ISO 27004:2016 on Security Measurements

ISO 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, is available.

ISO 27004:2016 provides guidelines to assist organizations in evaluating the information security performance and the effectiveness of an information security management system to meet the requirements of ISO 27001:2013, clause 9.1.

It establishes:

a) the monitoring and measurement of information security performance;
b) the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls;
c) the analysis and evaluation of the results of monitoring and measurement.

The results of monitoring and measurement of an information security management system (ISMS) can be supportive of decisions relating to ISMS governance, management, operational effectiveness, and continual improvement.

The 58 page ISO 27004:2016 standard can be purchased at this ISO web page for about $180.

ISO 27004:2016 Outline:

1. Scope
2. Normative references
3. Terms and definitions

4. Structure and overview
5. Rationale
6. Characteristics
7. Types of measures
8. Processes

Annex A: An information security measurement model
Annex B: Measurement construct examples (37 examples)
Annex C: An example of free-text form measurement construction

Please view our 1.5 day ISO 27001:2013 Requirements course description at this web page.