i) develop or up date me as u re s;

    j) do c u ment me as u re s and defi ne i mplementation priority; and

    k) keep management informed and engaged.

    Up dating meas ures is exp ec ted to take les s time and effor t than the initial creation .

    8.3 .2 Identify current security practices that can support information needs

    O nce an i n formation ne e d i s identi fie d , orga n i z ation s shou ld i nventor y exi s ti ng me as u rement a nd

    s e c u rity prac tice s as a p o tenti a l comp onent o f me a s u rement. E xi s ti ng me a s u rement and s e c u rity

    prac tices can include meas urement as so ciated with:

    a) ri s k management;

    b) proj e c t management;

    c) compl i ance rep or ti ng; and

    d) s e c u rity p ol icie s .

    © I SO /I E C 2 0 1 6 – All rights res erved 11


    ISO/IEC 2 7004: 2 01 6(E)

    8.3 .3 Develop or update measures

    Me as u re s shou ld re s p ond to the i n formation ne e d . T hey c an rely on the c u rrent prac tice s or they

    ne e d new one s . Newly identi fie d me as u re s ca n a l s o i nvolve an adap tation o f e xi s ti ng me a s ure s or

    me a s urement pro ce s s e s . I n any c a s e, the identi fie d me as u re s shou ld b e defi ne d i n s u fficient de tai l to

    enable these meas ures to b e implemented.

    E xample s o f data th at c an b e col le c te d to s upp or t s e c urity me a s ure s i nclude:

    a) output o f variou s lo gs and s c a n s;

    b) s tati s tic s on trai n i ng a nd o ther huma n re s ource ac tivitie s;

    c) releva nt s u r veys and que s tion na i re s;

    d) i ncident s tati s tics;

    e) re s u lts o f i nterna l aud its;

    f) re s u lts o f bu s i ne s s conti nu ity/d i s a s ter re cover y exerci s e s; a nd

    g) rep or ts from management reviews .

    T hes e and other p otential sources of data, which can b e of either of internal or external origin, shou ld

    b e exa m i ne d a nd typ e s o f ava i l able data identi fie d .

    T he s ele c te d me a s u re s shou ld s upp or t the priority o f the i n formation ne e d s a nd c an con s ider:

    h) e as e o f d ata col le c tion;

    i) avai labi l ity o f huma n re s ource s to col le c t a nd manage data;

    j) avai labi l ity o f appropri ate to ol s;

    k) nu mb er o f p o tentia l ly releva nt p er formance i nd ic ators s upp or te d b y the me as u re;

    l) e as e o f i nterpre tation;

    m) nu mb er o f u s ers o f develop e d me as u rement re s u lts;

    n) evidence s howi ng the me as u re’s fitnes s for pu rp o s e or i n formation ne e d; and

    o) co s ts o f col le c ti ng , managi ng , and a na lys i ng the data .

    O rgani z ations should do cument each meas ure in a form that ties the meas ure to the relevant

    i n formation ne e d (or ne e d s) and provide s s u ffic ient i n formation ab out the ch arac teri s tics de s c ribi ng

    the me a s ure a nd how to col le c t, a na lys e , a nd rep or t it. Sugge s te d i n formation de s crip tors are provide d

    in Table 1 .

    T he examples in Annex B use Table 1 as a template. Two examples have an additional in formation

    de s crip tor (c a l le d “ac tion” ) , wh ich defi ne s the ac tion to b e ta ken i n the event that the targe t i s no t me t.

    O rga ni z ation s may i nclude th i s i n formation de s crip tor i f they con s ider it u s e fu l . T here i s no s i ngle way

    to s p e c i fy s uch me as u rement con s tr uc ts and Annex C demons trates an alternative free-form approach.

    I t s hou ld b e no te d that d i fferent me as u re s may ne e d to b e provide d to me e t the ne e d s o f d i fferent

    meas urement clients (see Table 1) , which can b e internal or external . For example, meas ures for

    add re s s i ng top ma nagement i n formation ne e d s can d i ffer from tho s e for s ys tem ad m i ni s trator

    con s u mp tion (e . g. either i ntere s te d p ar ty c an h ave a s p e ci fic range or fo c u s , or gra nu larity) .

    E ach meas ure shou ld corres p ond to, at leas t, one information need, whi le a s ingle in formation need

    might require several meas ures .

    O rga ni z ation s s hou ld ta ke c are when u s i ng s ubj e c tive me a s u re s as me as u re s forme d b y combi n i ng two

    or more s ubj e c tive me as u re s c an advers ely a ffe c t the fi na l re s u lt.

    12 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    Table 1 — E xample security measure descriptors

    I nformation
    Meaning or purpose
    descriptor

    M ea s u re I D Sp e c i fic identi fier.

    I n formation ne ed O ver-arch ing need for unders tandi ng to wh ich the me as ure contributes .

    S ta te m e n t o f m e a s u r e m e n t, ge n e r a l l y d e s c r i b e d u s i n g a wo r d s u c h a s “p e r c e n t a ge ”,
    M ea s u re
    “nu mb er ”, “ fre quenc y” a nd “average”.

    Formu la/s cori ng H ow the me as ure shou ld b e eva luated, ca lc u lated or s core d .

    D es i red res u lt of the meas urement, e. g. , a m i les tone or a s tati s tica l me as ure or a s et of

    Targe t th resholds . No te that ongoi ng monitori ng c an b e requi red to en s ure conti nued attainment

    of the ta rge t.

    I mplementation E vidence th at va l idate s that the me a s u rement i s p er forme d, help s identi fy p o s s ib le c au s e s

    evidence of p o or res u lts , and provides i nput to the pro ces s . D ata to provide i nput i nto the formu la .

    H ow fre quently the data shou ld b e col le c te d and rep or te d . T here ca n b e a re as on for havi ng
    Fre quenc y
    mu ltiple fre quencies .

    T h e p e r s o n re s p o n s i b l e fo r ga the r i n g a nd p r o c e s s i n g the me a s u r e . At th e l e a s t, a n
    Res p on s ible p ar ties
    I n for m ation O wner, I n for m ation C o l le c tor a nd M e a s u rement C l ient s ho u ld b e identi fie d .

    Po tentia l data s ources can b e datab as es , tracki ng to ol s , o ther p ar ts of, the organi z ation,
    D ata s ou rce
    e x ter n a l o rga n i z atio n s , or s p e c i fic i nd i vidu a l role s .

    Rep or ti ng How the meas u re shou ld b e col lec ted and rep or ted, e . g. , as text, nu merical ly, graphical ly (pie

    format char t, li ne char t, b ar graph etc.) , as p ar t of a ‘da shb o ard’ or ano ther form of pres entation .

    I t i s ver y i mp or tant to defi ne me as u re s i n s uch way a s to col le c t data once and u s e it for mu ltiple

    pu rp o s e s . I de a l ly, the s ame data shou ld s upp or t a varie ty o f me a s ure s that c a n re s p ond to d i fferent

    interes ted p ar ties ’ in formation needs . Note al so that what is eas ies t to meas ure need not b e mos t

    meaningful or mos t relevant.

    Targe ts s hou ld s tate the de s i re d end s tate s for s p e ci fic me as u re s with re s p e c t to the I S M S pro ce s s e s

    and control s , the ach ievement o f i n formation s e c urity obj e c tive s , and for the e ffe c tivene s s o f the I S M S

    to b e evaluated.

    E s tabl ishment of targets can b e faci l itated if his toric data that p er tains to develop ed or selec ted

    meas ures is avai lable. Trends ob ser ved in the p as t can in some cas es provide ins ight into ranges of

    p er forma nce that have e xi s te d previou sly and guide the c re ation of re a l i s tic targe ts . H owever,

    organi z ations should b e cautioned that without due cons ideration, setting targets b ased up on what

    wa s previou sly ach ieve d or previou s p er forma nce c an a l s o p erp e tuate a s tatu s quo or even i mp e de

    continual improvement.

    8.3 .4 Document measures and prioritize for implementation

    Fol lowi ng defi nition o f the re qui re d me as u re s , thei r compi lation s hou ld b e do c u mente d and prioriti z e d

    for i mplementation b a s e d on the priority o f e ach i n formation ne e d a nd fe a s ibi l ity o f ob tai n i ng the data .

    Per formance me as u re s s hou ld b e i mplemente d fi rs t to en s ure that I S M S pro ce s s e s a nd control s have

    b een implemented. O nce p erformance meas ures are pro ducing targeted values , effec tivenes s meas ures

    can b e implemented as wel l . S ee al so 6 .4 for guidance on when to p erform monitoring and related

    ac tivities .

    8.3 .5 Keep management informed and engaged

    M anagement on different organiz ational levels needs to b e involved in developing and implementing

    me as u re s , s o that the me as u re s refle c t management’s ne e d s . Fu r thermore, management s hou ld re ceive

    regu lar up date s i n appropriate formats and s tyle s , to en s u re th at it rema i n s i n forme d concern i ng the

    s e c u rity me a s u rement ac tivitie s th roughout the pro ce s s o f me a s ure s development, i mplementation

    and application.

    © I SO /I E C 2 0 1 6 – All rights res erved 13


    ISO/IEC 2 7004: 2 01 6(E)

    8.4 Establish procedures

    To i mp lement defi ne d a nd prioriti z e d me as u re s the fol lowi ng s tep s shou ld b e ta ken:

    a) i ntere s te d p ar tie s who s hou ld b e p ar tic ip ati ng i n the s e c u rity me a s u rement pro ce s s shou ld b e

    made awa re o f me a s u rement ac tivitie s and the rationa le b eh i nd it; a nd

    b) data col le c tion and a na lys i s to ol s shou ld b e identi fie d and , i f ne e de d, mo d i fie d, to e ffe c tively and

    e fficiently gather me a s u re s .

    O rga ni z ation s shou ld e s tabl i s h pro ce du re s for data col le c tion, a na lys i s , and rep or ti ng o f me as u re s , for
    example b y:

    c) data col le c tion, i nclud i ng s e c u re data s torage and veri fic ation . T he pro ce du re s s hou ld defi ne how

    data i s col le c te d, s tore d, veri fie d a nd wh ich contex t i n formation i s ne ce s s a r y for fu r ther pro ce s s i ng.
    D ata veri fic ation c an b e p er forme d b y applyi ng s uch te ch n ique s a s:

    1) en s u ri ng a va lue l ie s with i n a range o f p o s s ible va lue s;

    2) che cki ng aga i n s t a l i s t o f e xp e c te d va lue s; and

    3) cap turing contextual information, e. g. , the time at which a datum was col lec ted.

    d) data ana lys i s and rep or ti ng o f a na lys i s o f me a s ure s . T he pro ce du re s s hou ld s p e ci fy the data

    ana lys i s te ch n ique s and the fre quenc y for rep or ti ng the re s u lti ng me as u re s;

    e) rep or ting metho ds and formats , which can include:

    1) s core c ard s to provide s trategic i n formation b y i ntegrati ng h igh-level p er forma nce i nd ic ators;

    NO TE T he s e m ay b e terme d ‘ke y p er for m a nce i nd ic ators ’ (s e e the i n for m ation s e c u rity me a s u rement

    mo del i n Annex A) .

    2) exe c utive a nd op erationa l da shb o ard s fo c u s e d on s trategic obj e c tive s , rather tha n on s p e c i fic

    control s and pro ce s s e s;

    3) rep or ti ng formats ra ngi ng from s i mple and s tatic s tyle s , s uch a s a l i s t o f me as u re s for a given

    time p eriod, to more sophis ticated cros s-referencing rep or ts with nes ted groupings , rol l ing

    s um ma rie s , a nd dynam ic d ri l l-th rough or l i n ki ng. Rep or ts c an b e more u s e fu l when there i s a

    ne e d to pre s ent i ntere s te d p ar tie s with raw d ata i n a n e as y-to -re ad format; a nd

    4) gauge s to repre s ent dynam ic va lue s i nclud i ng a ler ts , add itiona l graph ic a l elements and

    lab el ling of end-p oints .

    8.5 Monitor and measure

    P ro ce du re s for mon itori ng and me a s urement accompl i she d b y either manua l or automate d me an s , and

    for s torage a nd veri fic ation, shou ld b e defi ne d . D ata veri fic ation c an b e p er forme d b y qua l i fyi ng the

    data col le c te d agai n s t a che ckl i s t to en s u re th at the e ffe c ts on the ana lys i s o f m i s s i ng data are m i n i ma l

    and th at the va lue s are corre c t or with i n re co gn i ze d b ou nd s . For the pu r p o s e o f ana lys i ng , s u fficient

    data s hou ld b e col le c te d to en s u re that the re s u lts o f a na lys i s are rel i able .

    O rga ni z ation s shou ld col le c t, ana lys e, eva luate a nd rep or t me as u re s to relevant i ntere s te d p ar tie s

    with e s tabl i she d p erio d icity. When any o f the cond ition s s tate d i n 8 . 3 .1 o ccur, the organi zation shou ld

    con s ider up dati ng its mon itori ng , me as u rement, ana lys i s , a nd eva luation pro ce s s e s .

    P rior to publishing information in rep or ts , dashb o ards , etc . , the organi zation should determine how

    col le c te d data and re s u lts ca n b e sh are d , a nd with whom, a s s ome i n formation s e c urity-relate d data

    ca n b e s en s itive from a con fidenti a l ity p ers p e c tive .

    14 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    Moreover, there is benefit to having a process to check and evaluate the collection process to confirm
    that the right measures are being collected and in a manner such that they are repeatable, precise and
    cons i s tent.

    8.6 Analyse results

    Collected data should be analysed in relation to the target for each individual measure. Guidance for
    per forming statistical analysis can be found in ISO/TR 10017.
    The data analysis results should be interpreted. The person analysing the results (communicator)
    should b e able to draw some initial conclus ions b as ed on the res u lts . However, s ince the communicator(s)

    might not be directly involved in the technical and management processes, such conclusions need to be
    reviewed by other interested parties. All interpretations should take into account the context o f the
    meas ures .

    Data analysis should identi fy gaps between the expected and actual measurement results o f an
    implemented ISMS, controls or groups o f controls. Identified gaps can point to needs for improving the
    implemented ISMS, including its scope, policies, objectives, controls, processes and procedures.

    8.7 Evaluate information security performance and ISMS effectiveness

    I n accordance with 5 . 2 , organi zations shou ld:

    a) expres s their information needs in terms of the organiz ation’s ques tions concerning information

    security per formance and ISMS e ffectiveness; and


    b) expres s their meas ures in terms of those information needs .

    It there fore follows that the analysis o f the results o f monitoring and measurement will provide
    data which can be used to satis fy the in formation needs (see Annex A) . E valuation is the pro ces s of
    interpreting that data to answer the organization’s in formation security per formance and ISMS
    effec tivenes s ques tions .

    8.8 Review and improve monitoring, measurement, analysis and evaluation processes

    Monitoring, measurement, analysis, and evaluation processes should continually improve with the
    needs of the I SM S . C ontinual improvement ac tivities can include, among other things:

    a) soliciting feedback from interested parties;


    b) revising collection and analysis techniques, based on lessons learned and other feedback;
    c) revising implementation procedures; and
    d) in formation security benchmarking data.

    8.9 Retain and communicate documented information

    In order to fulfil the requirements o f ISO/IEC 27001:2013, 9.1, it is only necessary for organizations
    to retain do cumented information as evidence of the organi zation’s monitoring and meas urements .

    Organizations are at liberty to decide what is appropriate. Organizations can, for example, document
    the process and the methods used to analyse and evaluate the results.
    Rep or ts that are used to communicate meas urement res u lts to relevant interes ted p ar ties shou ld b e

    prepared using appropriate reporting formats. The conclusions o f the analysis should be reviewed by
    relevant interested parties to ensure proper interpretation o f the data. The results o f data analysis
    should b e do cumented for communication to interes ted p ar ties .

    © I SO /I E C 2 0 1 6 – All rights res erved 15


    ISO/IEC 2 7004: 2 01 6(E)

    T he i n formation com mu n icator s hou ld de term i ne how to com mun ic ate the i n formation s e c u rity

    meas urement res u lts , s uch as:

    a) wh ich me as u rement re s u lts shou ld b e rep or te d i nterna l ly and e xterna l ly;

    b) l i s ti ngs o f me as u re s corre s p ond i ng to i nd ividua l i ntere s te d p ar tie s , and i ntere s te d p a r tie s;

    c) s p e ci fic me a s urement re s u lts to b e provide d, a nd the typ e o f pre s entation, tai lore d to the ne e d s o f

    e ach group; a nd

    d) means for ob taining feedb ack from the interes ted p ar ties to b e used for evaluating the usefu lnes s

    o f me a s u rement re s u lts and the e ffe c tivene s s o f i n formation s e c u rity me as u rement.

    16 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    Annex A
    (informative)

    An information security measurement model

    T he meas urement in formation model describ ed in Figure A.1 is presented and explained in

    I S O/I E C 1 593 9, and can b e applied to I SM S . I t describ es how attributes of relevant entities can b e

    quanti fie d a nd conver te d to i nd ic ators that provide a basis for de ci s ion ma ki ng. T he mo del is a

    s truc ture which s tar ts with l in king in formation needs to the relevant entities and attributes of concern .

    For e xample, the i n formation ne e d c an b e how wel l the employe e s are i n forme d ab out the i n formation

    s e c u rity p ol ic y. E ntitie s i nclude pro ce s s e s , control s , do c u mente d i n formation, s ys tem s , device s ,

    p ersonnel and resources . E xamples of relevant entities in an I SM S are: risk management proces s ,

    aud iti ng pro ce s s , i n formation cla s s i fic ation, management o f acce s s rights , i n formation s e c u rity p ol ic y,

    mobi le device p ol ic y, b ack- end computer, ad m i n i s trator and employe e .

    T he meas urement in formation mo del help s to determine what the meas urement planner needs to

    s p e ci fy du ri ng mon itori ng , me a s u rement, ana lys i s , and eva luation .

    I S O/I E C 2 70 01 : 2 01 3 , 9.1 re qu i re s that organ i z ation s eva luate the i n formation s e c u rity p er forma nce

    and the e ffe c tivene s s o f the I S M S . T h i s o ften i nvolve s the identi fic ation o f i nd icators , and from the s e,

    accord i ng to the s ign i fic ance a nd i mp or tance o f the i nd ic ators to the organ i z ation’s pu rp o s e s , key

    p er forma nce i nd ic ators (KPI – s ome ti me s a l s o re ferre d to as ‘key s ucce s s i nd icators ’ ) c a n b e identi fie d .

    To determine s uch indicators , an organi zation can es tablish b ase meas ures and derive a meas ure from

    them b y u s i ng a me as u rement fu nc tion that combi ne s two or more b as e me as u re s .

    T he meas urement mo del in this Annex (us ing b ase meas ure, derived meas ure, p erformance indicator

    and me a s urement re s u lt) i s an exa mple o f the appro ach to fu l fi l the I S M S re qu i rements for me a s u rement.
    T here a re o ther p o s s ible ways o f lo oki ng at the pro ce s s o f me as u rement, ana lys i s and eva luation .

    © I SO /I E C 2 0 1 6 – All rights res erved 17


    ISO/IEC 2 7004: 2 01 6(E)

    Figure A.1 — Key relationships in the measurement information model

    18 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    Annex B
    (informative)

    Measurement construct examples

    B.1 General

    T he examples in Annex B fol low the principles set out in this do cument. T he table b elow

    map s me a s u rement con s truc t example s to s p e ci fic cl au s e s or control obj e c tive nu mb ers in

    I S O/I EC 2 70 01 : 2 01 3 .

    Related I SM S processes Measurement cons truct example names


    and controls
    (C lause or control number in
    I SO/IEC 2 70 01: 2 01 3 )

    5 .1 , 7.1 B . 2 Res ource a l lo c ation

    7. 5 . 2 , A. 5 .1 . 2 B . 3 Pol ic y review

    5 .1 , 9. 3 B .4 M anagement com m itment

    8.2 , 8.3 B . 5 Ri sk exp o s ure

    9. 2 , A .1 8 . 2 .1 B . 6 Aud it program me

    10 B .7 I mprovement ac tion s

    10 B . 8 S e c u rity i nc idents co s t

    10 , A.16 .1 . 6 B .9 L e a r n i n g for m i n for m atio n s e c u r ity i nc idents

    10 .1 B .10 C orre c tive ac tion i mplementation

    A.7. 2 B .11 I S M S trai n ing or I S M S awarenes s

    A.7. 2 . 2 B .1 2 I n fo r m ation s e c u rity tra i n i ng

    A.7. 2 .1 , A .7. 2 . 2 B .1 3 I n for m ation s e c u r ity awa rene s s comp l i a nce

    A.7. 2 . 2 B .14 I S M S awarenes s camp aigns effec tivenes s

    A.7. 2 . 2 , A.9. 3 .1 , A.16 .1 B .1 5 S o cia l engi neeri ng prep ared nes s

    A.9. 3 .1 B .16 P a s s wo rd qu a l ity – m a nu a l

    A.9. 3 .1 B .17 P a s s wo rd qu a l ity – autom ate d

    A.9. 2 . 5 B .1 8 Review of u s er acces s rights

    A.11 .1 . 2 B .19 Phys ic a l entr y control s s ys tem e va lu atio n

    A.11 .1 . 2 B . 2 0 Phys ic a l entr y control s e ffe c tivene s s

    A.11 . 2 .4 B . 2 1 M anagement of p erio d ic mai ntenance

    A.1 2 .1 . 2 B . 2 2 C hange management

    A.1 2 . 2 .1 B . 2 3 P ro tec tion agai ns t mal iciou s co de

    A.1 2 . 2 .1 B . 2 4 Anti-malware

    A.1 2 . 2 .1 , A .17. 2 .1 B . 2 5 To ta l ava i l ab i l ity

    A.1 2 . 2 .1 , A .1 3 .1 . 3 B . 2 6 Fi rewa l l r u les

    A.1 2 .4.1 B . 2 7 L o g fi le s re vie w

    A.1 2 . 6 .1 B . 2 8 D e vice co n figu ration

    A.1 2 . 6 .1 , A.1 8 . 2 . 3 B . 2 9 Pente s t a nd vu l nerab i l ity a s s e s s ment

    A.1 2 . 6 .1 B . 3 0 Vu l nerabi l ity l a nd s c ap e

    A.1 5 .1 . 2 B . 3 1 .1 /B . 3 1 . 2 S e c u r ity i n th i rd p a r ty agre ements

    © I SO /I E C 2 0 1 6 – All rights res erved 19


    ISO/IEC 2 7004: 2 01 6(E)

    Related I SM S processes Measurement cons truct example names


    and controls
    (C lause or control number in
    I SO/I EC 2 70 01: 2 01 3 )

    A .16 B.32 Security incident management e ffectiveness


    A .16 .1 B.33 Security incidents trend
    A 16 .1 . 3 B.34 Security event reporting
    A .1 8 . 2 .1 B . 3 5 I S M S review pro ces s

    A .1 8 . 2 . 3 B.36 Vulnerability coverage


    A cross re ference o f the relationship to clauses or control objective numbers in ISO/IEC 27001:2013
    is included for each example. I n addition, for two examples (B . 2 0 and B . 2 8) an additional information

    descriptor called “action” is included. This defines the action to be taken in the event that the target is
    not met. Organizations may include this in formation descriptor i f they consider it use ful. Indeed, there
    is no single way to speci fy such measurement constructs and Annex C demons trates an alternative
    free-form approach.

    B.2 Resource allocation

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d Quanti fy resources which are being allocated to in formation security with respect
    to origi na l budge ts

    M eas u re Breakdown o f resources allocated to in formation security (internal personnel,


    contrac ted p ers on nel, hardware, s oftware, s er vices) with i n annua l budget

    Formu la/s cori ng Al lo cate d res ou rces/u s ed res ources with i n a budgeted p erio d of ti me

    Target 1

    I mplementation evidence In formation security resource monitoring


    Frequency Yearly
    Res p ons ible p ar ties In formation Owner: in formation security manager
    In formation Collector: in formation security manager
    I n formation Cu s tomer: b o a rd of di re c tors

    D ata s ou rce In formation security budget


    In formation security e ffective expenditure
    In formation security resources usage reports
    Rep or ti ng format Radar diagram with a resource category for each axis and the double indication o f
    a l lo c ated and us ed res ources

    Relationship I SO/I EC 2 70 01 : 2 01 3 , 5 .1 : Leadership and commitment

    I SO/I EC 2 70 01 : 2 01 3 , 7.1 : Resources

    20 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.3 Policy review

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed To evaluate whether the policies for in formation security are reviewed at planned
    intervals or i f significant changes occur
    M ea s u re Percentage o f policy reviewed
    Formu la/s cori ng Number o f in formation security policies that were reviewed in previous year/
    Number o f in formation security policies in place * 100
    Targe t Green: >80, Orange >=40%, Red <40%
    I mplementation evidence Document history mentioning review o f document or document list indicating
    date of las t review

    Frequency Collect: a fter planned interval defined for reviews (e.g. yearly or a fter significant
    changes)

    Rep or t: for each col lec tion

    Res p on s ible p ar ties In formation owner: Policy owner who has approved management responsibility
    for the development, review and evaluation o f the policy

    I nformation col lec tor: I nterna l aud itor

    Measurement client: Chie f in formation security o fficer


    D ata s ource Review plan o f policies, history section o f a security policy, list o f documents
    Rep or ti ng format Pie chart for current situation and line chart for compliance evolution representation

    Relationship ISO/IEC 27001:2013, A.5.1.2: Review o f the policies for in formation security
    I SO/IEC 2 70 01: 2 01 3 , 7. 5 . 2 : C reating and updating of documented information

    © I SO /I E C 2 0 1 6 – All rights res erved 21


    ISO/IEC 2 7004: 2 01 6(E)

    B.4 Management commitment

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d Assess management commitment and in formation security review activities
    regard i ng management review ac tivities

    M eas u re a) M anagement review meeti ngs comple te d to date

    b) Average p ar ticip ation rates i n management review me eti ngs to date

    Formu la/s cori ng a) Divide [management review meetings per formed] by [management review
    mee tings s chedu le d]

    b) C ompute mean and s tandard deviation of a l l p ar ticip ation rates to management

    review mee ti ngs

    Target Re s u l ti ng ratio o f i nd ic ato r a) s ho u ld fa l l b e twe en 0 .7 a nd 1 .1 to co nclude the

    achievement o f the control objective and no action. Even i f it fails, it should be still
    over 0 . 5 to conclude the lea s t ach ievement. With regard to i nd ic ator b) , C omputed

    confidence limits based on the standard deviation indicate the likelihood that an
    actual result close to the average participation rate will be achieved. Very wide
    confidence limits suggest a potentially large departure and the need for contingency
    planni ng to dea l with th i s outcome.

    I mplementation evidence 1 .1 C ount management review mee ti ngs s chedu le d to date

    1 . 2 Per management review mee ti ngs to date, count managers planned to attend

    and add a new entry with a de fault value for unplanned meetings per formed in an
    ad ho c manner

    2 .1 .1 C ount p lanne d management review me eti ngs held to date

    2 .1 . 2 C ou nt unplan ned management review meeti ngs held to date

    2 .1 . 3 C ount res chedu le d management review me eti ngs held to date

    2 . 2 Fo r a l l m a n agement re vie w me e ti ngs th at were held , co u nt the nu mb er o f

    managers who attende d

    Frequency Collect: Monthly


    Analysis: Quarterly
    Report: Quarterly
    Measurement revision: Review and update every 2 years
    Period o f measurement: Applicable 2 years
    Res p ons ible p ar ties In formation owner: Quality system manager (assuming combined management
    system o f QMS and ISMS)
    In formation collector: Quality manager; In formation security manager
    Measurement client: Managers responsible for ISMS; Quality system manager
    D ata s ou rce 1. In formation security management review plan/schedule
    2 . M anagement review m i nutes/re cord s

    Rep or ti ng format Line chart depicting indicator with criteria over several data collection and reporting

    p erio d s with the s tatement of me as urement res u lts . T he numb er of data col lec tion

    and reporting periods should be defined by the organization.

    Relationship I SO/I EC 2 70 01 : 2 01 3 , 9. 3 : M anagement review

    I SO/I EC 2 70 01 : 2 01 3 , 5 .1 : Leadership and commitment

    22 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.5 Risk exposure

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed Assess exposure o f the organization to in formation security risks
    M ea s u re a) High and medium risks beyond acceptable threshold
    b) Timely review o f high and medium risks
    Formu la/s cori ng a) Threshold for high and medium risks should be defined and responsible parties
    aler te d i f the th reshold i s breached

    b) Numb er of ri sks without s tatu s up date

    Targe t 1

    I mplementation evidence Up dated ri sk regi s ter

    Frequency Collect: minimum quarterly


    Rep or t: e ach quar ter

    Res p on s ible p ar ties In formation owner: Security sta ff


    In formation collector: Security sta ff
    D ata s ource I nformation ri sk regi s ter

    Rep or ti ng format Trend of h igh ri sks

    Trend of accep ted h igh and me diu m ri sks

    Relationship ISO/IEC 27001:2013, 8.2: In formation security risk assessment


    ISO/IEC 27001:2013, 8.3: In formation Security Risk Treatment

    © I SO /I E C 2 0 1 6 – All rights res erved 23


    ISO/IEC 2 7004: 2 01 6(E)

    B.6 Audit programme

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d C ompletenes s of the aud it pro gram me

    Me as ure Total numb er of audit p erformed comp ared with the total numb er of audits planned

    Formu la/s cori ng (Total number o f audits per formed) / (Total number o f audits planned) * 100.
    Target >95%
    I mplementation evidence Aud it pro gram me and related rep or ts mon itori ng

    Frequency Yearly
    Res p ons ible p ar ties I n formation owner: Aud it manager

    I n formation col lec tor: Audit manager

    I n formation c u s tomer: Top ma nagement

    D ata s ource Aud it pro gram me and aud it rep or ts

    Rep or ti ng format Trend char t l i n ki ng the ratio of comple te d audits agai ns t the pro gram me for e ach

    sampled year

    Relationship I SO/I EC 2 70 01 : 2 01 3 , 9. 2 : I nternal audit

    ISO/IEC 27001:2013, A.18.2.1: Independent review o f in formation security

    24 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.7 Improvement actions

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed Veri fy the status of improvement actions and their management according with plans
    M ea s u re Percentage o f actions on time, costs and quality (i.e. requirements) against all
    planne d ac tion s

    The actions should be the ones planned (i.e. opened, stand-by and in progress) in
    the b egi nni ng of the ti mefra me

    Formu la/s cori ng [(Actions on time, costs and quality) / (Number o f actions)] * 100
    Targe t 90%
    I mplementation evidence Status mon itori ng of e ach ac tion

    Frequency Quarterly
    Res p on s ible p ar ties In formation Owner: project management o ffice
    In formation Collector: project management o ffice
    In formation Customer: in formation security manager
    D ata s ource Relevant project plans
    Rep or ti ng format List o f all relevant actions and their status (actual time, costs and quality forecast
    against the planned ones) with the percentage o f actions on time, costs and quality
    agai n s t the relevant numb er of ac tions i n the timeframe

    Relationship I S O/I EC 2 70 01 : 2 01 3 , C lause 10 : I mprovement

    Note that this measure may be improved by weighting each action considering their criticality (e.g.,
    ac tions that addres s high risks) .

    A list o f all relevant actions should be together with the synthetic result, so that a high number o f non-
    critical but within accep table b oundaries won’t hide a low numb er of critical ac tions outs ide accep table

    b oundaries .

    © I SO /I E C 2 0 1 6 – All rights res erved 25


    ISO/IEC 2 7004: 2 01 6(E)

    B.8 Security incident cost

    Information descriptor Meaning or purpose

    Me as ure I D O rga n i z ation- de fi ne d

    I n formation nee d C on s ideratio n s ab out co s ts a r i s i ng from l ack o f i n fo rm ation s e c u r ity

    Me as ure Su m o f co s ts for e ach i n formation s e cu rity incident o cc u rre d in the s ampl i ng p erio d

    Formu la/s cori ng S u m (co s ts o f e ach i n fo r m ation s e c u rity i nc ident)

    Target L e s s th a n a n accep tab le th re s hold de fi ne d b y the o rga n i z atio n

    I mplementation evidence S ys tem atic gather i ng o f co s ts fo r e ach i n for m atio n s e c u r ity i nc idents

    Fre quenc y Qu a r terl y

    Res p ons ible p ar ties I n for m ation owner: C omp uter s e c u r ity i nc ident re s p on s e te a m (C S I RT )

    I n for m ation col le c tor: I n for m atio n s e c u r ity m a n ager

    I n formation c u s tomer: Top ma nagement

    D ata s ource I ncident rep or ts

    Rep or ti ng format C olu m n cha r t showi ng co s ts o f i n formation s e cu rity i ncidents for th i s and previou s

    s ampli ng p erio d s .

    It can be fo l lowe d b y a d r i l l- down with:

    — average co s t o f e ach i n fo r m ation s e c u rity i nc ident;

    — average co s t o f e ach i n fo r m atio n s e c u rity i nc ident for e ach i n for m ation

    s e c u r ity i nc ident c ate gor y (c ate go rie s s hou ld b e p re viou s l y de fi ne d) .

    Relationship I SO/I EC 2 70 01 : 2 01 3 , C lause 10 : I mprovement

    26 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.9 Learning from information security incidents

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed Veri f y whether security incidents trigger actions for improving the
    current security situation
    M ea s ure Number o f security incidents that trigger in formation security improvement actions
    Formu la/s cori ng Sum o f security incidents that triggered actions/Sum o f security incidents
    Targe t Value should be higher than the threshold defined by the organization
    I mplementation evidence Action plan with link to security incidents
    Frequency Collect: Quarterly
    Report: Every semester
    Res p on s ible p ar ties In formation owner: Computer security incident response team (CSIRT)
    In formation collector: In formation security manager
    In formation customer: In formation security manager
    D ata s ource I ncident rep or ts

    Rep or ti ng format Column chart showing costs o f in formation security incidents for this and previous
    s ampl i ng p erio d s .

    It can be followed by a drill-down with:


    — average cost o f each in formation security incident;
    — average cost o f each in formation security incident for each in formation
    security incident category (categories should be previously defined).

    Relationship I S O/I EC 2 70 01 : 2 01 3 , C lause 10 : I mprovement

    ISO/IEC 27001:2013, A.16.1.6: Learning from in formation security incidents

    © I SO /I E C 2 0 1 6 – All rights res erved 27


    ISO/IEC 2 7004: 2 01 6(E)

    B.1 0 Corrective action implementation

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d As s es s p erformance of correc tive ac tion i mplementation

    Me as ure a) Statu s expres s ed as a ratio of correc tive ac tion no t i mplemente d

    b) Status expres s ed as a ratio of correc tive ac tion not implemented without re as on

    c) Trend of s tatu s es

    Formu la/s cori ng a) Divide [Corrective action not implemented to date] by [Corrective actions
    planned to date]

    b) Divide [Corrective action not implemented without reason] by [Corrective


    ac tion s plan ned to date]

    c) C omp are Statu s es with P revious s tatu s es

    Target In order to conclude the achievement o f the objective and no action, the ratios o f
    indicator a) and b) should fall respectively between 0.4 and 0.0 and between 0.2
    and 0 . 0 , and Trend of i nd icator c) shou ld have b een de cl i ni ng for the las t 2 rep or t-

    i ng p erio d s . T he i nd ic ator c) s hou ld b e pre s ente d i n comp a r i s o n with previou s

    i nd ic ators s o that the trend in correc tive ac tion i mplementation c an b e exam i ned .

    I mplementation evidence 1 . C ount corre c tive ac tions planned to b e i mplemented to date

    2. Count corrective actions recorded as implemented by due date


    3 . C ount correc tive ac tions recorde d as plan ne d ac tion s no t ta ken with the reas on

    Frequency Collect: Quarterly


    Analysis: Quarterly
    Report: Quarterly
    Measurement Revision: Review annually
    Period o f Measurement: Applicable 1 year
    Res p ons ible p ar ties I n formation owner: M anagers res p on s ib le for I S M S

    I n formation col le c tor: M anagers res p on s ible for I S M S

    Measurement client: Managers responsible for ISMS; In formation security manager


    D ata s ource C orrec tive ac tion rep or ts

    Rep or ti ng format Stacked b ar chart with the s tatement of meas urement res ults including an executive

    summary o f findings and possible management actions, that depicts total number
    o f co r re c tive ac tio n s , s ep a rate d i nto i mp lemente d , no t i mp lemente d without a

    legitimate re as on, and no t i mplemented with a legiti mate re as on .

    Relationship ISO/IEC 27001:2013, 10.1: Noncon formity and corrective action

    28 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.1 1 ISMS training or ISMS awareness

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed To measure how many employees received an ISMS related awareness training and
    establish control compliance with the organization’s in formation security policy
    M ea s ure Percentage o f employees having participated to an ISMS awareness training
    Formu la/s cori ng I1 = [Number o f employees who received ISMS training/number o f employees who
    have to receive ISMS training] * 100
    I2 = [Number o f employees who renewed their ISMS training in the last year /
    number o f employee in scope] * 100
    Targe t Green: i f I1>90 and I2>50%
    otherwise Yellow: i f I1>60% and I2>30%
    o ther wi s e Red

    Red – intervention is required, causation analysis must be conducted to determine


    rea s on s for non- compl iance and p o or p erformance

    Yellow – indicator should be watched closely for possible slippage to Red


    Green – no ac tion i s re qui red

    I mplementation evidence Participation lists o f all awareness trainings; count o f logs/registries with ISMS
    training field/row filler as “Received”
    Frequency Collect: Monthly, first working day o f the month
    Analysis: Quarterly
    Report: Quarterly
    Measurement Revision: Review annually
    Perio d of Me as urement: Annua l

    Res p on s ible p ar ties I nformation owner: Train i ng manager – Hu man res ources

    I nformation col lec tor: Tra in i ng management – Human res ource dep ar tment

    M e a s u r e m e n t c l i e n t: M a n a ge r s r e s p o n s i b l e fo r a n I S M S , C h i e f i n fo r m a t i o n

    security o fficer
    D ata s ource Employee database, training records, participation list o f awareness trainings
    Rep or ti ng format Bar graph with bars colour-coded based on target. Short summary of what the measure
    me ans and p o s s ible management ac tion s shou ld b e attached to the b ar char t.

    OR

    Pie chart for current situation and line chart for compliance evolution representation.

    Relationship I S O/I EC 2 70 01 : 2 01 3 , A.7. 2 : C omp etence.

    © I SO /I E C 2 0 1 6 – All rights res erved 29


    ISO/IEC 2 7004: 2 01 6(E)

    B.1 2 Information security training

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d To evaluate compliance with annual in formation security awareness training
    re qui rement

    M eas u re Percentage of personnel who received annual in formation security awareness training
    Formu la/s cori ng [Number o f employees who received annual in formation security awareness
    training/number o f employees who need to receive annual in formation security
    awareness training] * 100
    Target 0-60% - Red; 60-90% - Yellow; 90-100% Green. For Yellow, i f progress o f at least
    10% per quarter is not achieved, rating is automatically red.
    Red – intervention is required, causation analysis must be conducted to determine
    re as ons for non- compliance and p o or p erformance .

    Yellow – indicator should be watched closely for possible slippage to Red.


    Green – no ac tion i s requi red .

    I mplementation evidence Count o f logs/registries with annual in formation security awareness training field/
    row filler as “Received”
    Frequency Collect: Monthly, first working day o f the month
    Analysis: Quarterly
    Report: Quarterly
    Measurement Revision: Review annually
    Perio d of M e as urement: Annua l

    Res p ons ible p ar ties In formation owner: In formation security o fficer and Training manager
    I n formation col lec tor: Trai ni ng ma nagement – H uman res ou rce dep ar tment

    Measurement client: Managers responsible for an ISMS; Security management;


    Trai ni ng management

    D ata s ou rce Employee database, training records


    Rep or ti ng format Bar graph with bars colour-coded based on target. Short summary o f what the meas -
    u re me ans and p o s s ible management ac tions shou ld b e attached to the b ar char t.

    Relationship ISO/IEC 27001:2013, A.7.2.2: In formation security awareness, education and


    training.

    30 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.1 3 Information security awareness compliance

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed Assess status o f compliance with organization security awareness policy among
    relevant p ers on nel

    M ea s u re 1 . P ro gres s to date

    2 . P ro gres s to date with s igni ng

    Formu la/s cori ng Derive the “progress to date” by adding status for all personnel having signed,
    planne d to b e comple te d to date

    Derive “progress to date with signing” by divide personnel having signed to date
    by personnel planned for signing to date
    a) [divide progress to date by (personnel planned to date times 100)] and progress
    to date with s igni ng

    b) C omp are s tatus with previous s tatu s es

    Targe t a) Resulting ratios should fall respectively between 0.9 and 1.1 and between 0.99
    and 1.01 to conclude the achievement o f the control objective and no action; and
    b) Trend shou ld b e up ward or s table

    I mplementation evidence 1 .1 . C o u nt nu mb e r o f p e r s o n ne l s che du le d to h ave s i g ne d a nd c o mp le te d the

    trai ni ng to date

    1 . 2 . Ask res p ons ible i nd ividua l for p ercent of p ers onnel who have completed the

    trai ni ng and s igned

    2.1. Count number o f personnel scheduled to have signed by this date


    2 . 2 . C ount nu mb er of p ers onnel havi ng s igned u s er agre ements

    Frequency Collect: Monthly, first working day o f the month


    Analysis: Quarterly
    Report: Quarterly
    Measurement Revision: Review annually
    Perio d of Me as urement: Annua l

    Res p on s ible p ar ties In formation owner: In formation security o fficer and Training manager
    In formation collector: Training management; Human resource department
    Measurement client: Managers responsible for an ISMS; Security management.
    trai ni ng management

    D ata s ource 1.1. Information security awareness training plan/schedule: Personnel identified in plan
    1 . 2 Pers on nel who have completed or in pro gres s i n the trai n ing: Pers on nel s tatus

    with rega rd to the trai ni ng

    2.1. Plan for signing user agreements/schedule: Personnel identified in plan for signing
    2 . 2 . Pers o n nel h avi ng s i gne d ag re ements : Pers o n nel s tatu s with re ga rd to the

    s igni ng of agre ements

    Rep or ti ng format Standard Font = Criteria have been met satis factorily
    Italic Font = Criteria have been met unsatis factorily
    B old Font = C riteria have no t b een met

    © I SO /I E C 2 0 1 6 – All rights res erved 31


    ISO/IEC 2 7004: 2 01 6(E)

    Relationship I SO/I EC 2 70 01 : 2 01 3 , A.7. 2 . 2 : M anagement res p ons ibi lities

    ISO/IEC 27001:2013, A.7.2.1: In formation security awareness, education and


    training

    32 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.1 4 ISMS awareness campaigns effectiveness

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed To measure i f employees have understood content o f awareness campaign
    M ea s u re Percentage o f employees passing a knowledge test be fore and a fter ISMS awareness
    camp aign

    Formu la/s cori ng Choose a given number o f employees who were targeted by an awareness campaign
    and let them fill out a short knowledge test about topics o f the awareness campaign
    Percentage of p eople p as s e d the tes t

    Targe t Green: 90-100% o f people passed the test, Orange: 60-90% o f people passed the
    test, Red: <60% o f people passed the test
    I mplementation evidence Awareness campaign documents/in formation provided to employees; list o f
    employees who followed awareness campaign; knowledge tests
    Frequency C ol le c t: one month after awarenes s camp aign

    Rep or t: for each col lec tion

    Res p on s ible p ar ties I nformation owner: Hu man res ources

    I nformation col lec tor: Hu man res ources

    Measurement client: In formation security manager


    D ata s ource Employee database, awareness campaign in formation, knowledge test results
    Rep or ti ng format P ie cha r t for repres enti ng p ercentage of s taff memb ers p as s e d the tes t s ituation

    and li ne char t for evolution repres entation i f extra tra in i ng has b e en orga ni s ed

    for a specific topic

    Relationship ISO/IEC 27001:2013, A.7.2.2: In formation security awareness, education and


    training

    © I SO /I E C 2 0 1 6 – All rights res erved 33


    ISO/IEC 2 7004: 2 01 6(E)

    B.1 5 Social engineering preparedness

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d To evaluate whether sta ff is prepared to react properly in case o f some social
    engi neeri ng attacks

    M eas u re Percentage o f sta ff that react correctly to a test, e. g., who did not click on a link in
    a given tes t cons i s ti ng i n s endi ng a ph i sh i ng emai l to (a s elec te d p ar t of the) s taff

    Formu la/s cori ng a = Number of s taff having clicked on the link/number of s taff participating in the tes t

    b = 1-Numb er of s taff havi ng rep or te d the dangerou s emai l th rough appropriate

    channel s

    c = Numb er of s taff having fol lowed the i ns truc tion given when clicki ng on the li nk,

    i . e . s tar t revea l i ng a p as s word/numb er of s ta ff p ar ticip ati ng

    d = An appropriate weighted s um of the ab ove p arameter, dep end ing on the nature

    of the tes t

    Target d: 0 - 6 0 : Re d, 6 0 - 8 0 : Yel low, 9 0 -10 0 : Gre en

    I mplementation evidence Count o f activity on a simulated command and control addressed by the link. Take
    care to respect personnel privacy aspects, and to anonymise data so that test
    p ar ticip a nts do no t have to fe ar negative con s equences from th i s tes t.

    Frequency Collect: monthly to annually, depending on the criticality o f social engineering attacks
    Rep or t: for e ach col lec tion

    Res p ons ible p ar ties In formation owner: Chie f in formation security o fficer
    In formation collector: IT security o fficer trained to respect privacy aspects
    M ea s urement cl ient: Ri sk owner

    D ata s ou rce List o f sta ff, or users o f a given service; Awareness support, communication (email
    or i ntranet)

    Rep or ti ng format Test report indicating test details, measurements, analysis o f results, and
    re com mendation, b as ed on targe t a nd agree d treatment

    Relationship ISO/IEC 27001:2013, A.16.1: Management o f in formation security incidents


    and improvements

    I SO/I EC 2 70 01 : 2 01 3 , A.9. 3 .1 : Use of secret authentication information

    ISO/IEC 27001:2013, A.7.2.2: In formation security awareness, education and


    training

    34 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.1 6 Password quality – manual

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed To assess the quality o f the passwords used by the Users to access the
    organization’s IT systems
    M ea s ure Total number o f passwords that comply with organization’s password quality policy
    a) Ratio o f passwords which meet organization’s password quality policy
    b) Trends o f compliance status regarding password quality policy
    Formu la/s cori ng C ou nt nu mb er of p as s word s in u s er p a s s word datab as e

    Determine the number o f passwords which satis fy organization’s password policy


    Σ o f [Total number o f passwords that comply with organization’s password quality
    policy for each user]
    a) Ratio o f passwords which meet organization’s password quality policy
    b) Trends o f compliance status regarding password quality policy
    c) D i vide [ To ta l nu mb er o f p a s s wo rd s co mp l ie d wi th o rga n i z atio n’s p a s s wo rd

    quality policy] by [Number o f registered passwords]


    d) C omp are ratio with the previous ratio

    Targe t Control objective is achieved and no action required i f the resulting ratio is above
    0.9. I f the resulting ratio is between 0.8 and 0.9 the control objective is not achieved,
    b ut p o s i ti ve tre nd i nd ic ate s i mp ro ve me nt. I f the r e s u l ti n g r atio i s b e l o w 0 . 8

    im me diate ac tion shou ld b e ta ken .

    I mplementation evidence 1 C ount numb er of p a s s word s on u s er p as s word datab as e

    2 Determine the number o f passwords which satis fy organization’s password policy


    Configuration file, password setting or configuration tool
    Frequency Collect: Depending on the criticality but minimum yearly
    Analysis: A fter each collection
    Report: A fter each analysis
    Measurement Revision: Yearly
    Period o f Measurement: Yearly
    Res p on s ible p ar ties In formation owner: System administrator
    In formation collector: Security sta ff
    Measurement client: Managers responsible for an ISMS, Security manager
    D ata s ource User password database; Individual passwords
    Rep or ti ng format Trend l i ne that depic ts the numb er of p a s s word s comp l iant with orga ni z ation’s

    password quality policy, superimposed with trend lines produced during previous
    rep or ti ng p erio d s .

    Relationship I S O/I EC 2 70 01 : 2 01 3 , A.9. 3 .1 : Use of secret authentication in formation

    © I SO /I E C 2 0 1 6 – All rights res erved 35


    ISO/IEC 2 7004: 2 01 6(E)

    B.1 7 Password quality – automated

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d To assess the quality o f the passwords used by the Users to access the
    organization’s IT systems
    M eas u re 1 To ta l nu mb er of p as s word s

    2 To ta l nu mb er of uncrackable p as s words

    Formu la/s cori ng 1 Ratio of p as s word s crackable with i n 4 hou rs

    2 Trend of the ratio 1

    a) Divide [Number o f uncrackable passwords] by [Total number o f passwords]


    b) C omp are ratio with the previous ratio

    Target Control objective is achieved and no action required i f the resulting ratio is above
    0.9. I f the resulting ratio is between 0.8 and 0.9 the control objective is not achieved,
    b u t p o s i ti ve tre nd i nd ic ate s i mp r o ve me nt. I f the re s u l ti n g ratio i s b e l o w 0 . 8

    i m med iate ac tion shou ld b e ta ken .

    I mplementation evidence 1 Run query on employee account records


    2 Run password cracker on employee system account records using hybrid attack
    Frequency Collect: Weekly
    Analysis: Weekly
    Report: Weekly
    Measurement revision: Review and update every year
    Period o f measurement: Applicable 3 years
    Res p ons ible p ar ties In formation owner: System administrator
    In formation collector: Security sta ff
    Measurement client: Managers responsible for an ISMS, Security manager
    D ata s ou rce Employee system account database
    Rep or ti ng format Trend line that depicts password crackability for all records tested superimposed
    with l i nes pro duce d duri ng previou s tes ts .

    Relationship I SO/I EC 2 70 01 : 2 01 3 , A.9. 3 .1 : Use of secret authentication information

    36 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.1 8 Review of user access rights

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed Measure on how many systematic user access rights reviews are per formed on
    critical systems
    M ea s ure Percentage o f critical systems where user access rights are periodically reviewed
    Formu la/s cori ng [Number o f in formation systems classified as critical where periodic access rights
    reviews are performed/Total number of information systems classified as critical] * 100
    Targe t Green: 90-100%, Orange: 70-90%, Red <70%
    I mplementation evidence Proo fs o f reviews (e.g. email, ticket in ticketing system, formula proofing review
    comple tion)

    Frequency Collect: After any changes such as promotion, demotion or termination o f employment
    Rep or t: e ach s emes ter

    Res p on s ible p ar ties I nformation owner: Ri sk owner

    In formation collector: Chie f in formation security o fficer


    Measurement client: In formation security manager
    D ata s ource Asset inventory, system used to track i f reviews were performed, e.g., Ticketing system
    Rep or ti ng format Pie chart for current situation and line chart for compliance evolution representation

    Relationship I S O/I EC 2 70 01 : 2 01 3 , A.9. 2 . 5: Review of user acces s rights

    © I SO /I E C 2 0 1 6 – All rights res erved 37


    ISO/IEC 2 7004: 2 01 6(E)

    B.1 9 Physical entry controls system evaluation

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d To show the existence, extent and quality o f the system used for access control
    Me as ure Strength o f physical entry controls system
    Formu la/s cori ng S c a le from 0 -5

    0 T here i s no access control s ys tem

    1 There is an access system where PI N co de (one factor system) is used for


    entry control
    2 T here i s an acces s control card system where pass card (one factor system) is
    used for entry control
    3 There is an access card system where p a s s c ard a nd PI N co de i s u s e d fo r
    entry control
    4 P revious + log functionality ac tivated

    5 Previous + PIN code is replaced by biometric authentication (fingerprint, voice


    re co gnition, reti na s c an e tc.)

    Target Value 3= satis factory


    I mplementation evidence Qualitative as ses s ment where each s ubset grade is a part of the grade ab ove. Control

    the type o f entry control system and inspect the following aspects:
    — Access control card system existence
    — PI N co de us age

    — Log functionality
    — B iometric authentic ation

    Frequency Collect: Yearly


    Analysis: Yearly
    Report: Yearly
    M ea s urement revi s ion: 1 2 month s

    Perio d of me as urement: Applic able 1 2 month s

    Res p ons ible p ar ties In formation owner: Facility manager


    I n formation col le c tor: I nterna l aud itor/externa l aud itor

    M ea s urement cl ient: M anagement com m ittee

    D ata s ou rce Identity management records


    Rep or ti ng format Graph s

    Relationship ISO/IEC 27001:2013, A.11.1.2: Physical entry controls

    38 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.2 0 Physical entry controls effectiveness

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed 1. Ensure an environment o f comprehensive security and accountability for
    p ers onnel, faci lities , and pro duc ts

    2. Integrate physical and in formation security protection mechanisms to ensure


    appropriate pro tec tion of the organi z ation’s i nformation res ources

    M ea s ure Number o f unauthorized entry into facilities containing in formation systems (subset
    o f physical security incidents)
    Formu la/s cori ng Current number o f physical security incidents allowing unauthorized entry into
    facilities containing in formation systems/previous value

    (Note that these measures need to take into account organization-specific context
    such as the total number o f physical security incidents)
    Targe t B elow 1 . 0

    I mplementation evidence Systematic analysis o f physical security incident reports and access control logs
    Frequency Quarterly for data gathering and reporting
    Res p on s ible p ar ties In formation owner: Physical security o fficer
    In formation collector: Computer security incident response team (CSIRT)
    In formation customer: Chie f in formation o fficer, Chie f in formation security o fficer
    D ata s ource Physical security incident reports
    Physical access control logs
    Rep or ti ng format Plot showing trend o f unauthorized entry into facilities containing in formation
    systems for the most recent sampling periods

    Relationship ISO/IEC 27001:2013, A.11.1.2: Physical entry controls


    Ac tion Review and improve physical security controls applied to in formation systems.

    © I SO /I E C 2 0 1 6 – All rights res erved 39


    ISO/IEC 2 7004: 2 01 6(E)

    B.2 1 Management of periodic maintenance

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d To eva luate ti mel i nes s of mai ntenance ac tivities i n relation to s chedu le

    Me as ure Maintenance delay per completed maintenance event


    For e ach completed event, s ub trac t [D ate of ac tua l mai ntenance] from [D ate of
    Formu la/s cori ng
    s che du led mai ntenance]

    1. Organization-specific, for example, i f average delay is consistently showing at


    over 3 days, the causes need to be examined
    2 . Ratio of comple te d maintenance events shou ld b e gre ater than 0 .9
    Target

    3 . Trend shou ld b e s tab le or clo s e to 0

    4. Trend shou ld b e s table or upward s

    1 D ates of s che du led mai ntenance

    2 D ates of completed mai ntenance


    I mplementation evidence
    3 To ta l nu mb er of planne d maintenance events

    4 To ta l nu mb er of comple te d mai ntenance events

    Collect: quarterly
    Frequency
    Report: annually
    In formation owner: System administrator
    Res p ons ible Par ties In formation collector: Security sta ff
    Measurement client: Security manager, IT manager
    1 Plan/schedule o f system maintenances
    D ata s ource
    2 Records o f system maintenances
    Line chart that depicts the average deviation o f maintenance delay, superimposed
    with lines produced during previous reporting periods and the numbers o f systems
    Format
    with i n the s cop e

    An explanation o f findings and recommendation for potential management action

    Relationship I SO/I EC 2 70 01 : 2 01 3 , A.11 . 2 .4: E quipment maintenance

    40 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.2 2 Change management

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed Evaluate whether change management best practice as well hardening policy are
    res p ec ted

    M ea s u re Percentage o f new installed systems that were respected change management best
    practice and hardening policy
    Formu la/s cori ng Number o f newly installed applications or systems where evidences o f respecting
    the change management best practices are available/number o f newly installed
    appl ications

    Targe t All systems must follow the change management guidelines


    I mplementation evidence Ticketing system, e-mails, reports, checklist used for configuration
    Frequency Collect: Every semester
    Report: Yearly to management, each semester to In formation security manager
    Res p on s ible p ar ties I nformation owner: Ri sk owner

    I nformation col lec tor: Ri sk owner

    Measurement client: In formation security manager


    D ata s ource Ticketing system, e-mails, reports, checklist used for configuration, configuration
    review to ol rep or t

    Rep or ti ng format Pie chart for current situation and line chart for compliance evolution representation

    Relationship I S O/I EC 2 70 01 : 2 01 3 , A.1 2 .1 . 2 : C hange management

    © I SO /I E C 2 0 1 6 – All rights res erved 41


    ISO/IEC 2 7004: 2 01 6(E)

    B.2 3 Protection against malicious code

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d To assess the effectiveness of the protection system against malicious so ftware attacks
    Me as ure Trend of detec te d attacks that were no t b lo cked over mu ltiple rep or ting p erio d s

    Formu la/s cori ng Number o f security incidents caused by malicious so ftware/number o f detected
    and blocked attacks caused by malicious so ftware
    Target Trend line should remain under specified re ference, resulting in a downward or
    con s tant trend

    I mplementation evidence 1 Count number o f security incidents caused by malicious so ftware in the
    i ncident rep or ts

    2 C ount numb er of record s of blo cke d attacks

    Frequency Collect: Daily


    Analysis: Monthly
    Report: Monthly
    Measurement Revision: Review annually
    Period o f Measurement: Applicable 1 year
    Res p ons ible p ar ties I n formation owner

    I n formation col le c tor

    M ea s urement cl ient

    D ata s ou rce 1 I ncident rep or ts

    2 Lo gs of counterme as ure s oftware for ma liciou s s oftwa re

    Rep or ti ng format Trend l ine that depic ts ratio of ma licious s oftware detec tion and prevention with

    l i nes pro duce d duri ng previou s rep or ti ng p erio ds

    Relationship I SO/I EC 2 70 01 : 2 01 3 , A.1 2 . 2 .1 : C ontrol s agains t malware

    NOTE Organizations adopting this measure should consider the following issues that may lead to an
    incorrect analysis o f such measure:
    — “number o f detected and blocked attacks caused by malicious so ftware” can be very high; thus
    such measure can result in very small ratios;
    — i f in one period there is an increase o f spreading o f a specific virus, an organization may
    experience an increase o f malware attacks and incidents; in this case the ratio remains the same,
    even if the increase of incidents can rais e concern .

    42 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.2 4 Anti-malware

    I nformation descriptor Meaning or purpose

    M ea s u re I D O rga n i z ation- de fi ne d

    I n formation ne ed Nu mb er o f m a lwa re a ffe c te d s ys tem s wh ich do no t h ave a n up d ate d a nti-m a l wa re

    s olution

    M ea s u re Percentage o f m a lwa re a ffe c te d s ys tem s con ne c te d to the o rga n i z atio n’s ne twork

    with ob s olete (e . g. more than one we ek) antima lware s ignatures

    Formu la/s cori ng (Numb er of ob s ole te antivi ru s) / ( To ta l works tation)

    Targe t 0 o r a s m a l l va lue de c ide d b y the orga n i z ation

    I mplementation evidence M on ito ri n g o f a nti vi r u s ac ti vitie s i n e ach m a lwa re a ffe c te d s ys tem

    Fre quenc y Daily

    Res p on s ible p ar ties I nformation owner: I T op erations

    I nformation col lec tor: I T op erations

    I n fo r m ation c u s tomer: C h ie f i n for m atio n s e c u r ity o fficer

    D ata s ource M onitori ng to ol s

    Anti ma lware cons ole

    Rep or ti ng format Nu mb ers p er s ys tem cl a s s e s (wo rks tatio n s , s er vers , o/s)

    Relationship I S O/I EC 2 70 01 : 2 01 3 , A.1 2 . 2 .1 : C ontrol s agains t malware

    © I SO /I E C 2 0 1 6 – All rights res erved 43


    ISO/IEC 2 7004: 2 01 6(E)

    B.2 5 Total availability

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d Availability o f IT services for each service, compared with the defined maximum
    downti me

    Me as ure For each IT service the end-to-end availability is compared with the maximum
    availability (i.e., excluding the previously defined downtime windows)
    Formu la/s cori ng (Total availability)/(Maximum availability excluding downtime windows)
    Target Service availability target
    I mplementation evidence Monitoring o f end-to-end availability o f each IT service
    Frequency Monthly
    Res p ons ible p ar ties I n formation owner: I T op erations

    In formation collector: IT quality


    In formation customer: Chie f in formation o fficer
    D ata s ou rce M onitori ng to ol s

    Rep or ti ng format For e ach s er vice, two l i nes:

    1. line linking the actual availability (percentage) o f each sampled period


    2. line (for comparison purposes) showing the availability target

    Relationship ISO/IEC 27001:2013, A.17.2.1: Availability o f in formation processing facilities

    44 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.2 6 Firewall rules

    I nformation descriptor Meaning or purpose

    M ea s u re I D O rga n i z ation- de fi ne d

    I n formation ne ed E va lu ate c u r rent fi rewa l l p er for m a nce

    M ea s u re Unu s e d fi re wa l l r u le s on b o rder fi rewa l l s

    Formu la/s cori ng Count o f border firewall rules which have been used 0 times in the las t sampling period

    Targe t 0

    I mplementation evidence Re cord s o f u s age cou nters on e ach fi rewa l l r u le s

    Fre quenc y B i- a n nu a l or ye a rl y

    Res p on s ible p ar ties I n fo r m ation owner: ne twork m a n ager/i n for m atio n s e c u r ity m a n ager

    I n fo r m ation co l le c tor: ne twork a n a l ys t/s e c u rity a n a l ys t

    I n fo r m ation c u s tomer: ne twork m a n ager/i n for m atio n s e c u r ity m a n ager

    D ata s ource Fi rewa l l m a n agement con s ole , fi rewa l l re view rep o r t

    Rep or ti ng format C ou nt or l i s t o f u nu s e d fi rewa l l r u le s to b e m a rke d for review a nd p o s s ib le dele tion

    Relationship I S O/I EC 2 70 01 : 2 01 3 , A.1 3 .1 . 3 : S egregation in networks

    © I SO /I E C 2 0 1 6 – All rights res erved 45


    ISO/IEC 2 7004: 2 01 6(E)

    B . 2 7 L o g fi l e s r e vi e w

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d To assess the status o f compliance o f the regular review o f critical system log files
    Me as ure Percentage o f audit log files reviewed when required per time period
    Formu la/s cori ng [# o f log files reviewed within specified time period/total # o f log files]*100
    Target Result below 20% should be examined for causes o f underper formance
    I mplementation evidence Add up total number o f log files listed in the review log list
    Frequency Collect: Monthly (depending on the criticality, it could go to daily or real-time)
    Analysis: Monthly (depending on the criticality, it could go to daily or real-time)
    Report: Quarterly
    Measurement Revision: Review and update every 2 years
    Period o f Measurement: Applicable 2 years
    Res p ons ible p ar ties In formation owner: Security manager
    In formation collector: Security sta ff
    Measurement client: Managers responsible for an ISMS, Security manager
    D ata s ource System; individual log files; evidence o f the log review
    Rep or ti ng format Line chart that depicts the trend with a summary o f findings and any suggested
    management ac tion s

    Relationship I SO/I EC 2 70 01 : 2 01 3 , A.1 2 .4.1 : E vent logging

    46 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B . 2 8 D e vi c e c o n fi g u ra ti o n

    I nformation descriptor Meaning or purpose

    M ea s u re I D O rga n i z ation- de fi ne d

    I n formation ne ed Va l id ate th at o u r de vice s a re conti nu a l ly s e c u rel y con fig u re d accord i ng to p ol ic y

    M ea s u re Percentage o f de vice s ( b y typ e) con figu re d acco rd i n g to p o l ic y

    Formu la/s cori ng [Nu mb er o f de vice s con figu re d cor re c tl y/to ta l # de vice s] * 10 0

    (to ta l nu mb er o f de vice s i s orga n i z ation- s p e c i fic a nd m ay i nclude a ny a nd a l l o f

    the fo l lowi ng: de vice s re gi s tere d i n con figu ration m a n agement datab a s e , de vice s

    fou nd b ut no t re gi s tere d i n con fig u ration m a n agement d atab a s e , de vice s r u n n i n g

    a s p e c i fic op erati n g s ys tem/vers ion , mob i le de vice s , e tc .)

    Targe t 10 0 %

    I mplementation evidence B a s e d o n au to m ate d s c a n n i n g: au th o r i t a ti ve d e v i c e i n ve n to r y; au th o r i t a ti ve

    s o ftwa re i nvento r y; con fig u ration s c a n n i ng re s u lts

    Fre quenc y S c a n e ver y 3 days; rep or t i m me d iatel y

    Res p on s ible Par ties I nformation owner: Ne twork management

    I nformation col lec tor: Ne twork management

    I n fo r m ation c u s tomer: C h ie f i n for m atio n o fficer

    D ata s ource C on fig u ration co ntrol b o a rd; i nventor y datab a s e; s c a n n i n g to ol s

    Rep or ti ng format L i ne ch a r t for trend s , vu l nerab le ho s ts b y n a me

    Ac tion D i s con ne c t u n ap pro ve d de vice s from the ne twork; p atch non- co mp l ia nt de vice s;

    re vie w a nd re vi s e a s ne ce s s a r y con fig u ration m a n agement gu idel i ne s; e tc .

    Relationship I S O/I EC 2 70 01 : 2 01 3 , A.1 2 .16 .1 : M anagement of technical vul nerabil ities

    © I SO /I E C 2 0 1 6 – All rights res erved 47


    ISO/IEC 2 7004: 2 01 6(E)

    B.2 9 Pentest and vulnerability assessment

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d To evaluate whether in formation systems handling sensitive data (confidentiality,
    integrity) are vulnerable to malicious attacks
    M eas u re Percentage o f critical in formation systems where a penetration test or vulnerability
    assessment has been executed since their last major release
    Formu la/s cori ng [Number o f in formation systems quantified as critical and where a penetration
    test or vulnerability assessment has been done since their last major release/
    Number o f in formation systems quantified as critical] * 100, e.g. Green: 100%,
    Orange >=75%, Red <75%
    Target O range (Gre en wou ld b e to o p erfec t)

    I mplementation evidence Reports o f penetration tests or vulnerability assessments per formed on


    in formation systems compared to number o f in formation systems classified as
    critical in the asset inventory
    Frequency Collect: yearly
    Rep or t: for e ach col lec tion

    Res p ons ible p ar ties I n formation owner: Ri sk owner

    I n formation col lec tor: E xp er ts with the know-how to conduc t p ene tration tes ts or

    execute vulnerability assessments


    Measurement client: Chie f in formation security o fficer
    D ata s ou rce Asset inventory, penetration test reports
    Rep or ti ng format Pie chart for current situation and line chart for compliance evolution representation

    Relationship I SO/I EC 2 70 01 : 2 01 3 , A.1 2 . 6 .1 : M anagement of technical vul nerabil ities

    I SO/I EC 2 70 01 : 2 01 3 , A.18 . 2 . 3 : Technical compl iance review

    48 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.3 0 Vulnerability landscape

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed Evaluate the vulnerability level o f the organization’s in formation systems
    M ea s u re Weight of op en (unp atched) vu l nerabi l ities

    Formu la/s cori ng Open vulnerability severity value (e.g. CVSS) * number o f a ffected systems
    Targe t To be defined accordingly to the organization’s risk appetite
    I mplementation evidence Analysis on vulnerability assessment activities
    Frequency Monthly or quarterly
    Res p on s ible p ar ties In formation owner: in formation security analysts or contracted third parties
    In formation collector: in formation security analysts
    In formation customer: in formation security manager
    D ata s ource Vulnerability assessment reports
    Vulnerability assessment tools
    Rep or ti ng format Aggregated score values for homogeneous or sensitive systems (external/internal
    networks, Unix systems, etc.)

    Relationship I S O/I EC 2 70 01 : 2 01 3 , A.1 2 . 6 .1 : M anagement of technical vu lnerabi lities

    © I SO /I E C 2 0 1 6 – All rights res erved 49


    ISO/IEC 2 7004: 2 01 6(E)

    B.3 1 Security in third party agreements – A

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d To evaluate the degree to which security is addressed in third party agreements
    Me as ure
    Average percent o f relevant security requirements addressed in third party
    agre ements

    [Su m of (for each agreement (numb er of requi red re qui rements - numb er of
    Formu la/s cori ng
    addressed requirements))/number o f agreements] * 100
    Target 100%
    I mplementation evidence Supplier datab as e, s uppl ier agre ement re cords

    Collect: quarterly
    Frequency
    Report: semi-annually
    In formation owner: Contract o ffice
    Res p ons ible Par ties In formation collector: Security sta ff
    Measurement client: Security manager, Business managers
    D ata s ource Supplier datab as e, s uppl ier agre ement re cords

    Line chart depicting a trend over multiple reporting periods; short summary o f
    Format
    findings and possible management actions

    Relationship ISO/IEC 27001:2013, A.15.1.2: Addressing security within supplier agreements

    NOTE This assumes that all security requirements are equal, whereas in practice this is not usually the case.
    An average can there fore hide significant variations and thereby present a false sense o f security. Likewise, the
    requirements that an organization places on its suppliers, and its suppliers’ ability to meet them, are likely to
    di ffer. This implies that suppliers should not all be measured in the same way. The supplier database should
    ideally include a security rating or category to ensure more accurate and meaning ful measurement.

    50 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.3 2 Security in third party agreements – B

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed To evaluate the degree to which security is addressed in third party agreements
    of p ers ona l in formation pro ces s ing

    M ea s u re Average percent of relevant security requirements addressed in third party agreements


    Formu la/s cori ng Identi fy number of security requirements that have to be addressed in each agreement
    per policy (availability, ratio, response time, help desk level, maintenance level etc.)
    Sum of (for each agreement (number of required requirements - number of addressed

    requ i rements)) /numb er of agre ements

    1 Average ratio of di fference of s tandard requi rements to addres s ed requirements:

    Sum o f (for each agreement ([Security requirements addressed total] – [Standard


    security requirements total.]))/[Number o f third party agreements]
    2 Trend of the ratio: C omp are with previous i nd icator 1

    Targe t 1 I ndic ator 1 shou ld b e gre ater than 0 .9

    2 I ndic ator 2 shou ld b e s table or upward

    I mplementation evidence Identi fy number o f security requirements that have to be addressed in each
    agreement per policy
    Frequency Collect: Monthly
    Analysis: Quarterly
    Report: Quarterly
    Measurement revision: 2 years
    Period o f measurement: Applicable 2 years
    Res p on s ible p ar ties In formation owner: Contract o ffice
    In formation collector: Security sta ff
    Measurement client: Managers responsible for an ISMS, Security manager
    D ata s ource Third party agreements
    Rep or ti ng format Line chart depicting a trend over multiple reporting periods. Short summary o f
    findings and possible management actions.

    Relationship ISO/IEC 27001:2013, A.15.1.2: Addressing security within supplier agreements

    © I SO /I E C 2 0 1 6 – All rights res erved 51


    ISO/IEC 2 7004: 2 01 6(E)

    B.3 3 Information security incident management effectiveness

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d Assess the e ffectiveness o f In formation security incident management
    Me as ure I ncidents no t res olved i n targe t ti meframe

    Formu la/s cori ng a) Define security incident categories and target time frames in which security
    incidents should be resolved for each security incident category
    b) Define indicator thresholds for security incidents exceeding category given
    target timeframes

    c) Compare the number o f incidents which resolving time exceeds the category
    target ti me frames and comp are thei r cou nt with the i nd icator th reshold s

    Target Incidents exceeding category target time frames within defined green threshold
    I mplementation evidence Target indicators get reported monthly
    Frequency Collect: Monthly
    Analysis: Monthly
    Report: Monthly
    M ea s urement revi s ion: Si x month s

    Period o f measurement: Monthly


    Res p ons ible p ar ties I n formation owner: M anagers res p ons ible for a n I S M S

    I n formation col lec tor: I ncident management manager

    Measurement client: ISMS management committee; Managers responsible for an


    ISMS; Security management; Incident management
    D ata s ou rce ISMS; individual incident; incident report; incident management tool
    Rep or ti ng format Monthly target indicator values in table and trend diagram format

    Relationship ISO/IEC 27001:2013, A.16: In formation security incident management

    52 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.3 4 Security incidents trend

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed 1. Trend o f in formation security incidents
    2. Trend o f categories o f in formation security incidents
    M ea s u re 1. Number of in formation security incidents in a defined time frame (e.g., month)
    2. Number o f in formation security incidents o f a specific category in a defined
    timeframe (e. g. , month)

    Formu la/s cori ng C o mp a re average me a s u re va lue fo r the la s t two ti me fra me s with the average

    me as urement value of the las t 6 ti meframes

    Define threshold values for trend indicators, e.g.,


    <1.0 equals Green
    1 . 0 0 – 1 . 3 0 e qua l s Yel low

    >1 . 3 equa ls Red

    1. Per form analysis for all incidents


    2. Per form analysis for each specific category
    Targe t Green

    I mplementation evidence Indicator values are reported monthly


    Frequency Monthly
    Res p on s ible p ar ties In formation owner: Computer security incident response team (CSIRT)
    In formation collector: Computer security incident response team (CSIRT)
    In formation customer: Chie f in formation o fficer, Chie f in formation security o fficer
    D ata s ource In formation security incident reports
    Rep or ti ng format Table with indic ator va lues

    Trend d iagram

    Relationship ISO/IEC 27001:2013, A.16.1: Management o f in formation security incidents


    and improvements

    © I SO /I E C 2 0 1 6 – All rights res erved 53


    ISO/IEC 2 7004: 2 01 6(E)

    B.3 5 Security event reporting

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d Measure whether security events are reported and formally treated.
    Me as ure Sum o f security events reported to the Computer security incident response team
    (C S I RT ) i n relation to the s i ze of the orga ni z ation

    Formu la/s cori ng Sum o f security events that have been reported and formally treated to CSIRT/
    Number o f security roles defined by the organization
    Target At least one security event per security role per year
    I mplementation evidence Ticketing system used for treating security events
    Frequency Collect: Yearly
    Report: Yearly
    Res p ons ible p ar ties In formation owner: Computer security incident response team (CSIRT)
    In formation collector: In formation security manager
    In formation customer: In formation security manager, top management
    D ata s ou rce I ncident rep or ts

    Rep or ti ng format Trend li ne showi ng the evolution of rep or ted events over las t p erio d s

    Relationship ISO/IEC 27001:2013, A.16.1.3: Reporting in formation security weaknesses

    54 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    B.3 6 ISMS review process

    I nformation descriptor Meaning or purpose

    M ea s u re I D Organization-defined
    I n formation ne ed To assess the degree of accomplishment of independent review o f in formation security
    M ea s u re P ro gres s ratio of accompl i she d i ndep endent reviews

    Formu la/s cori ng Divide [Number o f conducted reviews by third party


    ] by [Total number o f planned third party reviews]
    Targe t Resulting ratio o f indicator should fall primarily between 0.8 and 1.1 to conclude
    the achievement o f the control objective and no action. And it should be over 0.6 i f
    it fails to meet the primary condition.
    I mplementation evidence 1 Count number o f report o f conducted regular reviews by third party
    2. Count total number o f planned third party reviews
    Frequency Collect: Quarterly
    Analysis: Quarterly
    Report: Quarterly
    Measurement Revision: Review and update every 2 years
    Period o f Measurement: Applicable 2 years
    Res p on s ible p ar ties I nformation owner: M anagers res p ons ible for an I S M S

    In formation collector: Internal audit; Quality manager


    Measurement client: Managers responsible for an ISMS, Quality system manager
    D ata s ource 1. Reports o f third party reviews
    2. Plans o f third party reviews
    Rep or ti ng format B ar graph depic ti ng compl iance over s everal rep or ti ng p erio d s in relation to the

    thresholds defined by target

    Relationship ISO/IEC 27001:2013, A.18.2.1: Independent review o f in formation security

    © I SO /I E C 2 0 1 6 – All rights res erved 55


    ISO/IEC 2 7004: 2 01 6(E)

    B.3 7 Vulnerability coverage

    Information descriptor Meaning or purpose

    Me as ure I D Organization-defined
    I n formation nee d Evaluate the current visibility on organization’s systems vulnerabilities
    Me as ure Ratio o f systems which have been object o f vulnerability assessment/penetration
    tes ti ng ac tivities

    Formu la/s cori ng Number o f systems object o f a vulnerability assessment in the last quarter or o f a
    penetration test in the last year / total systems
    Target 1

    I mplementation evidence Analysis on vulnerability assessment and penetration testing activities


    Frequency Quarterly
    Res p ons ible p ar ties In formation owner: in formation security analysts or contracted third parties
    In formation collector: in formation security analysts
    In formation customer: in formation security manager
    D ata s ource Vulnerability assessment reports
    Vulnerability assessment tools
    Pene tration tes t rep or ts

    Rep or ti ng format Aggregate pie chart and homogeneous or sensitive systems arrays-wide pie chart
    showi ng the ob tai ned ratio s

    Relationship I SO/I EC 2 70 01 : 2 01 3 , A.18 . 2 . 3 : Technical compl iance review

    56 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    Annex C
    (informative)

    An example of free-text form measurement construction

    C.1 ‘Training effectiveness’ – effectiveness measurement construct

    In this example a ‘free text’ approach is taken to determine whether formalized training is a better way
    to convey in formation security objectives than just making the policy available online.
    As s ume al l memb ers of s taff (S1) are required to read the on line vers ion of the organi zation’s

    in formation security policy as a part o f their terms o f employment (contract).


    At any time, S2 = total number o f sta ff who have acknowledged reading the policy online (i.e. they have
    gone on l ine and at leas t s crol led-through to the end of the text) .

    S3 = number o f employees who have attended specific in formation security policy awareness training.
    (S3 will always be a sub-set o f S2, since the course will require their prior online reading o f the policy).
    All sta ff who have at least read the policy are required to take an online test, including those who have
    attended the formal training.

    S 4P = number o f sta ff who have taken the test a fter only reading the intranet policy and who achieve
    the p as s mark.

    S 4F = number o f people who have taken the test a fter only reading the intranet policy and who fail to
    achieve the p as s mark.

    S5 P = numb er of p eople who have taken the s ame tes t after attending the formal training and who

    achieve the p as s mark.

    S5 F = numb er of p eople who have taken the s ame tes t after attending the training and who fai l to

    achieve the p as s mark.

    E1=S1 - S2, the number o f sta ff yet to have any exposure to the in formation security policy.
    ), i.e. the proportion o f sta ff who have only read the policy and who have a good
    E 2 = S 4 P / (S 4 P + S 4 F

    comprehension o f it (that being determined by the pass threshold).


    E3 = S5 P / (S5 P + S5 F ) , as ab ove, for S5 , but for those s taff who have attended the formal training.

    E 4 = E3/E2 , i . e. the effec tivenes s ratio of training vers us plain sel f-ins truc tion .

    S1 - S2 is also a use ful measure, indicating how many sta ff members have yet to read the online policy.
    T his can have a threshold which triggers something an aler t when either (or b oth) of a prop or tion of

    total numbers o f sta ff is exceeded, but can also accommodate a duration within which the online policy
    must be read, in that there has to be a practical period o f time from when an employee begins and their
    initial introductory actions are to be completed.
    One can imagine that over time, as the in formation security awareness and culture advance, the
    threshold might be raised as trends are identified, as can analysis o f questions failed, which might lead
    to more e ffective expression o f the policy, or the setting o f more realistic goals.

    © I SO /I E C 2 0 1 6 – All rights res erved 57


    ISO/IEC 2 7004: 2 01 6(E)

    Bibliography

    [1] I S O/ TR 10 017, Guidance on statistical techniques for ISO 9001:2000

    [2 ] I S O/I EC 1 593 9, Systems and software engineering – Measurement process

    [3 ] I S O/I EC 2 70 0 0 , Information technology — Security techniques — Information security management

    systems — Overview and vocabulary

    [4] I S O/I EC 2 70 01 : 2 01 3 , Information technology — Security techniques — Information security

    management systems — Requirements

    [5 ] N I S T Sp ecial P ublication 8 0 0 -5 5 , Revision 1 , Performance Meas urement Guide for I nformation

    S ecurity, Ju ly 2 0 0 8 . http://csrc. nis t. gov/publications/nis tpubs/8 0 0 -55 -Rev1/SP8 0 0 -5 5 -rev1 .p df

    58 © I SO /I E C 2 0 1 6 – All rights res erved


    ISO/IEC 2 7004: 2 01 6(E)

    ICS  03.100.70; 35.030


    Price b as ed o n 5 8 pages

    © I SO /I EC 2 0 1 6 – All rights reserved

    You might also like