ISO/IEC 27004 explained
ISO/IEC 27004 Information Technology – Security techniques – Information Security Management – Measurement. It is part of a family of standards of information security management system (ISMS), which is a systematic approach to securing sensitive information,[1] of ISO/IEC. It provides standards for a robust approach to managing information security (infosec) and building resilience.[2] It was published on December 7, 2009 and revised in December 2016. It is currently not certifiable and is not translated into Spanish.
This standard appears in ISO/IEC 27000-series (more information can be found in ISO/IEC 27000). The ISO/IEC 27004 standard provides guidelines intended to assist organizations to evaluate the performance of information security and the efficiency of a management system in order to meet the requirements of the ISO/IEC 27001.[3]
What does the standard establish?
This standard establishes:[4]
- Monitoring and measuring of information security performance.
- Monitoring and measuring the effectiveness of an Information Security Management System (ISMS), including processes and controls.
- Analysis and evaluating of monitoring and measurement results.
This standard is applicable to all types of organizations regardless of size.
Terms and structure
The terms and definitions given in this standard are defined within the standard ISO/IEC 27000. The ISO/IEC 27004 standard is structured as follows:[5]
- Logic Base
- Characteristics - this section defines, among other things, what to monitor, who and what to measure, when to monitor, measure and evaluate it.
- Types of measures - this section describes the two main types of measures: performance and effectiveness.
- Processes - this section defines the types of processes to follow.
In addition to that, it has 3 annexes (A, B, C):
- Annex A - describes an information security measurement model which includes the relationship of the components of the measurement model and the requirements of ISO/IEC 27001.
- Annex B - provides a wide range of examples that are used as a guide.
- Annex C - provides a more complete example.
References
- Web site: BS EN ISO/IEC 27001 Information Security Management – Precise definition of ISMS. www.iso.org. 7 April 2020.
- Web site: BS EN ISO/IEC 27001 Information Security Management – More about ISMS in ISO/IEC 27001. www.bsigroup.com. 3 April 2020.
- Web site: BS EN ISO/IEC 27004:2016 – What is ISO 27004?. www.iso.org. 3 April 2020.
- Web site: BS EN ISO/IEC 27004 Information Security Management – What ISO/IEC 27004 establishes?. webstore.iec.ch. 7 April 2020.
- Web site: BS EN ISO/IEC 27004:2016 – Preview of contents of ISO/IEC 27004:2016. www.iso.org. 3 April 2020.
External links