Newly updated ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of an information security management system (ISMS) built on the ISO/IEC 27001 standard.
ISO/IEC 27004:2016 explains how to develop and operate measurement processes, while also assessing and reporting the results of a set of information security metrics.
Replacing the 2009 edition of the standard, ISO/IEC 27004:2016 has been updated and extended to align with the revised version of ISO/IEC 27001, giving organizations increased value and confidence.
Edward Humphreys, convenor of the working group that developed the standard, said cyber attacks are among the greatest risks an organization can face.
“This is why the much improved version of ISO/IEC 27004 provides essential and practical support to the many organizations that are implementing ISO/IEC 27001 to protect themselves from the growing diversity of security attacks that business is facing today,” Humphreys said.
ISO/IEC 27004:2016 details how to construct an information security measurement program, select what to measure, and operate the necessary measurement processes. The standard also includes examples of different types of measures, and how to assess their effectiveness.
Benefits of implementing ISO/IEC 27004 include:
- Increased accountability
- Improved information security performance and ISMS processes
- Evidence of meeting the requirements of ISO/IEC 27001, applicable laws, rules, and regulations