ISO 27004 offers guidelines on how to determine the performance of an ISO 27001 ISMS. It describes how to create and operate a measurement programme and how to analyze and report the results of a set of information security metrics. Metrics developed under these guidelines provide insight into how effectively the ISMS has been implemented (against ISO 27001). Without appropriate metrics, an organization will be unable to define its information security posture or to show how risks are being managed under ISO 27001, and it will be unable to communicate the benefits of ISO 27001 to management. Metrics are also the main vehicle that drives the PDCA and continual improvement cycle, because without a measured baseline there is nothing to check against and nothing to act on.
ISO 27004 is titled "Information security management - Monitoring, measurement, analysis and evaluation". It offers guidelines on how to determine the performance of an ISO/IEC 27001:2013 information security management system (ISMS).
So ISO 27004 provides guidelines on how to establish these metrics (choose what to measure), how to assess controls using these metrics, and how to record and communicate the results. It describes in detail how the effectiveness of ISO 27002 controls can be measured. Recording and communicating the effectiveness of ISO 27001 is important not only for continual improvement but also for increased transparency towards management, auditors and other interested parties.
First, ISO 27004 guides on "What to Monitor": which controls and processes should be monitored. It may not be possible to monitor all controls, so business requirements and regulatory and compliance requirements should define what is monitored. This selection will differ from organization to organization, as management deems appropriate.
Second, ISO 27004 guides on "What to Measure": which controls and processes should be measured. Monitoring differs from measurement. In measurement, we have to assign a tangible value (a count, a percentage, a duration) whose progress or trend can be established over time; monitoring only establishes the current status of a control or process.
Third, ISO 27004 guides on "When to monitor, measure, analyze and evaluate". The "when" depends on the organization's requirements. Some controls may require ad-hoc monitoring while others require continuous monitoring. Generally a periodic approach is followed, such as weekly, monthly or quarterly, and the reporting of these metrics follows the same cadence.
1. Performance: ISO 27004 defines "performance measures" as expressing the results in terms of the level of accomplishment, i.e. the degree to which the ISO 27002 controls have been implemented.
ISO 27004 builds on ISO 27003 (ISMS implementation guidance) by suggesting ways to monitor and evaluate the security of your ISMS once it is in place. It also helps organizations decide which of the controls in ISO 27002 should be measured, and the resulting records are useful evidence when preparing for an audit.
There are many other standards in the ISO 27000 series which are all designed to assist companies in securing their organizational information. These include ISO 27005, for organizations looking for more detail on how to carry out risk assessment and risk treatment, and ISO 27004, which provides guidelines intended to help organizations with monitoring, measurement, analysis and evaluation of their information security performance and the effectiveness of their ISMS.