ISO 27004:2016

ISO/IEC 27004:2016 provides guidance on how to monitor, measure, analyse, and evaluate the performance of an Information Security Management System (ISMS) based on ISO/IEC 27001. It helps organisations assess the effectiveness of their security controls and drive continual improvement in information security.

Book a demo
Author
Mark Sharron
Updated 1 April 2025
LinkedIn Twitter Twitter

What is ISO 27004?

ISO / IEC 27004:2016 – Monitoring, measurement, assessment and evaluation, offers guidelines on how to determine the performance of the ISO / IEC 27001:2013 information security management framework. ISO / IEC 27004:2016 explains how to establish and operate assessment systems, and also reviews and records the effects of a series of information security measures.

How to measure Information Security

As the old saying goes “If you can’t measure it you can’t manage it” but why do we need to measure Information security? To continually improve what methods, procedures, policies and so on that are in place to protect your organisation. Information security is key to the success of any organisation, one wrong security breach and your reputation as a security serious organisation is damaged.

You really can’t be too vigilant when it comes to information security. Cyber-attacks are among the most significant threats that a company can face. The security of personal data and commercially sensitive information is essential. But how do you tell if your ISO / IEC 27001:2013 Information Security Management System (ISMS) is making a difference?

SO / IEC 27004:2016 is here to help you out.

ISO / IEC 27004:2016 offers guidelines on how to determine the performance of ISO 27001. It describes how to create and operate evaluation systems and how to analyse and disclose the effects of a set of information security metrics.

That is why ISO / IEC 27004:2016 offers critical and realistic help to the many companies that implement ISO / IEC 27001:2013 to protect themselves from the increasing diversity of security attacks that company is facing today.

Security metrics can provide insight into the efficiency of the ISMS and, as such, take centre stage. If you are an engineer or contractor responsible for security and management analysis, or an executive who wants better decision-making information, security metrics have become a critical vehicle for communicating the status of an organisation’s cyber risk posture.

Organisations need support to resolve the issue of whether the organisation’s investment in information security management is successful, suited to reacting, defending and reacting to the ever-changing cyber-risk climate.

The history of ISO/IEC 27004:2016

ISO 27004:2009 was first published in 2009 as part of the ISO 27000 family of standards, this was later revised in 2016 and became known as ISO 27004:2016. Both Standards are guidelines and not requirements, therefore are not necessary or can be certified against, but what it does do very well is work with the other ISO 27000 standards, which we will move onto.

ISO / IEC 27004:2016 can bring various advantages

ISO / IEC 27004:2016 shows how to create an information security measurement programme, how to choose what to calculate, and how to operate the appropriate measurement processes.

It provides detailed descriptions of various types of controls and how the efficiency of those controls can be measured.

Among the many advantages for organisations using ISO / IEC 27004:2016 are as follows:

  • Increased transparency
  • Improved efficiency of information management and ISMS processes
  • Evidence of conformity with the specifications of ISO / IEC 27001:2013, as well as relevant rules, legislation and regulations

ISO / IEC 27004:2016 replaced the 2009 edition and was modified to comply with the revised version of ISO / IEC 27001:2013 to give organisations excellent added value and trust.



Manage all your compliance in one place

ISMS.online supports over 100 standards
and regulations, giving you a single
platform for all your compliance needs.

Book a demo


What clauses does ISO 27004 have?

ISO 27004 consists of 8 clauses and 3 annexes. ISO 27004:2016 has 4 key Clauses:

  • Rationale (Clause 5)
  • Characteristics (Clause 6)
  • Types of Measures (Clause 7)
  • Processes (Clause 8)

Along with 3 Annex A controls which are Informative:

  • An Information security measurement model
  • Measurement Construct Examples
  • An example of free-text form measurement construction

ISO/IEC 27004:2016 Clauses

Clause 1: Scope

Clause 2: Normative references

Clause 3: Terms and definitions

Clause 4: Structure and overview

Clause 5: Rationale

  • 5.1 The need for measurement
  • 5.2 Fulfilling the ISO/IEC 27001 requirements
  • 5.3 Validity of results
  • 5.4 Benefits

Clause 6: Characteristics

  • 6.1 General
  • 6.2 What to monitor
  • 6.3 What to measure
  • 6.4 When to monitor, measure, analyse and evaluate
  • 6.5 Who will monitor, measure, analyse and evaluate

Clause 7: Types of measures

  • 7.1 General
  • 7.2 Performance measures
  • 7.3 Effectiveness measures

Clause 8: Processes

  • 8.1 General
  • 8.2 Identify information needs
  • 8.3 Create and maintain measures
  • 8.4 Establish procedures
  • 8.5 Monitor and measure
  • 8.6 Analyse results
  • 8.7 Evaluate information security performance and ISMS effectiveness
  • 8.8 Review and improve monitoring, measurement, analysis and evaluation processes
  • 8.9 Retain and communicate documented information

ISO/IEC 27004:2016 Annex Clauses

Annex A: An information security measurement model

Annex B: Measurement construct examples

  • B.1 General
  • B.2 Resource allocation
  • B.3 Policy review
  • B.4 Management commitment
  • B.5 Risk exposure
  • B.6 Audit programme
  • B.7 Improvement actions
  • B.8 Security incident cost
  • B.9 Learning from information security incidents
  • B.10 Corrective action implementation
  • B.11 ISMS training or ISMS awareness
  • B.12 Information security training
  • B.13 Information security awareness compliance
  • B.14 ISMS awareness campaigns effectiveness
  • B.15 Social engineering preparedness
  • B.16 Password quality – manual
  • B.17 Password quality – automated
  • B.18 Review of user access rights
  • B.19 Physical entry controls system evaluation
  • B.20 Physical entry controls effectiveness
  • B.21 Management of periodic maintenance
  • B.22 Change management
  • B.23 Protection against malicious code
  • B.24 Anti-malware
  • B.25 Total availability
  • B.26 Firewall rules
  • B.27 Log files review
  • B.28 Device configuration
  • B.29 Pentest and vulnerability assessment
  • B.30 Vulnerability landscape
  • B.31 Security in third party agreements – a
  • B.32 Security in third party agreements – B
  • B.33 Information security incident management effectiveness
  • B.34 Security incidents trend
  • B.35 Security event reporting
  • B.36 ISMS review process
  • B.37 Vulnerability coverage

Annex C: An example of free-text form measurement construction

  • C.1 ‘Training effectiveness’ – effectiveness measurement construct

Jump to topic

Mark Sharron

Mark is the Head of Search & Generative AI Strategy at ISMS.online, where he develops Generative Engine Optimised (GEO) content, engineers prompts and agentic workflows to enhance search, discovery, and structured knowledge systems. With expertise in multiple compliance frameworks, SEO, NLP, and generative AI, he designs search architectures that bridge structured data with narrative intelligence.

Twitter

Explore other standards within the ISO 27k family

  1. The ISO 27000 Family
  2. ISO 27001
  3. ISO 27002
  4. ISO 27003
  5. ISO 27004
  6. ISO 27005
  7. ISO 27008
  8. ISO 27009
  9. ISO 27010
  10. ISO 27013
  11. ISO 27014
  12. ISO 27016
  13. ISO 27017
  14. ISO 27018
  15. ISO 27019
  16. ISO 27038
  17. ISO 27039
  18. ISO 27040
  19. ISO 27050
  20. ISO 27102
ISMS Platform Tour

Interested in an ISMS.online platform tour?

Start your free 2-minute interactive demo now and experience the magic of ISMS.online in action!

Try it for free

We’re a Leader in our Field

Users Love Us
Grid Leader - Spring 2025
Momentum Leader - Spring 2025
Regional Leader - Spring 2025 UK
Regional Leader - Spring 2025 EU
Best Est. ROI Enterprise - Spring 2025
Most Likely To Recommend Enterprise - Spring 2025

"ISMS.Online, Outstanding tool for Regulatory Compliance"

-Jim M.

"Makes external audits a breeze and links all aspects of your ISMS together seamlessly"

-Karen C.

"Innovative solution to managing ISO and other accreditations"

-Ben H.

SOC 2 is here! Strengthen your security and build customer trust with our powerful compliance solution today!