ISO/IEC 27004

ISO 27004 provides guidance and describes a set of best practices for measuring the results of an ISMS in an organization. The standard specifies how to set up a measurement program, what parameters to measure, when to measure and how to measure, and helps organizations decide how to set performance targets and success criteria.

Need for measuring security

It is often quoted that it is impossible to manage something that you cannot measure accurately. This applies to information security as it does to other fields. Effectiveness measurements help an organization determine whether any ISMS processes or controls need to be improved or managed in a better way. Good metrics produce quantifiable values, in the form of numbers and percentages, that are necessary to focus management attention and support analysis.

Measurements provide single-point-in-time views of specific, discrete factors, while metrics are derived by comparing two or more measurements taken over time against a predetermined baseline. Technical security metrics provide assurance of the capability of systems or products to detect, protect against and respond to security threats.

According to the ISO 27004 standard, the kind of measurements that are required depends on the size and complexity of the organization, the cost-benefit to the organization, and the level of integration of information security into the overall business processes of the organization.

 

How to measure security

ISO 27004 defines how data should be collected and analyzed, how measurements should be constructed, and how the measurement program should be documented and integrated into the ISMS. The standard provides a model for the measurement of security where:

· Plan phase consists of integration with the ISMS and identification of the objects to be measured
· Do phase consists of the actual implementation of the security metric
· Check phase consists of the monitoring and review of results
· Act phase consists of improvements to ISMS measurement and implementation