INTERNATIONAL STANDARD
ISO/IEC 27004 Second edition 2016-12-15
Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
(French title) Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
Reference number ISO/IEC 27004:2016(E)
© ISO/IEC 2016
ISO/IEC 27004:2016(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
the requester.
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
www.iso.org
© ISO/IEC 2016 – All rights reserved
Contents
Foreword iv
Introduction v
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Structure and overview 1
5 Rationale 2
5.1 The need for measurement 2
5.3 Validity of results 3
6 Characteristics 4
6.1 General 4
6.2 What to monitor 4
6.3 What to measure 5
6.4 When to monitor, measure, analyse and evaluate 6
6.5 Who will monitor, measure, analyse and evaluate 6
7 Types of measures 7
7.1 General 7
7.2 Performance measures 7
7.3 Effectiveness measures 8
8 Processes 9
8.1 General 9
8.2 Identify information needs 10
8.3 Create and maintain measures 11
8.3.1 General 11
8.3.2 Identify current security practices that can support information needs 11
8.3.3 Develop or update measures 12
8.3.4 Document measures and prioritize for implementation 13
8.3.5 Keep management informed and engaged 13
8.4 Establish procedures 14
8.5 Monitor and measure 14
8.6 Analyse results 15
8.7 Evaluate information security performance and ISMS effectiveness 15
8.8 Review and improve monitoring, measurement, analysis and evaluation processes 15
8.9 Retain and communicate documented information 15
Annex A (informative) An information security measurement model 17
Annex B (informative) Measurement construct examples 19
Annex C (informative) An example of free-text form measurement construction 57
Bibliography 58
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical members of ISO or IEC participate in the development of International Standards through technical organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). constitute an endorsement.
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. A total restructuring of the document because it has a new purpose – to provide guidance on ISO/IEC 27001:2013, 9.1 – which, at the time of the previous edition, did not exist. (ISO/IEC 15939) remains the same and several of the examples given in the previous edition are preserved, albeit updated.
Introduction
can be supportive of decisions relating to ISMS governance, management, operational effectiveness and continual improvement. As with other ISO/IEC 27000 documents, this document should be considered, interpreted and adapted This document is recommended for organizations implementing an ISMS that meets the requirements
Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation
1 Scope
This document provides guidelines intended to assist organizations in evaluating the information
2 Normative references
There are no normative references in this document.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
4 Structure and overview
This document is structured as follows:
a) Rationale (Clause 5);
b) Characteristics (Clause 6);
c) Types of measures (Clause 7);
d) Processes (Clause 8).
The ordering of these clauses is intended to aid understanding and map to ISO/IEC 27001:2013, 9.1 requirements, as is illustrated in Figure 1.
In addition, Annex A between the components of the measurement model and the requirements of ISO/IEC 27001:2013, 9.1. Annex B provides a wide range of examples. These examples are intended to provide practical guidance Table 1. Annex C provides a further example using an alternative free-form text-based format.
Figure 1 — Mapping to ISO/IEC 27001:2013, 9.1 requirements
5 Rationale
5.1 The need for measurement
information within its scope. There are ISMS activities that concern the planning of how to do this, and
Clause 7. ISO/IEC 27001:2013, 9.1 further requires the organization to determine:
The mapping of these requirements is provided in Figure 1. information as evidence of the monitoring and measurement results (see 8.9).
ISO/IEC 27001:2013, 9.1 also notes that methods selected should produce comparable and reproducible results in order for them to be considered valid (see 6.4).
5.3 Validity of results
ISO/IEC 27001:2013, 9.1 b) requires that organizations choose methods for measurement, monitoring, measures, taking the following points into consideration:
a) in order to get comparable results on measures that are based on monitoring at different points in
are situations where results are non-reproducible, but are valid when aggregated.
a) Increased accountability:
b) Improved information security performance and ISMS processes: Monitoring, measurement,
c) Evidence of meeting requirements: standards) requirements, as well as applicable laws, rules, and regulations.
d) Support decision-making: process. It can allow organizations to measure successes and failures of past and current allocation for future investments.
6 Characteristics
6.1 General
and ISMS effectiveness.
missed altogether if suitable measures are not in place. allow it to determine its information needs. Organizations should next decide what measures are needed to support each discrete information correspond to the information needs of the organization.
6.2 What to monitor
information need.
These monitoring activities produce data (event logs, user interviews, training statistics, incident measured, additional monitoring can be required to provide supporting information. Note that monitoring can allow an organization to determine whether a risk has materialized, and of such controls to support measurement, organizations should ensure that the measurement process
6.3 What to measure
processes, activities, controls and groups of controls.
As an example, consider ISO/IEC 27001:2013, 7.2 c), which requires an organization to take action, where who require training have received it and whether the training was delivered as planned. This can be measured with a post-training questionnaire). With regards to ISMS processes, organizations should note that there are a number of clauses in ISO/IEC 27001:2013, 10.1 d) requires organizations to “review the effectiveness of any corrective action taken this is explained in Clause 8. ISMS processes and activities that are candidates for measurement include:
i) auditing.
controls are determined through the process of risk treatment and are referred to in ISO/IEC 27001 as
of attributes that can be measured, such as:
m) how long after the occurrence of an event does it take for the control to detect that the event has occurred.
6.4 When to monitor, measure, analyse and evaluate
case of a reportable breach) or aggregated values (as might be the case for attempted intrusions which were detected and blocked).
evaluation can proceed, an appropriate volume of data needs to be collected in order to provide and evaluation can commence. 8.2. For example, if an organization is transitioning Furthermore, a baseline is needed to compare two sets of measures taken at different points in time activities into a measurement programme. It is important to note, however, that ISO/IEC 27001 has no requirement for organizations to have such a programme.
6.5 Who will monitor, measure, analyse and evaluate
Organizations (considering requirements of ISO/IEC 27001:2013, 9.1 and 5.3 measurement-related roles and responsibilities:
a) measurement client: the management or other interested parties requesting or requiring
c) measurement reviewer: the person or organizational unit that validates that the developed
d) information owner: the person or organizational unit that owns the information that provides
e) information collector: the person or organizational unit responsible for collecting, recording and
g) information communicator: the person or organizational unit responsible for communicating the
Individuals performing different roles and responsibilities throughout the processes can require diverse skill sets and associated awareness and training.
7 Types of measures
7.1 General
For the purposes of this guidance, the performance of planned activities and the effectiveness of the
a) performance measures: measures that express the planned results in terms of the characteristics
b) effectiveness measures: measures that express the effect that realization of the planned activities Note that the terms “performance measures” and “effectiveness measures” should not be confused effectiveness.
7.2 Performance measures
Performance measures can be used to demonstrate progress in implementing ISMS processes, associated activities have been realised and intended results achieved, performance measures should concern the ISMS activities. reduce the cost and effort required and the potential for human error.
Example 1 measurement activities can refocus on other controls in need of improvement. Example 2 and other meetings that can be called. The planned (or intended) result in this case is full attendance should reach and remain close to their planned targets. At this point, the organization should begin to focus its measurement efforts on effectiveness measures (see 7.3).
(see 7.3). According to ISO/IEC 27001:2013, 9.1, it is likewise important to also measure the effectiveness of performance and effectiveness at planned intervals.
7.3 Effectiveness measures
Effectiveness measures should be used to describe the effectiveness and impact that the realisations of the ISMS risk treatment plan and ISMS processes and controls have on the organization’s information
d) evaluate the degree to which ISMS processes, controls, or groups of controls have been implemented
h) interpret and report this data to decision makers.
These effectiveness measures combine information about the realisation of the risk treatment plan and can be the ones that ought to be of most interest to top management. Example 3 the greater the related risk exposure. An effectiveness measure can help an organization determine Example 4 measure can help the organization to determine the extent to which each trainee has understood
8 Processes
8.1 General
In addition, there is an ISMS management process that covers the review and improvement of the above processes, see 8.8.
Figure 2 — Monitoring, measurement, analysis and evaluation processes
8.2 Identify information needs
d) the risk treatment plan.
e) examine the ISMS, its processes and other elements such as:
g) select a subset of information needs required to be addressed in measurement activities from the
h) document and communicate the selected information needs to all relevant interested parties.
8.3 Create and maintain measures
8.3.1 General
measures at planned intervals or when the ISMS’s environment undergoes substantial changes. Such changes can include, among others:
Creating or updating such measures can include, among others, the following steps:
k) keep management informed and engaged. Updating measures is expected to take less time and effort than the initial creation.
8.3.2 Identify current security practices that can support information needs
practices can include measurement associated with:
8.3.3 Develop or update measures
enable these measures to be implemented.
g) reports from management reviews. These and other potential sources of data, which can be of either internal or external origin, should
Organizations should document each measure in a form that ties the measure to the relevant in Table 1. The examples in Annex B use Table 1 as a template. Two examples have an additional information Annex C demonstrates an alternative free-form approach. measurement clients (see Table 1), which can be internal or external. For example, measures for Each measure should correspond to, at least, one information need, while a single information need might require several measures.
Table 1 — Example security measure descriptors
Information descriptor: Meaning or purpose
Measure ID:
Information need: Over-arching need for understanding to which the measure contributes.
Measure:
Formula/scoring: How the measure should be evaluated, calculated or scored.
Target: Desired result of the measurement, e.g., a milestone or a statistical measure or a set of thresholds. Note that ongoing monitoring can be required to ensure continued attainment of the target.
Implementation evidence: of poor results, and provides input to the process. Data to provide input into the formula.
Frequency: multiple frequencies.
Responsible parties: The person responsible for gathering and processing the measure. At the least, an
Data source: Potential data sources can be databases, tracking tools, other parts of the organization,
Reporting format: chart, line chart, bar graph etc.), as part of a ‘dashboard’ or another form of presentation.
interested parties’ information needs. Note also that what is easiest to measure need not be most meaningful or most relevant. to be evaluated. Establishment of targets can be facilitated if historic data that pertains to developed or selected measures is available. Trends observed in the past can in some cases provide insight into ranges of organizations should be cautioned that without due consideration, setting targets based upon what continual improvement.
8.3.4 Document measures and prioritize for implementation
been implemented. Once performance measures are producing targeted values, effectiveness measures can be implemented as well. See also 6.4 for guidance on when to perform monitoring and related activities.
8.3.5 Keep management informed and engaged
Management on different organizational levels needs to be involved in developing and implementing and application.
8.4 Establish procedures
3) capturing contextual information, e.g., the time at which a datum was collected.
e) reporting methods and formats, which can include: model in Annex A).
time period, to more sophisticated cross-referencing reports with nested groupings, rolling labelling of end-points.
8.5 Monitor and measure
8.3.1 occur, the organization should Prior to publishing information in reports, dashboards, etc., the organization should determine how
consistent.
8.6 Analyse results
should be able to draw some initial conclusions based on the results. However, since the communicator(s) measures.
8.7 Evaluate information security performance and ISMS effectiveness
In accordance with 5.2, organizations should:
a) express their information needs in terms of the organization’s questions concerning information
b) express their measures in terms of those information needs. Annex A). Evaluation is the process of effectiveness questions.
8.8 Review and improve monitoring, measurement, analysis and evaluation processes
needs of the ISMS. Continual improvement activities can include, among other things:
8.9 Retain and communicate documented information
to retain documented information as evidence of the organization’s monitoring and measurements. Reports that are used to communicate measurement results to relevant interested parties should be should be documented for communication to interested parties.
measurement results, such as:
d) means for obtaining feedback from the interested parties to be used for evaluating the usefulness
Annex A (informative) An information security measurement model
The measurement information model described in Figure A.1 is presented and explained in ISO/IEC 15939, and can be applied to ISMS. It describes how attributes of relevant entities can be structure which starts with linking information needs to the relevant entities and attributes of concern. personnel and resources. Examples of relevant entities in an ISMS are: risk management process, The measurement information model helps to determine what the measurement planner needs to
To determine such indicators, an organization can establish base measures and derive a measure from The measurement model in this Annex (using base measure, derived measure, performance indicator
Figure A.1 — Key relationships in the measurement information model
Annex B (informative) Measurement construct examples
B.1 General
The examples in Annex B follow the principles set out in this document. The table below ISO/IEC 27001:2013.
Related ISMS processes and controls (Clause or control number in ISO/IEC 27001:2013) | Measurement construct example names
5.1, 7.1 | B.2 Resource allocation
7.5.2, A.5.1.2 |
5.1, 9.3 | B.4 Management commitment
8.2, 8.3 | B.5 Risk exposure
9.2, A.18.2.1 | B.6 Audit programme
10 | B.7 Improvement actions
10 |
10, A.16.1.6 |
10.1 | B.10 Corrective action implementation
A.7.2 | B.11 ISMS training or ISMS awareness
A.7.2.2 |
A.7.2.1, A.7.2.2 |
A.7.2.2 | B.14 ISMS awareness campaigns effectiveness
A.7.2.2, A.9.3.1, A.16.1 | B.15 Social engineering preparedness
A.9.3.1 |
A.9.3.1 |
A.9.2.5 | B.18 Review of user access rights
A.11.1.2 |
A.11.1.2 |
A.11.2.4 | B.21 Management of periodic maintenance
A.12.1.2 | B.22 Change management
A.12.2.1 | B.23 Protection against malicious code
A.12.2.1 | B.24 Anti-malware
A.12.2.1, A.17.2.1 |
A.12.2.1, A.13.1.3 | B.26 Firewall rules
A.12.4.1 |
A.12.6.1 |
A.12.6.1, A.18.2.3 |
A.12.6.1 |
A.15.1.2 |
A.16 |
A.16.1 |
A.16.1.3 |
A.18.2.1 | B.35 ISMS review process
A.18.2.3 |
is included for each example. In addition, for two examples (B.20 and B.28) an additional information Annex C demonstrates an alternative free-form approach.
B.2 Resource allocation
Information descriptor | Meaning or purpose
Measure ID |
Information need | to original budgets
Measure | contracted personnel, hardware, software, services) within annual budget
Formula/scoring | Allocated resources/used resources within a budgeted period of time
Target | 1
Implementation evidence |
Responsible parties | Information customer: board of directors
Data source |
Reporting format | allocated and used resources
Relationship | ISO/IEC 27001:2013, 5.1: Leadership and commitment; ISO/IEC 27001:2013, 7.1: Resources
B.3 Policy review
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring |
Target |
Implementation evidence | date of last review; changes) Report: for each collection
Responsible parties | Information collector: Internal auditor
Data source |
Reporting format | Pie chart for current situation and line chart for compliance evolution representation
Relationship | ISO/IEC 27001:2013, 7.5.2: Creating and updating of documented information
B.4 Management commitment
Information descriptor | Meaning or purpose
Measure ID |
Information need | regarding management review activities
Measure | a) Management review meetings completed to date b) Average participation rates in management review meetings to date
Formula/scoring | meetings scheduled] b) Compute mean and standard deviation of all participation rates to management review meetings
Target | Resulting ratio of indicator a) should fall between 0.7 and 1.1 to conclude the over 0.5 to conclude the least achievement. With regard to indicator b), Computed planning to deal with this outcome.
Implementation evidence | 1.1 Count management review meetings scheduled to date 1.2 Per management review meetings to date, count managers planned to attend ad hoc manner 2.1.1 Count planned management review meetings held to date 2.1.2 Count unplanned management review meetings held to date 2.1.3 Count rescheduled management review meetings held to date 2.2 For all management review meetings that were held, count the number of managers who attended
Responsible parties |
Data source | 2. Management review minutes/records
Reporting format | Line chart depicting indicator with criteria over several data collection and reporting periods with the statement of measurement results. The number of data collection
Relationship | ISO/IEC 27001:2013, 9.3: Management review; ISO/IEC 27001:2013, 5.1: Leadership and commitment
B.5 Risk exposure
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring | alerted if the threshold is breached b) Number of risks without status update
Target | 1
Implementation evidence | Updated risk register; Report: each quarter
Responsible parties |
Data source | Information risk register
Reporting format | Trend of high risks; Trend of accepted high and medium risks
Relationship |
B.6 Audit programme
Information descriptor | Meaning or purpose
Measure ID |
Information need | Completeness of the audit programme
Measure | Total number of audits performed compared with the total number of audits planned
Formula/scoring |
Target |
Implementation evidence | Audit programme and related reports monitoring
Responsible parties | Information owner: Audit manager; Information collector: Audit manager; Information customer: Top management
Data source | Audit programme and audit reports
Reporting format | Trend chart linking the ratio of completed audits against the programme for each
Relationship | ISO/IEC 27001:2013, 9.2: Internal audit
B.7 Improvement actions
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure | planned actions; the beginning of the timeframe
Formula/scoring |
Target |
Implementation evidence | Status monitoring of each action
Responsible parties |
Data source |
Reporting format | against the relevant number of actions in the timeframe
Relationship | ISO/IEC 27001:2013, Clause 10: Improvement
actions that address high risks). critical but within acceptable boundaries won’t hide a low number of critical actions outside acceptable boundaries.
B.8 Security incident cost
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring |
Target |
Implementation evidence |
Responsible parties | Information customer: Top management
Data source | Incident reports
Reporting format | sampling periods.
Relationship | ISO/IEC 27001:2013, Clause 10: Improvement
B.9 Learning from information security incidents
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring |
Target |
Implementation evidence |
Responsible parties |
Data source | Incident reports
Reporting format | sampling periods.
Relationship | ISO/IEC 27001:2013, Clause 10: Improvement
B.10 Corrective action implementation
Information descriptor | Meaning or purpose
Measure ID |
Information need | Assess performance of corrective action implementation
Measure | a) Status expressed as a ratio of corrective action not implemented b) Status expressed as a ratio of corrective action not implemented without reason c) Trend of statuses
Formula/scoring | planned to date] actions planned to date] c) Compare Statuses with Previous statuses
Target | and 0.0, and Trend of indicator c) should have been declining for the last 2 reporting periods. The indicator c) should be presented in comparison with previous indicators so that the trend in corrective action implementation can be examined.
Implementation evidence | 1. Count corrective actions planned to be implemented to date 3. Count corrective actions recorded as planned actions not taken with the reason
Responsible parties | Information owner: Managers responsible for ISMS; Information collector: Managers responsible for ISMS
Data source | Corrective action reports
Reporting format | Stacked bar chart with the statement of measurement results including an executive of corrective actions, separated into implemented, not implemented without a legitimate reason, and not implemented with a legitimate reason.
Relationship |
B.11 ISMS training or ISMS awareness
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring |
Target | otherwise Red reasons for non-compliance and poor performance; Green – no action is required
Implementation evidence | Period of Measurement: Annual
Responsible parties | Information owner: Training manager – Human resources; Information collector: Training management – Human resource department; Measurement client: Managers responsible for an ISMS, Chief information
Data source |
Reporting format | means and possible management actions should be attached to the bar chart. OR Pie chart for current situation and line chart for compliance evolution representation.
Relationship | ISO/IEC 27001:2013, A.7.2: Competence.
B.12 Information security training
Information descriptor | Meaning or purpose
Measure ID |
Information need | requirement
Measure |
Formula/scoring |
Target | reasons for non-compliance and poor performance. Green – no action is required.
Implementation evidence | Period of Measurement: Annual
Responsible parties | Information collector: Training management – Human resource department Training management
Data source |
Reporting format | -ure means and possible management actions should be attached to the bar chart.
Relationship | training.
B.13 Information security awareness compliance
Information descriptor | Meaning or purpose
Measure ID |
Information need | relevant personnel
Measure | 1. Progress to date 2. Progress to date with signing
Formula/scoring | planned to be completed to date; to date with signing; b) Compare status with previous statuses
Target | b) Trend should be upward or stable
Implementation evidence | 1.1. Count number of personnel scheduled to have signed and completed the training to date 1.2. Ask responsible individual for percent of personnel who have completed the training and signed 2.2. Count number of personnel having signed user agreements; Period of Measurement: Annual
Responsible parties | training management
Data source | 1.2 Personnel who have completed or in progress in the training: Personnel status with regard to the training 2.2. Personnel having signed agreements: Personnel status with regard to the signing of agreements
Reporting format | Bold Font = Criteria have not been met
Relationship | ISO/IEC 27001:2013, A.7.2.2: Management responsibilities training
B.14 ISMS awareness campaigns effectiveness
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure | campaign
Formula/scoring | Percentage of people passed the test
Target |
Implementation evidence | Collect: one month after awareness campaign; Report: for each collection
Responsible parties | Information owner: Human resources; Information collector: Human resources
Data source |
Reporting format | Pie chart for representing percentage of staff members passed the test situation and line chart for evolution representation if extra training has been organised
Relationship | training
B.15 Social engineering preparedness
Information descriptor | Meaning or purpose
Measure ID |
Information need | engineering attacks
Measure | a given test consisting in sending a phishing email to (a selected part of the) staff
Formula/scoring | a = Number of staff having clicked on the link/number of staff participating in the test; b = 1-Number of staff having reported the dangerous email through appropriate channels; c = Number of staff having followed the instruction given when clicking on the link, i.e. start revealing a password/number of staff participating; d = An appropriate weighted sum of the above parameter, depending on the nature of the test
Target | d: 0-60: Red, 60-80: Yellow, 90-100: Green
Implementation evidence | participants do not have to fear negative consequences from this test. Report: for each collection
Responsible parties | Measurement client: Risk owner
Data source | or intranet)
Reporting format | recommendation, based on target and agreed treatment
Relationship | and improvements ISO/IEC 27001:2013, A.9.3.1: Use of secret authentication information training
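The scoring described in the B.15 construct, worked through as an added example (not text from ISO/IEC 27004): it takes the base measures of one simulated-phishing exercise, derives a, b and c, combines them into d and applies the Red/Yellow/Green criteria. Assumptions not given on the page: b is normalised by the number of participants like a and c; d is put on a 0-100 scale where higher is better so that the 90-100 Green band reads as "well prepared"; the weights are illustrative; the 80-90 gap the page leaves unassigned is treated as Yellow; and the sample figures are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishingTestResult:
    """Base measures collected from one simulated-phishing exercise (constructed)."""
    participants: int   # staff who received the test e-mail
    clicked: int        # staff who clicked the link
    reported: int       # staff who reported the e-mail through the agreed channel
    revealed: int       # staff who followed the instruction (e.g. started typing a password)

    def validate(self) -> None:
        if self.participants <= 0:
            raise ValueError("a test needs at least one participant")
        for name in ("clicked", "reported", "revealed"):
            if not 0 <= getattr(self, name) <= self.participants:
                raise ValueError(f"{name} must lie between 0 and participants")
        if self.revealed > self.clicked:
            raise ValueError("nobody can reveal credentials without clicking first")


def base_ratios(result: PhishingTestResult) -> tuple:
    """a, b and c from the B.15 formula, each in [0, 1], higher meaning worse.

    a = clicked / participants
    b = 1 - reported / participants   (denominator is an assumption; the page elides it)
    c = revealed / participants
    """
    result.validate()
    n = result.participants
    return result.clicked / n, 1 - result.reported / n, result.revealed / n


def preparedness_score(result: PhishingTestResult, weights=(0.3, 0.3, 0.4)) -> float:
    """d on a 0-100 scale, higher = better prepared (assumption: the page only says
    'an appropriate weighted sum' and places Green at 90-100, so the weighted
    exposure is inverted). The weights are illustrative and must sum to 1."""
    wa, wb, wc = weights
    if min(weights) < 0 or abs(wa + wb + wc - 1.0) > 1e-9:
        raise ValueError("weights must be non-negative and sum to 1")
    a, b, c = base_ratios(result)
    exposure = wa * a + wb * b + wc * c      # 0.0 = nobody fell for it, 1.0 = everybody did
    return round(100.0 * (1.0 - exposure), 1)


def rag_band(d: float) -> str:
    """Decision criteria from the construct's Target row: 0-60 Red, 60-80 Yellow,
    90-100 Green. The page does not assign 80-90; treated here as Yellow (assumption)."""
    if not 0.0 <= d <= 100.0:
        raise ValueError("d must be within 0-100")
    if d < 60.0:
        return "Red"
    if d < 90.0:
        return "Yellow"
    return "Green"


def score_collection(current: PhishingTestResult, previous: PhishingTestResult = None) -> dict:
    """One reporting row (the construct reports once per collection): the three
    ratios, d, its band, and the change in d against the previous collection."""
    a, b, c = base_ratios(current)
    d = preparedness_score(current)
    row = {"a": round(a, 3), "b": round(b, 3), "c": round(c, 3), "d": d, "band": rag_band(d)}
    if previous is not None:
        row["delta_d"] = round(d - preparedness_score(previous), 1)
    return row


# Constructed sample data for two successive exercises (not real figures).
Q1 = PhishingTestResult(participants=50, clicked=30, reported=5, revealed=20)
Q2 = PhishingTestResult(participants=100, clicked=5, reported=90, revealed=1)

if __name__ == "__main__":
    print(score_collection(Q1))               # d = 39.0, Red
    print(score_collection(Q2, previous=Q1))  # d = 95.1, Green, delta_d = 56.1
```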
B.16 Password quality – manual
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring | Count number of passwords in user password database c) Divide [Total number of passwords complied with organization’s password d) Compare ratio with the previous ratio
Target | but positive trend indicates improvement. If the resulting ratio is below 0.8 immediate action should be taken.
Implementation evidence | 1 Count number of passwords on user password database
Responsible parties |
Data source |
Reporting format | Trend line that depicts the number of passwords compliant with organization’s reporting periods.
Relationship | ISO/IEC 27001:2013, A.9.3.1: Use of secret authentication information
B.17 Password quality – automated
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure | 1 Total number of passwords 2 Total number of uncrackable passwords
Formula/scoring | 1 Ratio of passwords crackable within 4 hours 2 Trend of the ratio 1 b) Compare ratio with the previous ratio
Target | but positive trend indicates improvement. If the resulting ratio is below 0.8 immediate action should be taken.
Implementation evidence |
Responsible parties |
Data source |
Reporting format | with lines produced during previous tests.
Relationship | ISO/IEC 27001:2013, A.9.3.1: Use of secret authentication information
B.18 Review of user access rights
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring |
Target |
Implementation evidence | completion) Report: each semester
Responsible parties | Information owner: Risk owner
Data source |
Reporting format | Pie chart for current situation and line chart for compliance evolution representation
Relationship | ISO/IEC 27001:2013, A.9.2.5: Review of user access rights
B.19 Physical entry controls system evaluation
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring | Scale from 0-5: 0 There is no access control system; 1 PIN code; 2 There is an access control card; 3 pass card and PIN code is used for; 4 Previous + log functionality activated; 5 biometric authentication (recognition, retina scan etc.)
Target |
Implementation evidence | Qualitative assessment where each subset grade is a part of the grade above. Control — PIN code usage — Biometric authentication; Measurement revision: 12 months; Period of measurement: Applicable 12 months
Responsible parties | Information collector: Internal auditor/external auditor; Measurement client: Management committee
Data source |
Reporting format | Graphs
Relationship |
B.20 Physical entry controls effectiveness
Information descriptor | Meaning or purpose
Measure ID |
Information need | personnel, facilities, and products appropriate protection of the organization’s information resources
Measure |
Formula/scoring |
Target | Below 1.0
Implementation evidence |
Responsible parties |
Data source |
Reporting format |
Relationship |
Action |
B.21 Management of periodic maintenance
Information descriptor | Meaning or purpose
Measure ID |
Information need | To evaluate timeliness of maintenance activities in relation to schedule
Measure |
Formula/scoring | For each completed event, subtract [Date of actual maintenance] from [Date of scheduled maintenance]
Target | 2. Ratio of completed maintenance events should be greater than 0.9 3. Trend should be stable or close to 0 4. Trend should be stable or upwards
Implementation evidence | 1 Dates of scheduled maintenance 2 Dates of completed maintenance 3 Total number of planned maintenance events 4 Total number of completed maintenance events
Responsible Parties |
Data source |
Format | within the scope
Relationship | ISO/IEC 27001:2013, A.11.2.4: Equipment maintenance
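The B.21 construct carried through in code, as an added example that is not part of the standard: the four base measures listed under Implementation evidence are taken from a list of maintenance events, the per-event schedule deviation is computed exactly as the Formula row says (scheduled date minus actual date, so late work is negative), and the Target criteria are applied against the previous reporting period. The event dates, and the tolerance that decides what counts as "close to 0", are constructed assumptions.

```python
from datetime import date
from statistics import mean
from typing import Optional

# One maintenance event: (date of scheduled maintenance, date of actual maintenance or None if not done).
Event = tuple


def base_measures(events: list) -> dict:
    """Base measures 1-4 from the construct's Implementation evidence row."""
    scheduled = [s for s, _ in events]
    completed = [c for _, c in events if c is not None]
    return {
        "scheduled_dates": scheduled,            # 1 Dates of scheduled maintenance
        "completed_dates": completed,            # 2 Dates of completed maintenance
        "planned_count": len(scheduled),         # 3 Total number of planned maintenance events
        "completed_count": len(completed),       # 4 Total number of completed maintenance events
    }


def derived_measures(events: list) -> dict:
    """Per-event deviation ([scheduled] - [actual], negative = late), its mean, and the completion ratio."""
    base = base_measures(events)
    deviations = [(s - c).days for s, c in events if c is not None]
    planned = base["planned_count"]
    return {
        "deviation_days": deviations,
        "mean_deviation_days": mean(deviations) if deviations else 0.0,
        "completion_ratio": base["completed_count"] / planned if planned else 0.0,
    }


def evaluate(current: list, previous: Optional[list] = None, tolerance_days: int = 3) -> dict:
    """Apply the Target criteria. tolerance_days (assumption) is how far the mean
    deviation may stray from 0 while still counting as 'close to 0'."""
    now = derived_measures(current)
    verdict = {
        "completion_ratio": round(now["completion_ratio"], 3),
        "mean_deviation_days": round(now["mean_deviation_days"], 2),
        # Target 2: ratio of completed maintenance events greater than 0.9
        "completion_ratio_met": now["completion_ratio"] > 0.9,
        # Target 3: mean deviation close to 0
        "deviation_close_to_zero": abs(now["mean_deviation_days"]) <= tolerance_days,
    }
    if previous is not None:
        before = derived_measures(previous)
        # Target 4: completion-ratio trend stable or upwards
        verdict["ratio_trend_ok"] = now["completion_ratio"] >= before["completion_ratio"]
        # Target 3, trend part: deviation not drifting further from 0 than last period
        verdict["deviation_trend_ok"] = (abs(now["mean_deviation_days"]) <= tolerance_days
                                        or abs(now["mean_deviation_days"]) <= abs(before["mean_deviation_days"]))
    return verdict


# Constructed sample data: weekly maintenance windows over two reporting periods.
PREVIOUS_PERIOD = [
    (date(2024, 1, 8), date(2024, 1, 8)),
    (date(2024, 1, 15), date(2024, 1, 20)),   # 5 days late
    (date(2024, 1, 22), None),                # not performed
    (date(2024, 1, 29), date(2024, 1, 29)),
    (date(2024, 2, 5), date(2024, 2, 9)),     # 4 days late
    (date(2024, 2, 12), None),                # not performed
    (date(2024, 2, 19), date(2024, 2, 19)),
    (date(2024, 2, 26), date(2024, 2, 27)),   # 1 day late
    (date(2024, 3, 4), date(2024, 3, 4)),
    (date(2024, 3, 11), date(2024, 3, 12)),   # 1 day late
]
CURRENT_PERIOD = [
    (date(2024, 4, 1), date(2024, 4, 1)),
    (date(2024, 4, 8), date(2024, 4, 10)),    # 2 days late
    (date(2024, 4, 15), date(2024, 4, 14)),   # 1 day early
    (date(2024, 4, 22), date(2024, 4, 22)),
    (date(2024, 4, 29), None),                # not performed
    (date(2024, 5, 6), date(2024, 5, 6)),
    (date(2024, 5, 13), date(2024, 5, 16)),   # 3 days late
    (date(2024, 5, 20), date(2024, 5, 20)),
    (date(2024, 5, 27), date(2024, 5, 27)),
    (date(2024, 6, 3), date(2024, 6, 4)),     # 1 day late
]

if __name__ == "__main__":
    # Ratio 0.9 does not exceed 0.9, so Target 2 is still missed even though the trend is upward.
    print(evaluate(CURRENT_PERIOD, PREVIOUS_PERIOD))
```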
B.22 Change management
Information descriptor | Meaning or purpose
Measure ID |
Information need | respected
Measure |
Formula/scoring | applications
Target |
Implementation evidence |
Responsible parties | Information owner: Risk owner; Information collector: Risk owner
Data source | review tool report
Reporting format | Pie chart for current situation and line chart for compliance evolution representation
Relationship | ISO/IEC 27001:2013, A.12.1.2: Change management
B.23 Protection against malicious code
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure | Trend of detected attacks that were not blocked over multiple reporting periods
Formula/scoring |
Target | constant trend
Implementation evidence | incident reports 2 Count number of records of blocked attacks
Responsible parties | Information owner; Information collector; Measurement client
Data source | 1 Incident reports 2 Logs of countermeasure software for malicious software
Reporting format | Trend line that depicts ratio of malicious software detection and prevention with lines produced during previous reporting periods
Relationship | ISO/IEC 27001:2013, A.12.2.1: Controls against malware
even if the increase of incidents can raise concern.
B.24 Anti-malware
Information descriptor | Meaning or purpose
Measure ID |
Information need | solution
Measure | with obsolete (e.g. more than one week) antimalware signatures
Formula/scoring | (Number of obsolete antivirus) / (Total workstation)
Target |
Implementation evidence |
Responsible parties | Information owner: IT operations; Information collector: IT operations
Data source | Monitoring tools; Antimalware console
Reporting format |
Relationship | ISO/IEC 27001:2013, A.12.2.1: Controls against malware
B.25 Total availability
Information descriptor | Meaning or purpose
Measure ID |
Information need | downtime
Measure |
Formula/scoring |
Target |
Implementation evidence |
Responsible parties | Information owner: IT operations
Data source | Monitoring tools
Reporting format | For each service, two lines:
Relationship |
B.26 Firewall rules
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring |
Target | 0
Implementation evidence |
Responsible parties |
Data source |
Reporting format |
Relationship | ISO/IEC 27001:2013, A.13.1.3: Segregation in networks
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring |
Target |
Implementation evidence |
Responsible parties |
Data source |
Reporting format | management actions
Relationship | ISO/IEC 27001:2013, A.12.4.1: Event logging
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring |
Target |
Implementation evidence |
Responsible Parties | Information owner: Network management; Information collector: Network management
Data source |
Reporting format |
Action |
Relationship | ISO/IEC 27001:2013, A.12.6.1: Management of technical vulnerabilities
B.29 Pentest and vulnerability assessment
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure |
Formula/scoring |
Target | Orange (Green would be too perfect)
Implementation evidence | Report: for each collection
Responsible parties | Information owner: Risk owner; Information collector: Experts with the know-how to conduct penetration tests or
Data source |
Reporting format | Pie chart for current situation and line chart for compliance evolution representation
Relationship | ISO/IEC 27001:2013, A.12.6.1: Management of technical vulnerabilities; ISO/IEC 27001:2013, A.18.2.3: Technical compliance review
B.30 Vulnerability landscape
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure | Weight of open (unpatched) vulnerabilities
Formula/scoring |
Target |
Implementation evidence |
Responsible parties |
Data source |
Reporting format |
Relationship | ISO/IEC 27001:2013, A.12.6.1: Management of technical vulnerabilities
B.31 Security in third party agreements – A
Information descriptor | Meaning or purpose
Measure ID |
Information need |
Measure | agreements
Formula/scoring | [Sum of (for each agreement (number of required requirements - number of
Target |
Implementation evidence | Supplier database, supplier agreement records
Responsible Parties |
Data source | Supplier database, supplier agreement records
Format |
Relationship |
B.32 Security in third party agreements – B

(Information descriptor / Meaning or purpose)
Measure ID:
Information need: of personal information processing
Measure:
Formula/scoring:
  1 Average ratio of difference of standard requirements to addressed requirements: Sum of (for each agreement (number of required requirements - number of addressed requirements))/number of agreements
  2 Trend of the ratio: Compare with previous indicator 1
Target:
  1 Indicator 1 should be greater than 0.9
  2 Indicator 2 should be stable or upward
Implementation evidence:
Responsible parties:
Data source:
Reporting format:
Relationship:
B.33 Information security incident management effectiveness

(Information descriptor / Meaning or purpose)
Measure ID:
Information need:
Measure: Incidents not resolved in target timeframe
Formula/scoring: target timeframes and compare their count with the indicator thresholds
Target:
Implementation evidence:
Measurement revision: Six months
Responsible parties: Information owner: Managers responsible for an ISMS. Information collector: Incident management manager
Data source:
Reporting format:
Relationship:
B.34 Security incidents trend

(Information descriptor / Meaning or purpose)
Measure ID:
Information need:
Measure: timeframe (e.g., month)
Formula/scoring: Compare average measure value for the last two timeframes with the average measurement value of the last 6 timeframes. 1.00 – 1.30 equals Yellow; >1.3 equals Red
Target: Green
Implementation evidence:
Responsible parties:
Data source:
Reporting format: Table with indicator values; Trend diagram
Relationship: and improvements
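The B.34 scoring rule (average of the last two timeframes divided by the average of the last six, with the Yellow and Red bands above) can be computed as follows. This is an added worked example, not text or code from the standard: the monthly incident counts are constructed sample data, the Green band for ratios below 1.00 and the treatment of an all-zero baseline are assumptions (the template only states the Yellow and Red bands and a Green target), and the function names are mine.

```python
"""Security incidents trend indicator in the style of ISO/IEC 27004 B.34.

Added example, not part of the standard. Counts are constructed sample data;
the Green band (ratio below 1.00) and the all-zero baseline handling are
assumptions, the template only states the Yellow and Red bands.
"""
from statistics import mean

BASELINE_PERIODS = 6   # "average measurement value of the last 6 timeframes"
RECENT_PERIODS = 2     # "average measure value for the last two timeframes"


def trend_ratio(counts):
    """Ratio of the recent average to the baseline average.

    counts: incidents per timeframe (e.g. month), oldest first.
    Raises ValueError until a full baseline window of 6 timeframes exists.
    """
    if len(counts) < BASELINE_PERIODS:
        raise ValueError(f"need at least {BASELINE_PERIODS} timeframes, got {len(counts)}")
    baseline = mean(counts[-BASELINE_PERIODS:])
    recent = mean(counts[-RECENT_PERIODS:])
    if baseline == 0:
        # Assumption: no incidents at all is the best case, while any incident
        # after a zero baseline is an unbounded increase.
        return 0.0 if recent == 0 else float("inf")
    return recent / baseline


def classify(ratio):
    """Map the ratio to the indicator colour given in the template."""
    if ratio > 1.30:
        return "Red"       # ">1.3 equals Red"
    if ratio >= 1.00:
        return "Yellow"    # "1.00 - 1.30 equals Yellow"
    return "Green"         # assumed: below 1.00 meets the Green target


def indicator_table(counts):
    """Rolling indicator per timeframe, for the 'table with indicator values'.

    Each row is (timeframe index, count, ratio rounded to 2 places, colour);
    timeframes without a full baseline window get ratio None and colour 'n/a'.
    """
    rows = []
    for i in range(len(counts)):
        window = counts[: i + 1]
        if len(window) < BASELINE_PERIODS:
            rows.append((i, counts[i], None, "n/a"))
        else:
            ratio = trend_ratio(window)
            rows.append((i, counts[i], round(ratio, 2), classify(ratio)))
    return rows


if __name__ == "__main__":
    # Constructed sample: monthly incident counts, oldest first.
    sample = [10, 12, 8, 10, 9, 11, 14, 16]
    for row in indicator_table(sample):
        print(row)
```

Note that the six-timeframe baseline includes the two recent timeframes, exactly as the template words it, so a sudden rise is damped slightly; the rolling table is what the "trend diagram" would be drawn from.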
B.35 Security event reporting

(Information descriptor / Meaning or purpose)
Measure ID:
Information need:
Measure: (CSIRT) in relation to the size of the organization
Formula/scoring:
Target:
Implementation evidence:
Responsible parties:
Data source: Incident reports
Reporting format: Trend line showing the evolution of reported events over last periods
Relationship:
B.36 ISMS review process

(Information descriptor / Meaning or purpose)
Measure ID:
Information need:
Measure: Progress ratio of accomplished independent reviews
Formula/scoring:
Target:
Implementation evidence:
Responsible parties: Information owner: Managers responsible for an ISMS
Data source:
Reporting format: Bar graph depicting compliance over several reporting periods in relation to the
Relationship:
B.37 Vulnerability coverage

(Information descriptor / Meaning or purpose)
Measure ID:
Information need:
Measure: testing activities
Formula/scoring:
Target: 1
Implementation evidence:
Responsible parties:
Data source: Penetration test reports
Reporting format: showing the obtained ratios
Relationship: ISO/IEC 27001:2013, A.18.2.3: Technical compliance review
Annex C (informative) An example of free-text form measurement construction

C.1 ‘Training effectiveness’ – effectiveness measurement construct

Assume all members of staff (S1) are required to read the online version of the organization’s gone online and at least scrolled-through to the end of the text).
attended the formal training.
S4P the pass mark.
S4F achieve the pass mark.
S5P = number of people who have taken the same test after attending the formal training and who achieve the pass mark.
S5F = number of people who have taken the same test after attending the training and who fail to achieve the pass mark.
E2 = S4P / (S4P + S4F)
E3 = S5P / (S5P + S5F), as above, for S5, but for those staff who have attended the formal training.
E4 = E3/E2, i.e. the effectiveness ratio of training versus plain self-instruction.
This can have a threshold which triggers an alert when either (or both) of a proportion of
Bibliography

[1] ISO/TR 10017, Guidance on statistical techniques for ISO 9001:2000
[2] ISO/IEC 15939, Systems and software engineering — Measurement process
[3] ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary
[4] ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements
[5] NIST Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security, 2008. http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf