ISO/IEC 27001 - How to measure the effectiveness of information security?

How can you tell that your ISO/IEC 27001 information security management system (ISMS) is making a difference?

You simply can’t be too careful when it comes to information security. Protecting personal records and commercially sensitive information is critical. But how can you tell that your ISO/IEC 27001 information security management system (ISMS) is making a difference? A new ISO/IEC International Standard can help you out.

The recently updated ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of ISO/IEC 27001. It explains how to develop and operate measurement processes, and how to assess and report the results of a set of information security metrics.

Prof. Edward Humphreys, Convenor of the working group that developed the standard (ISO/IEC JTC 1/SC 27), says: “Cyber-attacks are among the greatest risks an organization can face. This is why the much improved version of ISO/IEC 27004 provides essential and practical support to the many organizations that are implementing ISO/IEC 27001 to protect themselves from the growing diversity of security attacks that business is facing today.”

Security metrics can provide insights regarding the effectiveness of an ISMS and, as such, have taken centre stage. Whether you’re an engineer or consultant responsible for security and reporting to management or an executive who needs better information for decision making, security metrics have become an important vehicle for communicating the state of an organization’s cyber-risk posture.

In Prof. Humphreys’ own words: “Organizations need help to address the question of whether the organization’s investment in information security management is effective, fit for purpose to react, defend and respond to the continually changing cyber-risk environment. This is where ISO/IEC 27004 can provide numerous advantages.”

ISO/IEC 27004:2016 shows how to construct an information security measurement programme, how to select what to measure, and how to operate the necessary measurement processes. It includes extensive examples of different types of measures, and how the effectiveness of these measures can be assessed.

Among the many benefits to organizations of using ISO/IEC 27004 are: 

·   Increased accountability

·   Improved information security performance and ISMS processes

·   Evidence of meeting requirements of ISO/IEC 27001, as well as applicable laws, rules and regulations 

ISO/IEC 27004:2016 replaces the 2009 edition; it has been updated and extended to align with the revised version of ISO/IEC 27001 to provide organizations with greater added value and confidence.

ISO/IEC 27004:2016 was developed by joint technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT security techniques, whose secretariat is held by DIN, the ISO member for Germany. It is available from your national ISO member or through the ISO Store.

Source: www.iso.org


Related News

Food safety management systems ISO 22000:2018
Food safety management systems ISO 22000:2018
08/04/2020

14313 Views

ISO 22000:2018, Food safety management systems – Requirements for any organization in the food chain, sets out the requirements for a food safety management system. It defines what an organization must do to demonstrate its ability to control food safety hazards and ensure that food is safe for consumption.
The ISO Survey of Management System Standard Certifications 2016
The ISO Survey of Management System Standard Certifications 2016
04/10/2017

11736 Views

The ISO Survey of Certifications is an annual survey of the number of valid certificates to ISO management system standards worldwide
ISO 45001 is now published
ISO 45001 is now published
13/03/2018

20052 Views

The world’s much anticipated International Standard for occupational health and safety (OH&S) has just been published, and is set to transform workplace practices globally
IDENTIFYING OHS HAZARDS AND MANAGING RISKS
IDENTIFYING OHS HAZARDS AND MANAGING RISKS
03/06/2025

105 Views

How do health and safety incidents impact your business? If a worker is injured or becomes unwell, what kind of disruption does it cause? Is your productivity affected? What is the impact on other workers, be it in terms of workload or psychological health and well-being?
ISO 45001:2016 - Occupational health and safety
ISO 45001:2016 - Occupational health and safety
18/11/2016

8609 Views

ISO 45001 is an International Standard that specifies requirements for an occupational health and safety (OH&S) management system, with guidance for its use, to enable an organization to proactively improve its OH&S performance in preventing injury and ill-health.
STANDARDS TO SUPPORT ISO 9001 HAVE JUST BEEN UPDATED.
STANDARDS TO SUPPORT ISO 9001 HAVE JUST BEEN UPDATED.
04/05/2021

1040 Views

Improved quality, performance, efficiencies and business relationships are just some of the benefits of implementing a quality management system (QMS) such as ISO 9001
BUILDING A SUSTAINABLE PATH TO ESG REPORTING
BUILDING A SUSTAINABLE PATH TO ESG REPORTING
31/10/2024

300 Views

An effective ESG report not only helps businesses enhance their social and environmental responsibility but also strengthens their brand position in the marketplace.
What is IATF16949:2016?
What is IATF16949:2016?
01/07/2022

1055 Views

What is IATF 16949:2016? The IATF maintains strong cooperation with ISO by continuing liaison committee status ensuring continued alignment with ISO 9001.
Vote starts on final draft of ISO 45001 for occupational health and safety
Vote starts on final draft of ISO 45001 for occupational health and safety
21/12/2017

4876 Views

ISO 45001 Occupational health and safety management systems – Requirements with guidance for use

Comment
  • Your review