ISO 27004:2016

What is ISO 27004?

ISO / IEC 27004:2016 – Monitoring, measurement, assessment and evaluation, offers guidelines on how to determine the performance of the ISO / IEC 27001:2013 information security management framework. ISO / IEC 27004:2016 explains how to establish and operate assessment systems, and also reviews and records the effects of a series of information security measures.

How to measure Information Security

As the old saying goes “If you can’t measure it you can’t manage it” but why do we need to measure Information security? To continually improve what methods, procedures, policies and so on that are in place to protect your organisation.  Information security is key to the success of any organisation, one wrong security breach and your reputation as a security serious organisation is damaged.

You really can’t be too vigilant when it comes to information security. Cyber-attacks are among the most significant threats that a company can face. The security of personal data and commercially sensitive information is essential. But how do you tell if your ISO / IEC 27001:2013 Information Security Management System (ISMS) is making a difference?

SO / IEC 27004:2016 is here to help you out.

ISO / IEC 27004:2016 offers guidelines on how to determine the performance of ISO 27001. It describes how to create and operate evaluation systems and how to analyse and disclose the effects of a set of information security metrics.

That is why ISO / IEC 27004:2016 offers critical and realistic help to the many companies that implement ISO / IEC 27001:2013 to protect themselves from the increasing diversity of security attacks that company is facing today.

Security metrics can provide insight into the efficiency of the ISMS and, as such, take centre stage. If you are an engineer or contractor responsible for security and management analysis, or an executive who wants better decision-making information, security metrics have become a critical vehicle for communicating the status of an organisation’s cyber risk posture.

Organisations need support to resolve the issue of whether the organisation’s investment in information security management is successful, suited to reacting, defending and reacting to the ever-changing cyber-risk climate.

The history of ISO/IEC 27004:2016

ISO 27004:2009 was first published in 2009 as part of the ISO 27000 family of standards, this was later revised in 2016 and became known as ISO 27004:2016. Both Standards are guidelines and not requirements, therefore are not necessary or can be certified against, but what it does do very well is work with the other ISO 27000 standards, which we will move onto.

ISO / IEC 27004:2016 can bring various advantages

ISO / IEC 27004:2016 shows how to create an information security measurement programme, how to choose what to calculate, and how to operate the appropriate measurement processes.

It provides detailed descriptions of various types of controls and how the efficiency of those controls can be measured.

Among the many advantages for organisations using ISO / IEC 27004:2016 are as follows:

• Increased transparency
• Improved efficiency of information management and ISMS processes
• Evidence of conformity with the specifications of ISO / IEC 27001:2013, as well as relevant rules, legislation and regulations

ISO / IEC 27004:2016 replaced the 2009 edition and was modified to comply with the revised version of ISO / IEC 27001:2013 to give organisations excellent added value and trust.