ISO/IEC 27001 - How to measure the effectiveness of information security?

How can you tell that your ISO/IEC 27001 information security management system (ISMS) is making a difference?

You simply can’t be too careful when it comes to information security. Protecting personal records and commercially sensitive information is critical. But how can you tell that your ISO/IEC 27001 information security management system (ISMS) is making a difference? A new ISO/IEC International Standard can help you out.

The recently updated ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of ISO/IEC 27001. It explains how to develop and operate measurement processes, and how to assess and report the results of a set of information security metrics.

Prof. Edward Humphreys, Convenor of the working group that developed the standard (ISO/IEC JTC 1/SC 27), says: “Cyber-attacks are among the greatest risks an organization can face. This is why the much improved version of ISO/IEC 27004 provides essential and practical support to the many organizations that are implementing ISO/IEC 27001 to protect themselves from the growing diversity of security attacks that business is facing today.”

Security metrics can provide insights regarding the effectiveness of an ISMS and, as such, have taken centre stage. Whether you’re an engineer or consultant responsible for security and reporting to management or an executive who needs better information for decision making, security metrics have become an important vehicle for communicating the state of an organization’s cyber-risk posture.

In Prof. Humphreys’ own words: “Organizations need help to address the question of whether the organization’s investment in information security management is effective, fit for purpose to react, defend and respond to the continually changing cyber-risk environment. This is where ISO/IEC 27004 can provide numerous advantages.”

ISO/IEC 27004:2016 shows how to construct an information security measurement programme, how to select what to measure, and how to operate the necessary measurement processes. It includes extensive examples of different types of measures, and how the effectiveness of these measures can be assessed.

Among the many benefits to organizations of using ISO/IEC 27004 are: 

·   Increased accountability

·   Improved information security performance and ISMS processes

·   Evidence of meeting requirements of ISO/IEC 27001, as well as applicable laws, rules and regulations 

ISO/IEC 27004:2016 replaces the 2009 edition; it has been updated and extended to align with the revised version of ISO/IEC 27001 to provide organizations with greater added value and confidence.

ISO/IEC 27004:2016 was developed by joint technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT security techniques, whose secretariat is held by DIN, the ISO member for Germany. It is available from your national ISO member or through the ISO Store.

Source: www.iso.org


Related News

KMR HAPPY NEW YEAR  2021 AND ANNOUNCE  LUNAR NEW YEAR HOLIDAY
KMR HAPPY NEW YEAR 2021 AND ANNOUNCE LUNAR NEW YEAR HOLIDAY
03/02/2021

1432 Views

KMR VN would like to announce schedule for 2021 Lunar New Year holiday
ISO/IEC 27001:2022
ISO/IEC 27001:2022
06/04/2026

703 Views

Information security, cybersecurity and privacy protection — Information security management systems — Requirements certification ISO 27001:2022.
7 Quality Management Principles - Part 2/2
7 Quality Management Principles - Part 2/2
05/01/2017

16810 Views

The revious 8 Quality Management Principles have been revised and republiced as 7 within ISO 9001:2015
ISO 22000 CERTIFICATI PROCESS: A STRUCTURED ROADMAP FOR FOOD BUSINESSES
ISO 22000 CERTIFICATI PROCESS: A STRUCTURED ROADMAP FOR FOOD BUSINESSES
23/03/2026

849 Views

In the context of increasingly strict controls on food safety and quality, ISO 22000 certification is not only a mandatory requirement of many partners but also a “passport” that enhances a company’s credibility and competitiveness in the market. However, many organizations still wonder: Where should implementation begin? How should it be carried out? How long does it take to achieve certification?
7 Quality Management Principles - Part 1/2
7 Quality Management Principles - Part 1/2
30/12/2016

39114 Views

The QMPs can be used as a foundation to guide an organization’s performance improvement. They were developed and d by international experts of ISO/TC 176, which is responsible for developing and maintaining ISO’s quality management standards.
ISO 45001 – All you need to know
ISO 45001 – All you need to know
28/05/2018

10020 Views

Given that ISO 45001 will become part of the business norm, regardless of whether organizations choose to adopt it or not, it’s important for companies to stay abreast of the latest developments
What is ISO 14001:2015?
What is ISO 14001:2015?
29/01/2019

21644 Views

ISO 14001:2015 certification -An environmental management system helps organizations identify, manage, monitor and control their environmental issues in a holistic manner
The changes from ISO/TS 16949:2009 to IATF 16949:2016
The changes from ISO/TS 16949:2009 to IATF 16949:2016
16/02/2017

13697 Views

What are the changes from ISO/TS 16949:2009 to IATF 16949:2016?
ISO 45001:2016 - Occupational health and safety
ISO 45001:2016 - Occupational health and safety
18/11/2016

9989 Views

ISO 45001 is an International Standard that specifies requirements for an occupational health and safety (OH&S) management system, with guidance for its use, to enable an organization to proactively improve its OH&S performance in preventing injury and ill-health.

Comment
  • Your review