ISO/IEC 27004:2016 – Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation (2nd edition)
A key part of ISO/IEC 27004 is on the measurement or assessment of information security management: it is commonly referred to as security metrics (if not within ISO/IEC JTC 1/SC 27!).
Scope and Objectives
It is intended to help organizations evaluate the performance of their ISO27k Information Security Management Systems, as well as provide information to help them manage their ISMSs and (where need be) improve them. It provides a significant expansion on clause 9.1 regarding monitoring, measurements, analyses and evaluation according to ISO/IEC 27001 standards.
The main sections are:
– Rationale: this describes the importance of measuring stuff, for instance, to improve accountability and performance;
– Characteristics: what to estimate, monitor, analyze, and evaluate, when to carry them out, and who to do them;
– Types of measures: efficiency (performance) and effectiveness;
– Processes: defining, implementing and analyzing metrics.
Many of the theoretical measurement models for the standard’s 2009 version are contained in Annex A.
In Annex B, 35 measurements of varying utility and quality are listed, according to the definition of a typical metric.
A pseudo-mathematical way of describing a metric, or rather a ‘construct for measuring effectiveness’ (!) is shown in Annex C.
Current status of the standard
In 2009, the standard was published for the first time.
The second edition was substantially revised (rewritten) in 2016.
A corrigendum is now being prepared to correct minor typographical errors.
While the 2009 standard was more academic/theoretical, the second edition for 2016 is much more pragmatic, making it more useful to practitioners of information security.
An ISMS is worthless without adequate metrics (hence the need for ISO/IEC 27001 to be listed as a normative or essential standard). However, information security metrics are valuable for all organizations, whether or not they have ISO27k ISMS systems. In my view, there are several important reasons why the revised 27004 standard aligns specifically with 27001: the standard’s narrow scope and focus will increase the probability of completion and publication within a reasonable timeframe (a challenge in the original version of 27004, and which delayed the 27005 revision). That however leaves a gap for standards of a broader scope, such as general risk and security metrics standard, or even an entire book.
Annexe B presents several metrics, not all of which are well described. You should not utilize them unless they are specifically tailored to your information needs. When it comes to security metrics, there are better measures.
Several metrics-related terms appear in the ISO/IEC 27000, however, most of them are no longer relevant. The next time 27000 is updated, they might be removed.
DIN, Germany’s standards body, suggested adding GQM (Goal-Question-Metric) to the standard – a great idea, however, it came too late in the revision process to improve the standard in 2016. The next revision should bring it back to the surface.