ISO 27004:2016

Monitoring, measurement, assessment and evaluation

What is ISO 27004?

ISO / IEC 27004:2016 – Monitoring, measurement, assessment and evaluation, offers guidelines on how to determine the performance of the ISO / IEC 27001:2013 information security management framework. ISO / IEC 27004:2016 explains how to establish and operate assessment systems, and also reviews and records the effects of a series of information security measures.

Hit your ISO 27001 deadline.

How to measure Information Security

As the old saying goes “If you can’t measure it you can’t manage it” but why do we need to measure Information security? To continually improve what methods, procedures, policies and so on that are in place to protect your organisation.  Information security is key to the success of any organisation, one wrong security breach and your reputation as a security serious organisation is damaged.

You really can’t be too vigilant when it comes to information security. Cyber-attacks are among the most significant threats that a company can face. The security of personal data and commercially sensitive information is essential. But how do you tell if your ISO / IEC 27001:2013 Information Security Management System (ISMS) is making a difference?

SO / IEC 27004:2016 is here to help you out.

ISO / IEC 27004:2016 offers guidelines on how to determine the performance of ISO 27001. It describes how to create and operate evaluation systems and how to analyse and disclose the effects of a set of information security metrics.

That is why ISO / IEC 27004:2016 offers critical and realistic help to the many companies that implement ISO / IEC 27001:2013 to protect themselves from the increasing diversity of security attacks that company is facing today.

Security metrics can provide insight into the efficiency of the ISMS and, as such, take centre stage. If you are an engineer or contractor responsible for security and management analysis, or an executive who wants better decision-making information, security metrics have become a critical vehicle for communicating the status of an organisation’s cyber risk posture.

Organisations need support to resolve the issue of whether the organisation’s investment in information security management is successful, suited to reacting, defending and reacting to the ever-changing cyber-risk climate.

The history of ISO/IEC 27004:2016

ISO 27004:2009 was first published in 2009 as part of the ISO 27000 family of standards, this was later revised in 2016 and became known as ISO 27004:2016. Both Standards are guidelines and not requirements, therefore are not necessary or can be certified against, but what it does do very well is work with the other ISO 27000 standards, which we will move onto.

ISO / IEC 27004:2016 can bring various advantages

ISO / IEC 27004:2016 shows how to create an information security measurement programme, how to choose what to calculate, and how to operate the appropriate measurement processes.

It provides detailed descriptions of various types of controls and how the efficiency of those controls can be measured.

Among the many advantages for organisations using ISO / IEC 27004:2016 are as follows:

  • Increased transparency
  • Improved efficiency of information management and ISMS processes
  • Evidence of conformity with the specifications of ISO / IEC 27001:2013, as well as relevant rules, legislation and regulations

ISO / IEC 27004:2016 replaced the 2009 edition and was modified to comply with the revised version of ISO / IEC 27001:2013 to give organisations excellent added value and trust.

Hit your ISO 27001 deadline

What clauses does ISO 27004 have?

ISO 27004 consists of 8 clauses and 3 annexes. ISO 27004:2016 has 4 key Clauses:

  • Rationale (Clause 5)
  • Characteristics (Clause 6)
  • Types of Measures (Clause 7)
  • Processes (Clause 8)

Along with 3 Annex A controls which are Informative:

  • An Information security measurement model
  • Measurement Construct Examples
  • An example of free-text form measurement construction

ISO/IEC 27004:2016 Clauses

Clause 1: Scope

Clause 2: Normative references

Clause 3: Terms and definitions

Clause 4: Structure and overview

Clause 5: Rationale

  • 5.1 The need for measurement
  • 5.2 Fulfilling the ISO/IEC 27001 requirements
  • 5.3 Validity of results
  • 5.4 Benefits

Clause 6: Characteristics

  • 6.1 General
  • 6.2 What to monitor
  • 6.3 What to measure
  • 6.4 When to monitor, measure, analyse and evaluate
  • 6.5 Who will monitor, measure, analyse and evaluate

Clause 7: Types of measures

  • 7.1 General
  • 7.2 Performance measures
  • 7.3 Effectiveness measures

Clause 8: Processes

  • 8.1 General
  • 8.2 Identify information needs
  • 8.3 Create and maintain measures
  • 8.4 Establish procedures
  • 8.5 Monitor and measure
  • 8.6 Analyse results
  • 8.7 Evaluate information security performance and ISMS effectiveness
  • 8.8 Review and improve monitoring, measurement, analysis and evaluation processes
  • 8.9 Retain and communicate documented information

ISO/IEC 27004:2016 Annex Clauses

Annex A: An information security measurement model

Annex B: Measurement construct examples

  • B.1 General
  • B.2 Resource allocation
  • B.3 Policy review
  • B.4 Management commitment
  • B.5 Risk exposure
  • B.6 Audit programme
  • B.7 Improvement actions
  • B.8 Security incident cost
  • B.9 Learning from information security incidents
  • B.10 Corrective action implementation
  • B.11 ISMS training or ISMS awareness
  • B.12 Information security training
  • B.13 Information security awareness compliance
  • B.14 ISMS awareness campaigns effectiveness
  • B.15 Social engineering preparedness
  • B.16 Password quality – manual
  • B.17 Password quality – automated
  • B.18 Review of user access rights
  • B.19 Physical entry controls system evaluation
  • B.20 Physical entry controls effectiveness
  • B.21 Management of periodic maintenance
  • B.22 Change management
  • B.23 Protection against malicious code
  • B.24 Anti-malware
  • B.25 Total availability
  • B.26 Firewall rules
  • B.27 Log files review
  • B.28 Device configuration
  • B.29 Pentest and vulnerability assessment
  • B.30 Vulnerability landscape
  • B.31 Security in third party agreements – a
  • B.32 Security in third party agreements – B
  • B.33 Information security incident management effectiveness
  • B.34 Security incidents trendB.35 Security event reporting
  • B.36 ISMS review processB.37 Vulnerability coverage

Annex C: An example of free-text form measurement construction
C.1 ‘Training effectiveness’ – effectiveness measurement construct

Explore other standards within the ISO 27k family

  • 1

    The ISO 27000 family

  • 2

    ISO 27002

  • 3

    ISO 27003

  • 4

    ISO 27004

  • 5

    ISO 27005

  • 6

    ISO 27008

  • 7

    ISO 27009

  • 8

    ISO 27010

  • 9

    ISO 27014

  • 11

    ISO 27013

  • 12

    ISO 27016

  • 13

    ISO 27017

  • 14

    ISO 27018

  • 15

    ISO 27019

  • 16

    ISO 27038

  • 17

    ISO 27039

  • 18

    ISO 27040

  • 19

    ISO 27050

  • 20

    ISO 27102