Iso-iec-27004-2016-english 36211e

INTERNATIONAL STANDARD

ISO/IEC 27004 Second edition 2016-12-15

Normen--Beuth-Max Planck Gesellschaft zur Förderung der Wissenschaften-KdNr.7926956-LfNr.7894926001-2017-03-17 13:49

Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation Technologies de l’information — Techniques de sécurité — Management de la sécurité de l’information — —”˜‡‹ŽŽƒ…‡, mesurage, analyse et évaluation

Reference number ISO/IEC 27004:2016(E)

http://mahdi.hashemitabar.com

© ISO/IEC 2016


ISO/IEC 27004:2016(E)

COPYRIGHT PROTECTED DOCUMENT © ISO/IEC 2016, Published in Switzerland ŽŽ”‹‰Š–•”‡•‡”˜‡†ǤŽ‡••‘–Š‡”™‹•‡•’‡…‹ϐ‹‡†ǡ‘’ƒ”–‘ˆ–Š‹•’—„Ž‹…ƒ–‹‘ƒ›„‡”‡’”‘†—…‡†‘”—–‹Ž‹œ‡†‘–Š‡”™‹•‡‹ƒ›ˆ‘” ‘” „› ƒ› ‡ƒ•ǡ ‡Ž‡…–”‘‹… ‘” ‡…Šƒ‹…ƒŽǡ ‹…Ž—†‹‰ ’Š‘–‘…‘’›‹‰ǡ ‘” ’‘•–‹‰ ‘ –Š‡ ‹–‡”‡– ‘” ƒ ‹–”ƒ‡–ǡ ™‹–Š‘—– ’”‹‘” ™”‹––‡’‡”‹••‹‘Ǥ‡”‹••‹‘…ƒ„‡”‡“—‡•–‡†ˆ”‘‡‹–Š‡” ƒ––Š‡ƒ††”‡••„‡Ž‘™‘” ǯ•‡„‡”„‘†›‹–Š‡…‘—–”›‘ˆ the requester. …‘’›”‹‰Š–‘ˆϐ‹…‡ Ch. de Blandonnet 8 • 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 …‘’›”‹‰Š–̷‹•‘Ǥ‘”‰ www.iso.org

ii


© ISO/IEC 2016 – All rights reserved

ISO/IEC 27004:2016(E)

Contents

Page

Foreword ........................................................................................................................................................................................................................................ iv


Introduction..................................................................................................................................................................................................................................v 1

Scope ................................................................................................................................................................................................................................. 1

2

Normative references ...................................................................................................................................................................................... 1

͵

‡”•ƒ††‡ϐ‹‹–‹‘• ..................................................................................................................................................................................... 1

4

Structure and overview ................................................................................................................................................................................. 1

5

Rationale ....................................................................................................................................................................................................................... 2 5.1 The need for measurement .......................................................................................................................................................... 2 ͷǤʹ —Žϐ‹ŽŽ‹‰–Š‡ Ȁ ʹ͹ͲͲͳ”‡“—‹”‡‡–• ................................................................................................................... 3 ͷǤ͵ ƒŽ‹†‹–›‘ˆ”‡•—Ž–• .................................................................................................................................................................................. 3 ͷǤͶ ‡‡ϐ‹–• .......................................................................................................................................................................................................... 3

6

Characteristics ........................................................................................................................................................................................................ 4 6.1 General ........................................................................................................................................................................................................... 4 6.2 What to monitor..................................................................................................................................................................................... 4 6.3 What to measure ................................................................................................................................................................................... 5 ͸ǤͶ Š‡–‘‘‹–‘”ǡ‡ƒ•—”‡ǡƒƒŽ›•‡ƒ†‡˜ƒŽ—ƒ–‡ .................................................................................................... 6 ͸Ǥͷ Š‘™‹ŽŽ‘‹–‘”ǡ‡ƒ•—”‡ǡƒƒŽ›•‡ƒ†‡˜ƒŽ—ƒ–‡ ................................................................................................... 6

7

Types of measures .............................................................................................................................................................................................. 7 7.1 General ........................................................................................................................................................................................................... 7 7.2 Performance measures .................................................................................................................................................................... 7 7.3 Effectiveness measures.................................................................................................................................................................... 8

8

Processes ...................................................................................................................................................................................................................... 9 8.1 General ........................................................................................................................................................................................................... 9 ͺǤʹ †‡–‹ˆ›‹ˆ‘”ƒ–‹‘‡‡†•........................................................................................................................................................ 10 8.3 Create and maintain measures............................................................................................................................................... 11 8.3.1 General................................................................................................................................................................................... 11 ͺǤ͵Ǥʹ †‡–‹ˆ›…—””‡–•‡…—”‹–›’”ƒ…–‹…‡•–Šƒ–…ƒ•—’’‘”–‹ˆ‘”ƒ–‹‘‡‡†•..................... 11 8.3.3 Develop or update measures .............................................................................................................................. 12 8.3.4 Document measures and prioritize for implementation ........................................................... 13 8.3.5 Keep management informed and engaged ............................................................................................. 13 8.4 Establish procedures ...................................................................................................................................................................... 14 8.5 Monitor and measure ..................................................................................................................................................................... 14 ͺǤ͸ ƒŽ›•‡”‡•—Ž–• ..................................................................................................................................................................................... 15 ͺǤ͹ ˜ƒŽ—ƒ–‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‡”ˆ‘”ƒ…‡ƒ† ‡ˆˆ‡…–‹˜‡‡•• ................................................... 15 ͺǤͺ ‡˜‹‡™ƒ†‹’”‘˜‡‘‹–‘”‹‰ǡ‡ƒ•—”‡‡–ǡƒƒŽ›•‹•ƒ†‡˜ƒŽ—ƒ–‹‘’”‘…‡••‡• ............ 15 8.9 Retain and communicate documented information ............................................................................................ 15

Annex A (informative) An information security measurement model ..........................................................................17 Annex B (informative) Measurement construct examples .........................................................................................................19 Annex C (informative) An example of free-text form measurement construction ............................................57 Bibliography ............................................................................................................................................................................................................................. 58



iii

ISO/IEC 27004:2016(E)

Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical ‘‹••‹‘Ȍ ˆ‘” –Š‡ •’‡…‹ƒŽ‹œ‡† •›•–‡ ˆ‘” ™‘”Ž†™‹†‡ •–ƒ†ƒ”†‹œƒ–‹‘Ǥ ƒ–‹‘ƒŽ „‘†‹‡• –Šƒ– ƒ”‡ of ISO or IEC participate in the development of International Standards through technical …‘‹––‡‡• ‡•–ƒ„Ž‹•Š‡† „› –Š‡ ”‡•’‡…–‹˜‡ ‘”‰ƒ‹œƒ–‹‘ –‘ †‡ƒŽ ™‹–Š ’ƒ”–‹…—Žƒ” ϐ‹‡Ž†• ‘ˆ –‡…Š‹…ƒŽ ƒ…–‹˜‹–›Ǥ ƒ† –‡…Š‹…ƒŽ…‘‹––‡‡•…‘ŽŽƒ„‘”ƒ–‡‹ϐ‹‡Ž†•‘ˆ—–—ƒŽ‹–‡”‡•–Ǥ–Š‡”‹–‡”ƒ–‹‘ƒŽ organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the ™‘”Ǥ –Š‡ϐ‹‡Ž†‘ˆ‹ˆ‘”ƒ–‹‘–‡…Š‘Ž‘‰›ǡ ƒ† Šƒ˜‡‡•–ƒ„Ž‹•Š‡†ƒŒ‘‹––‡…Š‹…ƒŽ…‘‹––‡‡ǡ ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for –Š‡†‹ˆˆ‡”‡––›’‡•‘ˆ†‘…—‡–•Š‘—Ž†„‡‘–‡†ǤŠ‹•†‘…—‡–™ƒ•†”ƒˆ–‡†‹ƒ……‘”†ƒ…‡™‹–Š–Š‡ editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). ––‡–‹‘ ‹• †”ƒ™ –‘ –Š‡ ’‘••‹„‹Ž‹–› –Šƒ– •‘‡ ‘ˆ –Š‡ ‡Ž‡‡–• ‘ˆ –Š‹• †‘…—‡– ƒ› „‡ –Š‡ •—„Œ‡…– ‘ˆ ’ƒ–‡– ”‹‰Š–•Ǥ ƒ† •ŠƒŽŽ ‘– „‡ Š‡Ž† ”‡•’‘•‹„Ž‡ ˆ‘” ‹†‡–‹ˆ›‹‰ ƒ› ‘” ƒŽŽ •—…Š ’ƒ–‡– ”‹‰Š–•Ǥ‡–ƒ‹Ž•‘ˆƒ›’ƒ–‡–”‹‰Š–•‹†‡–‹ϐ‹‡††—”‹‰–Š‡†‡˜‡Ž‘’‡–‘ˆ–Š‡†‘…—‡–™‹ŽŽ„‡‹–Š‡ Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).


›–”ƒ†‡ƒ‡—•‡†‹–Š‹•†‘…—‡–‹•‹ˆ‘”ƒ–‹‘‰‹˜‡ˆ‘”–Š‡…‘˜‡‹‡…‡‘ˆ—•‡”•ƒ††‘‡•‘– constitute an endorsement. ‘”ƒ‡š’Žƒƒ–‹‘‘–Š‡‡ƒ‹‰‘ˆ •’‡…‹ϐ‹…–‡”•ƒ†‡š’”‡••‹‘•”‡Žƒ–‡†–‘…‘ˆ‘”‹–›ƒ••‡••‡–ǡ as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. Š‹• •‡…‘† ‡†‹–‹‘ ‘ˆ Ȁ ʹ͹ͲͲͶ …ƒ…‡Ž• ƒ† ”‡’Žƒ…‡• –Š‡ ϐ‹”•– ‡†‹–‹‘ ȋ Ȁ ʹ͹ͲͲͶǣʹͲͲͻȌǡ ™Š‹…ŠŠƒ•„‡‡–‡…Š‹…ƒŽŽ›”‡˜‹•‡†Ǥ Š‹•‡†‹–‹‘‹…Ž—†‡•–Š‡ˆ‘ŽŽ‘™‹‰•‹‰‹ϐ‹…ƒ–…Šƒ‰‡•™‹–Š”‡•’‡…––‘–Š‡’”‡˜‹‘—•‡†‹–‹‘ǣ A total restructuring of the document because it has a new purpose – to provide guidance on ISO/IEC 27001:2013, 9.1 – which, at the time of the previous edition, did not exist. Š‡ …‘…‡’–• ƒ† ’”‘…‡••‡• Šƒ˜‡ „‡‡ ‘†‹ϐ‹‡† ƒ† ‡š’ƒ†‡†Ǥ ‘™‡˜‡”ǡ –Š‡ –Š‡‘”‡–‹…ƒŽ ˆ‘—†ƒ–‹‘ (ISO/IEC 15939) remains the same and several of the examples given in the previous edition are preserved, albeit updated.

iv



ISO/IEC 27004:2016(E)

Introduction Š‹• †‘…—‡– ‹• ‹–‡†‡† –‘ ƒ••‹•– ‘”‰ƒ‹œƒ–‹‘• –‘ ‡˜ƒŽ—ƒ–‡ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› ’‡”ˆ‘”ƒ…‡ ƒ†–Š‡‡ˆˆ‡…–‹˜‡‡••‘ˆƒ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡‡–•›•–‡‹‘”†‡”–‘ˆ—Žϐ‹Ž–Š‡”‡“—‹”‡‡–• ‘ˆ Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡͻǤͳǣ‘‹–‘”‹‰ǡ‡ƒ•—”‡‡–ǡƒƒŽ›•‹•ƒ†‡˜ƒŽ—ƒ–‹‘Ǥ Š‡ ”‡•—Ž–• ‘ˆ ‘‹–‘”‹‰ ƒ† ‡ƒ•—”‡‡– ‘ˆ ƒ ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› ƒƒ‰‡‡– •›•–‡ ȋ Ȍ can be ive of decisions relating to ISMS governance, management, operational effectiveness and continual improvement. As with other ISO/IEC 27000 documents, this document should be considered, interpreted and adapted –‘•—‹–‡ƒ…Š‘”‰ƒ‹œƒ–‹‘ǯ••’‡…‹ϐ‹…•‹–—ƒ–‹‘ǤŠ‡…‘…‡’–•ƒ†ƒ’’”‘ƒ…Š‡•ƒ”‡‹–‡†‡†–‘„‡„”‘ƒ†Ž› ƒ’’Ž‹…ƒ„Ž‡„—––Š‡’ƒ”–‹…—Žƒ”‡ƒ•—”‡•–Šƒ–ƒ›’ƒ”–‹…—Žƒ”‘”‰ƒ‹œƒ–‹‘”‡“—‹”‡•†‡’‡†‘…‘–‡š–—ƒŽ ˆƒ…–‘”• ȋ•—…Š ƒ• ‹–• •‹œ‡ǡ •‡…–‘”ǡ ƒ–—”‹–›ǡ ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› ”‹••ǡ …‘’Ž‹ƒ…‡ ‘„Ž‹‰ƒ–‹‘• ƒ† ƒƒ‰‡‡–•–›Ž‡Ȍ–Šƒ–˜ƒ”›™‹†‡Ž›‹’”ƒ…–‹…‡Ǥ


This document is recommended for organizations implementing an ISMS that meets the requirements ‘ˆ Ȁ ʹ͹ͲͲͳǤ ‘™‡˜‡”ǡ ‹– †‘‡• ‘– ‡•–ƒ„Ž‹•Š ƒ› ‡™ ”‡“—‹”‡‡–• ˆ‘” ™Š‹…Š …‘ˆ‘” –‘ Ȁ ʹ͹ͲͲͳ‘”‹’‘•‡ƒ›‘„Ž‹‰ƒ–‹‘•—’‘‘”‰ƒ‹œƒ–‹‘•–‘‘„•‡”˜‡–Š‡‰—‹†‡Ž‹‡•’”‡•‡–‡†Ǥ



v



INTERNATIONAL STANDARD

ISO/IEC 27004:2016(E)

Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation 1 Scope This document provides guidelines intended to assist organizations in evaluating the information •‡…—”‹–›’‡”ˆ‘”ƒ…‡ƒ†–Š‡‡ˆˆ‡…–‹˜‡‡••‘ˆƒ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡‡–•›•–‡‹‘”†‡”–‘ ˆ—Žϐ‹Ž–Š‡”‡“—‹”‡‡–•‘ˆ Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡͻǤͳǤ –‡•–ƒ„Ž‹•Š‡•ǣ ƒȌ –Š‡‘‹–‘”‹‰ƒ†‡ƒ•—”‡‡–‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‡”ˆ‘”ƒ…‡Ǣ „Ȍ –Š‡ ‘‹–‘”‹‰ ƒ† ‡ƒ•—”‡‡– ‘ˆ –Š‡ ‡ˆˆ‡…–‹˜‡‡•• ‘ˆ ƒ ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› ƒƒ‰‡‡– •›•–‡ȋ Ȍ‹…Ž—†‹‰‹–•’”‘…‡••‡•ƒ†…‘–”‘Ž•Ǣ …Ȍ –Š‡ƒƒŽ›•‹•ƒ†‡˜ƒŽ—ƒ–‹‘‘ˆ–Š‡”‡•—Ž–•‘ˆ‘‹–‘”‹‰ƒ†‡ƒ•—”‡‡–Ǥ


Š‹•†‘…—‡–‹•ƒ’’Ž‹…ƒ„Ž‡–‘ƒŽŽ–›’‡•ƒ†•‹œ‡•‘ˆ‘”‰ƒ‹œƒ–‹‘•Ǥ

2 Normative references Š‡ ˆ‘ŽŽ‘™‹‰ †‘…—‡–• ƒ”‡ ”‡ˆ‡””‡† –‘ ‹ –Š‡ –‡š– ‹ •—…Š ƒ ™ƒ› –Šƒ– •‘‡ ‘” ƒŽŽ ‘ˆ –Š‡‹” …‘–‡– …‘•–‹–—–‡• ”‡“—‹”‡‡–• ‘ˆ –Š‹• †‘…—‡–Ǥ ‘” †ƒ–‡† ”‡ˆ‡”‡…‡•ǡ ‘Ž› –Š‡ ‡†‹–‹‘ …‹–‡† ƒ’’Ž‹‡•Ǥ ‘” —†ƒ–‡†”‡ˆ‡”‡…‡•ǡ–Š‡Žƒ–‡•–‡†‹–‹‘‘ˆ–Š‡”‡ˆ‡”‡…‡††‘…—‡–ȋ‹…Ž—†‹‰ƒ›ƒ‡†‡–•Ȍƒ’’Ž‹‡•Ǥ There are no normative references in this document.

͵ ‡”•ƒ††‡ϐ‹‹–‹‘• ‘”–Š‡’—”’‘•‡•‘ˆ–Š‹•†‘…—‡–ǡ–Š‡–‡”•ƒ††‡ϐ‹‹–‹‘•‰‹˜‡‹ Ȁ ʹ͹ͲͲͲƒ’’Ž›Ǥ ISO and IEC maintain terminological databases for use in standardization at the following addresses: — IEC Electropedia: available at http://www.electropedia.org/ — ISO Online browsing platform: available at http://www.iso.org/obp

4 Structure and overview This document is structured as follows: a)

Rationale (Clause 5ȌǢ

b) Characteristics (Clause 6ȌǢ …Ȍ ›’‡•‘ˆ‡ƒ•—”‡•ȋClause 7ȌǢ d) Processes (Clause 8). The ordering of these clauses is intended to aid understanding and map to ISO/IEC 27001:2013, 9.1 requirements, as is illustrated in Figure 1. –ƒ”–‹‰™‹–Š–Š‡‹ˆ‘”ƒ–‹‘‡‡†‡†–‘ˆ—Žϐ‹Ž–Šƒ–”‡“—‹”‡‡–ǡ”‡ˆ‡””‡†–‘ƒ•‹ˆ‘”ƒ–‹‘‡‡†•ǡ–Š‡ ‘”‰ƒ‹œƒ–‹‘ †‡–‡”‹‡• –Š‡ ‡ƒ•—”‡• –Šƒ– ‹– ™‹ŽŽ —•‡ –‘ ˆ—Žϐ‹Ž –Š‘•‡ ‹ˆ‘”ƒ–‹‘ ‡‡†•Ǥ Š‡ ’”‘…‡•• © ISO/IEC 2016 – All rights reserved


1

ISO/IEC 27004:2016(E)

‘ˆ ‘‹–‘”‹‰ ƒ† ‡ƒ•—”‡‡– ’”‘†—…‡• †ƒ–ƒ ™Š‹…Š ‹• –Š‡ ƒƒŽ›•‡†Ǥ Š‡ ”‡•—Ž–• ‘ˆ ƒƒŽ›•‹• ƒ”‡ ‡˜ƒŽ—ƒ–‡†‹ˆ—Žϐ‹Ž‡–‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‹ˆ‘”ƒ–‹‘‡‡†•Ǥ In addition, Annex A†‡•…”‹„‡•ƒ‡ƒ•—”‡‡–‘†‡Žˆ‘”‹ˆ‘”ƒ–‹‘•‡…—”‹–›ǡ‹…Ž—†‹‰–Š‡”‡Žƒ–‹‘•Š‹’ between the components of the measurement model and the requirements of ISO/IEC 27001:2013, 9.1.


Annex B provides a wide range of examples. These examples are intended to provide practical guidance ‘ Š‘™ ‘”‰ƒ‹œƒ–‹‘• …ƒ ‘‹–‘”ǡ ‡ƒ•—”‡ǡ ƒƒŽ›•‡ ƒ† ‡˜ƒŽ—ƒ–‡ –Š‡‹” …Š‘•‡ ’”‘…‡••‡• ƒ† ƒ”‡ƒ•‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‡”ˆ‘”ƒ…‡ǤŠ‡•‡‡šƒ’Ž‡•—•‡–Š‡•—‰‰‡•–‡†–‡’Žƒ–‡‰‹˜‡‹Table 1. Annex C provides a further example using an alternative free-form text-based format.

Figure 1 — Mapping to ISO/IEC 27001:2013, 9.1 requirements

5 Rationale 5.1 The need for measurement Š‡ ‘˜‡”ƒŽŽ ‘„Œ‡…–‹˜‡ ‘ˆ ƒ ‹• –Š‡ ’”‡•‡”˜ƒ–‹‘ ‘ˆ …‘ϐ‹†‡–‹ƒŽ‹–›ǡ ‹–‡‰”‹–› ƒ† ƒ˜ƒ‹Žƒ„‹Ž‹–› ‘ˆ information within its scope. There are ISMS activities that concern the planning of how to do this, and –Š‡‹’Ž‡‡–ƒ–‹‘‘ˆ–Š‘•‡’Žƒ•Ǥ‘™‡˜‡”ǡ„›–Š‡•‡Ž˜‡•ǡ–Š‡•‡ƒ…–‹˜‹–‹‡•…ƒ‘–‰—ƒ”ƒ–‡‡–Šƒ––Š‡ ”‡ƒŽ‹•ƒ–‹‘‘ˆ–Š‘•‡’Žƒ•ˆ—Žϐ‹Ž–Š‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘„Œ‡…–‹˜‡•ǤŠ‡”‡ˆ‘”‡ǡ‹–Š‡ ƒ•†‡ϐ‹‡† „› Ȁ ʹ͹ͲͲͳǡ –Š‡”‡ ƒ”‡ •‡˜‡”ƒŽ ”‡“—‹”‡‡–• –‘ ‡˜ƒŽ—ƒ–‡ ‹ˆ –Š‡ ’Žƒ• ƒ† ƒ…–‹˜‹–‹‡• ‡•—”‡ –Š‡ ˆ—Žϐ‹Ž‡–‘ˆ–Š‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘„Œ‡…–‹˜‡•Ǥ

2



ISO/IEC 27004:2016(E)

ͷǤʹ —Žϐ‹ŽŽ‹‰–Š‡ Ȁ ʹ͹ͲͲͳ”‡“—‹”‡‡–• Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡͻǤͳ”‡“—‹”‡•–Š‡‘”‰ƒ‹œƒ–‹‘–‘‡˜ƒŽ—ƒ–‡–Š‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‡”ˆ‘”ƒ…‡ ƒ† –Š‡ ‡ˆˆ‡…–‹˜‡‡•• ‘ˆ –Š‡ Ǥ ‡ƒ•—”‡ –›’‡• ƒ„Ž‡ –‘ ˆ—Žϐ‹Ž –Š‡•‡ ”‡“—‹”‡‡–• …ƒ „‡ ˆ‘—† ‹ Clause 7. ISO/IEC 27001:2013, 9.1 further requires the organization to determine: ƒȌ ™Šƒ–‡‡†•–‘„‡‘‹–‘”‡†ƒ†‡ƒ•—”‡†ǡ‹…Ž—†‹‰‹ˆ‘”ƒ–‹‘•‡…—”‹–›’”‘…‡••‡•ƒ†…‘–”‘Ž•Ǣ „Ȍ –Š‡‡–Š‘†•ˆ‘”‘‹–‘”‹‰ǡ‡ƒ•—”‡‡–ǡƒƒŽ›•‹•ƒ†‡˜ƒŽ—ƒ–‹‘ǡƒ•ƒ’’Ž‹…ƒ„Ž‡ǡ–‘‡•—”‡˜ƒŽ‹† ”‡•—Ž–•Ǣ …Ȍ ™Š‡–Š‡‘‹–‘”‹‰ƒ†‡ƒ•—”‹‰•ŠƒŽŽ„‡’‡”ˆ‘”‡†Ǣ †Ȍ ™Š‘•ŠƒŽŽ‘‹–‘”ƒ†‡ƒ•—”‡Ǣ ‡Ȍ ™Š‡–Š‡”‡•—Ž–•ˆ”‘‘‹–‘”‹‰ƒ†‡ƒ•—”‡‡–•ŠƒŽŽ„‡ƒƒŽ›•‡†ƒ†‡˜ƒŽ—ƒ–‡†Ǣƒ† ˆȌ ™Š‘•ŠƒŽŽƒƒŽ›•‡ƒ†‡˜ƒŽ—ƒ–‡–Š‡•‡”‡•—Ž–•Ǥ The mapping of these requirements is provided in Figure 1.


‹ƒŽŽ›ǡ Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡ ͻǤͳ ”‡“—‹”‡• –Š‡ ‘”‰ƒ‹œƒ–‹‘ –‘ ”‡–ƒ‹ ƒ’’”‘’”‹ƒ–‡ †‘…—‡–‡† information as evidence of the monitoring and measurement results (See 8.9). ISO/IEC 27001:2013, 9.1 also notes that methods selected should produce comparable and reproducible results in order for them to be considered valid (See 6.4).

5.3 Validity of results ISO/IEC 27001:2013, 9.1 b) requires that organizations choose methods for measurement, monitoring, ƒƒŽ›•‹• ƒ† ‡˜ƒŽ—ƒ–‹‘ –‘ ‡•—”‡ ˜ƒŽ‹† ”‡•—Ž–•Ǥ Š‡ …Žƒ—•‡ ‘–‡• –Šƒ– –‘ „‡ ˜ƒŽ‹†ǡ ”‡•—Ž–• •Š‘—Ž† „‡ …‘’ƒ”ƒ„Ž‡ ƒ† ”‡’”‘†—…‹„Ž‡Ǥ ‘ ƒ…Š‹‡˜‡ –Š‹•ǡ ‘”‰ƒ‹œƒ–‹‘• •Š‘—Ž† …‘ŽŽ‡…–ǡ ƒƒŽ›•‡ǡ ƒ† ”‡’‘”– measures, taking the following points into consideration: a)

in order to get comparable results on measures that are based on monitoring at different points in –‹‡•ǡ‹–‹•‹’‘”–ƒ––‘‡•—”‡–Šƒ–•…‘’‡ƒ†…‘–‡š–‘ˆ–Š‡ ƒ”‡‘–…Šƒ‰‡†Ǣ

„Ȍ …Šƒ‰‡•‹–Š‡‡–Š‘†•‘”–‡…Š‹“—‡•—•‡†ˆ‘”‡ƒ•—”‹‰ƒ†‘‹–‘”‹‰†‘‘–‰‡‡”ƒŽŽ›Ž‡ƒ†–‘ …‘’ƒ”ƒ„Ž‡”‡•—Ž–•Ǥ ‘”†‡”–‘”‡–ƒ‹…‘’ƒ”ƒ„‹Ž‹–›ǡ•’‡…‹ϐ‹…–‡•–••—…Šƒ•’ƒ”ƒŽŽ‡Žƒ’’Ž‹…ƒ–‹‘‘ˆ –Š‡‘”‹‰‹ƒŽƒ•™‡ŽŽƒ•–Š‡…Šƒ‰‡†‡–Š‘†•…ƒ„‡”‡“—‹”‡†Ǣ …Ȍ ‹ˆ•—„Œ‡…–‹˜‡‡Ž‡‡–•ƒ”‡’ƒ”–‘ˆ–Š‡‡–Š‘†•‘”–‡…Š‹“—‡•—•‡†ˆ‘”‡ƒ•—”‹‰ƒ†‘‹–‘”‹‰ǡ •’‡…‹ϐ‹…•–‡’•…ƒ„‡‡‡†‡†–‘‘„–ƒ‹”‡’”‘†—…‹„Ž‡”‡•—Ž–•Ǥ•ƒ‡šƒ’Ž‡ǡ“—‡•–‹‘ƒ‹”‡”‡•—Ž–• •Š‘—Ž†„‡‡˜ƒŽ—ƒ–‡†ƒ‰ƒ‹•–†‡ϐ‹‡†…”‹–‡”‹ƒǢƒ† †Ȍ ‹•‘‡•‹–—ƒ–‹‘•ǡ”‡’”‘†—…‹„‹Ž‹–›…ƒ‘Ž›„‡‰‹˜‡‹•’‡…‹ϐ‹……‹”…—•–ƒ…‡•Ǥ ‘”‡šƒ’Ž‡ǡ–Š‡”‡ are situations where results are non-reproducible, but are valid when aggregated.

ͷǤͶ ‡‡ϐ‹–• —Žϐ‹ŽŽ‹‰ ’”‘…‡••‡•ƒ†…‘–”‘Ž•ƒ†‡•—”‹‰‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‡”ˆ‘”ƒ…‡…ƒ’”‘˜‹†‡ƒ —„‡”‘ˆ‘”‰ƒ‹œƒ–‹‘ƒŽƒ†ϐ‹ƒ…‹ƒŽ„‡‡ϐ‹–•ǤƒŒ‘”„‡‡ϐ‹–•…ƒ‹…Ž—†‡ǣ a)

Increased ability: ‘‹–‘”‹‰ǡ ‡ƒ•—”‡‡–ǡ ƒƒŽ›•‹• ƒ† ‡˜ƒŽ—ƒ–‹‘ …ƒ ‹…”‡ƒ•‡ ƒ……‘—–ƒ„‹Ž‹–› ˆ‘” ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› „› Š‡Ž’‹‰ –‘ ‹†‡–‹ˆ› •’‡…‹ϐ‹… ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› ’”‘…‡••‡•‘”…‘–”‘Ž•–Šƒ–ƒ”‡‹’Ž‡‡–‡†‹…‘””‡…–Ž›ǡƒ”‡‘–‹’Ž‡‡–‡†ǡ‘”ƒ”‡‹‡ˆˆ‡…–‹˜‡Ǥ

b) Improved information security performance and ISMS processes: Monitoring, measurement, ƒƒŽ›•‹•ƒ†‡˜ƒŽ—ƒ–‹‘…ƒ‡ƒ„Ž‡‘”‰ƒ‹œƒ–‹‘•–‘“—ƒ–‹ˆ›‹’”‘˜‡‡–•‹•‡…—”‹‰‹ˆ‘”ƒ–‹‘ © ISO/IEC 2016 – All rights reserved


3

ISO/IEC 27004:2016(E)

™‹–Š‹ –Š‡ •…‘’‡ ‘ˆ –Š‡‹” ƒ† †‡‘•–”ƒ–‡ “—ƒ–‹ϐ‹ƒ„Ž‡ ’”‘‰”‡•• ‹ ƒ……‘’Ž‹•Š‹‰ –Š‡ ‘”‰ƒ‹œƒ–‹‘ǯ•‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘„Œ‡…–‹˜‡•Ǥ c)

Evidence of meeting requirements: ‘‹–‘”‹‰ǡ ‡ƒ•—”‡‡–ǡ ƒƒŽ›•‹• ƒ† ‡˜ƒŽ—ƒ–‹‘ …ƒ ’”‘˜‹†‡ †‘…—‡–‡† ‡˜‹†‡…‡ –Šƒ– Š‡Ž’• †‡‘•–”ƒ–‡ ˆ—Žϐ‹ŽŽ‹‰ ‘ˆ Ȁ ʹ͹ͲͲͳ ȋƒ† ‘–Š‡” standards) requirements, as well as applicable laws, rules, and regulations.

d) decision-making:‘‹–‘”‹‰ǡ‡ƒ•—”‡‡–ǡƒƒŽ›•‹•ƒ†‡˜ƒŽ—ƒ–‹‘…ƒ•—’’‘”– ”‹•Ǧ ‹ˆ‘”‡† †‡…‹•‹‘Ǧƒ‹‰ „› …‘–”‹„—–‹‰ “—ƒ–‹ϐ‹ƒ„Ž‡ ‹ˆ‘”ƒ–‹‘ –‘ –Š‡ ”‹• ƒƒ‰‡‡– process. It can allow organizations to measure successes and failures of past and current ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹˜‡•–‡–•ǡƒ†•Š‘—Ž†’”‘˜‹†‡“—ƒ–‹ϐ‹ƒ„Ž‡†ƒ–ƒ–Šƒ–…ƒ•—’’‘”–”‡•‘—”…‡ allocation for future investments.

6 Characteristics 6.1 General


‘‹–‘”‹‰ƒ†‡ƒ•—”‡‡–‹•–Š‡ϐ‹”•–•–‡’‹ƒ’”‘…‡••–‘‡˜ƒŽ—ƒ–‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‡”ˆ‘”ƒ…‡ and ISMS effectiveness. ƒ…‡† ™‹–Š ƒ ’‘–‡–‹ƒŽŽ› ‘˜‡”™Š‡Ž‹‰ ˜ƒ”‹‡–› ‘ˆ ƒ––”‹„—–‡• ‘ˆ ‹ˆ‘”ƒ–‹‘ •‡…—”‹–›Ǧ”‡Žƒ–‡† ‡–‹–‹‡• –Šƒ–…ƒ„‡‡ƒ•—”‡†ǡ‹–‹•‘–‡–‹”‡Ž›‘„˜‹‘—•™Š‹…Š‘‡••Š‘—Ž†„‡‡ƒ•—”‡†ǤŠ‹•‹•ƒ‹’‘”–ƒ– ‹••—‡ „‡…ƒ—•‡ ‹– ‹• ‹’”ƒ…–‹…ƒ„Ž‡ǡ …‘•–Ž› ƒ† …‘—–‡”’”‘†—…–‹˜‡ –‘ ‡ƒ•—”‡ –‘‘ ƒ› ‘” –Š‡ ™”‘‰ ƒ––”‹„—–‡•Ǥ•‹†‡ˆ”‘–Š‡‘„˜‹‘—•…‘•–•‘ˆ‡ƒ•—”‹‰ǡƒƒŽ›•‹‰ƒ†”‡’‘”–‹‰—‡”‘—•ƒ––”‹„—–‡•ǡ –Š‡”‡‹•ƒ†‹•–‹…–’‘••‹„‹Ž‹–›–Šƒ–‡›‹••—‡•…ƒ„‡‘„•…—”‡†™‹–Š‹ƒŽƒ”‰‡˜‘Ž—‡‘ˆ‹ˆ‘”ƒ–‹‘‘” missed altogether if suitable measures are not in place. ‘”†‡” –‘ †‡–‡”‹‡ ™Šƒ– –‘ ‘‹–‘” ƒ† ‡ƒ•—”‡ǡ –Š‡ ‘”‰ƒ‹œƒ–‹‘ •Š‘—Ž† ϐ‹”•– …‘•‹†‡” ™Šƒ– ‹– ™‹•Š‡• –‘ ƒ…Š‹‡˜‡ ‹ ‡˜ƒŽ—ƒ–‹‰ ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› ’‡”ˆ‘”ƒ…‡ ƒ† ‡ˆˆ‡…–‹˜‡‡••Ǥ Š‹• …ƒ allow it to determine its information needs. Organizations should next decide what measures are needed to each discrete information ‡‡†ƒ†™Šƒ–†ƒ–ƒƒ”‡”‡“—‹”‡†–‘†‡”‹˜‡–Š‡”‡“—‹•‹–‡‡ƒ•—”‡•Ǥ‡…‡ǡ‡ƒ•—”‡‡–•Š‘—Ž†ƒŽ™ƒ›• correspond to the information needs of the organization.

6.2 What to monitor ‘‹–‘”‹‰ †‡–‡”‹‡• –Š‡ •–ƒ–—• ‘ˆ ƒ •›•–‡ǡ ƒ ’”‘…‡•• ‘” ƒ ƒ…–‹˜‹–› ‹ ‘”†‡” –‘ ‡‡– ƒ •’‡…‹ϐ‹‡† information need. ›•–‡•ǡ’”‘…‡••‡•ƒ†ƒ…–‹˜‹–‹‡•™Š‹…Š…ƒ„‡‘‹–‘”‡†‹…Ž—†‡ǡ„—–ƒ”‡‘–Ž‹‹–‡†–‘ǣ ƒȌ ‹’Ž‡‡–ƒ–‹‘‘ˆ ’”‘…‡••‡•Ǣ „Ȍ ‹…‹†‡–ƒƒ‰‡‡–Ǣ …Ȍ ˜—Ž‡”ƒ„‹Ž‹–›ƒƒ‰‡‡–Ǣ †Ȍ …‘ϐ‹‰—”ƒ–‹‘ƒƒ‰‡‡–Ǣ ‡Ȍ •‡…—”‹–›ƒ™ƒ”‡‡••ƒ†–”ƒ‹‹‰Ǣ ˆȌ ƒ……‡••…‘–”‘Žǡϐ‹”‡™ƒŽŽƒ†‘–Š‡”‡˜‡–Ž‘‰‰‹‰Ǣ ‰Ȍ ƒ—†‹–Ǣ ŠȌ ”‹•ƒ••‡••‡–’”‘…‡••Ǣ ‹Ȍ ”‹•–”‡ƒ–‡–’”‘…‡••Ǣ ŒȌ –Š‹”†’ƒ”–›”‹•ƒƒ‰‡‡–Ǣ 4



ISO/IEC 27004:2016(E)

Ȍ „—•‹‡••…‘–‹—‹–›ƒƒ‰‡‡–Ǣ ŽȌ ’Š›•‹…ƒŽƒ†‡˜‹”‘‡–ƒŽ•‡…—”‹–›ƒƒ‰‡‡–Ǣƒ† Ȍ •›•–‡‘‹–‘”‹‰Ǥ These monitoring activities produce data (event logs, interviews, training statistics, incident ‹ˆ‘”ƒ–‹‘ǡ‡–…ǤȌ–Šƒ–…ƒ„‡—•‡†–‘•—’’‘”–‘–Š‡”‡ƒ•—”‡•Ǥ –Š‡’”‘…‡••‘ˆ†‡ϐ‹‹‰ƒ––”‹„—–‡•–‘„‡ measured, additional monitoring can be required to provide ing information. Note that monitoring can allow an organization to determine whether a risk has materialized, and –Š‡”‡„›‹†‹…ƒ–‡™Šƒ–ƒ…–‹‘‹–…ƒ–ƒ‡–‘–”‡ƒ–•—…Šƒ”‹•‹–•‡ŽˆǤ‘–‡ƒŽ•‘–Šƒ––Š‡”‡…ƒ„‡…‡”–ƒ‹ –›’‡•‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›…‘–”‘Ž•–Šƒ–Šƒ˜‡–Š‡‡š’Ž‹…‹–’—”’‘•‡‘ˆ‘‹–‘”‹‰ǤŠ‡—•‹‰‘—–’—–• of such controls to measurement, organizations should ensure that the measurement process –ƒ‡•‹–‘ƒ……‘—–™Š‡–Š‡”–Š‡†ƒ–ƒ—•‡†™ƒ•‘„–ƒ‹‡†„‡ˆ‘”‡‘”ƒˆ–‡”ƒ›–”‡ƒ–‡–ƒ…–‹‘™ƒ•–ƒ‡Ǥ

6.3 What to measure


‡ƒ•—”‡‡– ‹• ƒ ƒ…–‹˜‹–› —†‡”–ƒ‡ –‘ †‡–‡”‹‡ ƒ ˜ƒŽ—‡ǡ •–ƒ–—• ‘” –”‡† ‹ ’‡”ˆ‘”ƒ…‡ ‘” ‡ˆˆ‡…–‹˜‡‡••–‘Š‡Ž’‹†‡–‹ˆ›’‘–‡–‹ƒŽ‹’”‘˜‡‡–‡‡†•Ǥ‡ƒ•—”‡‡–…ƒ„‡ƒ’’Ž‹‡†–‘ƒ› processes, activities, controls and groups of controls. As an example, consider ISO/IEC 27001:2013, 7.2 c), which requires an organization to take action, where ƒ’’Ž‹…ƒ„Ž‡ǡ –‘ ƒ…“—‹”‡ ‡…‡••ƒ”› …‘’‡–‡…‡Ǥ ‘”‰ƒ‹œƒ–‹‘ …ƒ †‡–‡”‹‡ ™Š‡–Š‡” ƒŽŽ ‹†‹˜‹†—ƒŽ• who require training have received it and whether the training was delivered as planned. This can be ‡ƒ•—”‡†„›–Š‡—„‡”‘”’‡”…‡–ƒ‰‡‘ˆ’‡‘’Ž‡–”ƒ‹‡†Ǥ‘”‰ƒ‹œƒ–‹‘…ƒƒŽ•‘†‡–‡”‹‡™Š‡–Š‡” –Š‡‹†‹˜‹†—ƒŽ•™Š‘Šƒ˜‡„‡‡–”ƒ‹‡†ƒ…–—ƒŽŽ›ƒ…“—‹”‡†ƒ†”‡–ƒ‹‡†–Š‡‡…‡••ƒ”›…‘’‡–‡…‡ȋ™Š‹…Š can be measured with a post-training questionnaire). With regards to ISMS processes, organizations should note that there are a number of clauses in Ȁ ʹ͹ͲͲͳ–Šƒ–‡š’Ž‹…‹–Ž›”‡“—‹”‡–Š‡‡ˆˆ‡…–‹˜‡‡••‘ˆ•‘‡ƒ…–‹˜‹–›–‘„‡†‡–‡”‹‡†Ǥ ‘”‡šƒ’Ž‡ǡ ISO/IEC 27001:2013, 10.1 d) requires organizations to “review the effectiveness of any corrective action takenǳǤ ‘”†‡”–‘’‡”ˆ‘”•—…Šƒ”‡˜‹‡™ǡ–Š‡‡ˆˆ‡…–‹˜‡‡••‘ˆ…‘””‡…–‹˜‡ƒ…–‹‘••Š‘—Ž†ϐ‹”•–„‡ †‡–‡”‹‡†‹–‡”•‘ˆ•‘‡†‡ϐ‹‡†ˆ‘”‘ˆ‡ƒ•—”‡Ǥ ‘”†‡”–‘†‘–Š‹•–Š‡‘”‰ƒ‹œƒ–‹‘•Š‘—Ž†ϐ‹”•– †‡ϐ‹‡ƒƒ’’”‘’”‹ƒ–‡‹ˆ‘”ƒ–‹‘‡‡†ƒ†ƒ‡ƒ•—”‡ǡ‘”‡ƒ•—”‡•ǡ–‘•ƒ–‹•ˆ›‹–ǤŠ‡’”‘…‡••ˆ‘”†‘‹‰ this is explained in Clause 8. ISMS processes and activities that are candidates for measurement include: ƒȌ ’Žƒ‹‰Ǣ „Ȍ Ž‡ƒ†‡”•Š‹’Ǣ …Ȍ ”‹•ƒƒ‰‡‡–Ǣ †Ȍ ’‘Ž‹…›ƒƒ‰‡‡–Ǣ ‡Ȍ ”‡•‘—”…‡ƒƒ‰‡‡–Ǣ ˆȌ …‘—‹…ƒ–‹‰Ǣ ‰Ȍ ƒƒ‰‡‡–”‡˜‹‡™Ǣ ŠȌ †‘…—‡–‹‰Ǣƒ† i)

auditing.

‹–Š”‡‰ƒ”†•–‘‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‡”ˆ‘”ƒ…‡ǡ–Š‡‘•–‘„˜‹‘—•…ƒ†‹†ƒ–‡•ƒ”‡–Š‡‘”‰ƒ‹œƒ–‹‘ǯ• ‹ˆ‘”ƒ–‹‘•‡…—”‹–›…‘–”‘Ž•‘”‰”‘—’•‘ˆ•—…Š…‘–”‘Ž•ȋ‘”‡˜‡–Š‡‡–‹”‡”‹•–”‡ƒ–‡–’ŽƒȌǤŠ‡•‡ controls are determined through the process of risk treatment and are referred to in ISO/IEC 27001 as ‡…‡••ƒ”›…‘–”‘Ž•ǤŠ‡›…ƒ„‡ Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡ‡š…‘–”‘Ž•ǡ•‡…–‘”Ǧ•’‡…‹ϐ‹……‘–”‘Ž•ȋ‡Ǥ‰Ǥƒ• †‡ϐ‹‡†‹•–ƒ†ƒ”†••—…Šƒ• Ȁ ʹ͹ͲͳͲȌǡ…‘–”‘Ž••’‡…‹ϐ‹‡†„›‘–Š‡”•–ƒ†ƒ”†•ƒ†…‘–”‘Ž•–Šƒ– © ISO/IEC 2016 – All rights reserved


5

ISO/IEC 27004:2016(E)

Šƒ˜‡„‡‡†‡•‹‰‡†„›–Š‡‘”‰ƒ‹œƒ–‹‘Ǥ•–Š‡’—”’‘•‡‘ˆƒ…‘–”‘Ž‹•–‘‘†‹ˆ›”‹•ǡ–Š‡”‡ƒ”‡ƒ˜ƒ”‹‡–› of attributes that can be measured, such as: ŒȌ –Š‡†‡‰”‡‡–‘™Š‹…Šƒ…‘–”‘Ž”‡†—…‡•–Š‡Ž‹‡Ž‹Š‘‘†‘ˆ–Š‡‘……—””‡…‡‘ˆƒ‡˜‡–Ǣ Ȍ –Š‡†‡‰”‡‡–‘™Š‹…Šƒ…‘–”‘Ž”‡†—…‡•–Š‡…‘•‡“—‡…‡‘ˆƒ‡˜‡–Ǣ ŽȌ –Š‡ˆ”‡“—‡…›‘ˆ‡˜‡–•–Šƒ–ƒ…‘–”‘Ž…ƒ…‘’‡™‹–Š„‡ˆ‘”‡ˆƒ‹Ž—”‡Ǣƒ† m) how long after the occurrence of an event does it take for the control to detect that the event has occurred.

6.4 When to monitor, measure, analyse and evaluate


”‰ƒ‹œƒ–‹‘••Š‘—Ž††‡ϐ‹‡•’‡…‹ϐ‹…–‹‡ˆ”ƒ‡•‹™Š‹…Š–‘‘‹–‘”ǡ‡ƒ•—”‡ǡƒƒŽ›•‡ǡƒ†‡˜ƒŽ—ƒ–‡ǡ „ƒ•‡† ‘ ‹†‹˜‹†—ƒŽ ‹ˆ‘”ƒ–‹‘ ‡‡†•ǡ ”‡“—‹”‡† ‡ƒ•—”‡•ǡ ƒ† –Š‡ Ž‹ˆ‡…›…Ž‡ ‘ˆ †ƒ–ƒ •—’’‘”–‹‰ ‹†‹˜‹†—ƒŽ‡ƒ•—”‡•ǤŠ‡†ƒ–ƒ•—’’‘”–‹‰‡ƒ•—”‡•…ƒ„‡…‘ŽŽ‡…–‡†‘”‡ˆ”‡“—‡–Ž›–Šƒ–Š‡ƒƒŽ›•‹• ƒ†”‡’‘”–‹‰‘ˆ•—…Š‡ƒ•—”‡•–‘‹†‹˜‹†—ƒŽ‹–‡”‡•–‡†’ƒ”–‹‡•Ǥ ‘”‡šƒ’Ž‡ǡ™Š‹Ž‡†ƒ–ƒ‘•‡…—”‹–› ‹…‹†‡–•…ƒ„‡…‘ŽŽ‡…–‡†…‘–‹—ƒŽŽ›ǡ”‡’‘”–‹‰‘ˆ•—…Š†ƒ–ƒ–‘‡š–‡”ƒŽ‹–‡”‡•–‡†’ƒ”–‹‡••Š‘—Ž†„‡ „ƒ•‡†‘•’‡…‹ϐ‹…”‡“—‹”‡‡–•ǡ•—…Šƒ••‡˜‡”‹–›ȋ’‘••‹„Ž›”‡“—‹”‹‰‹‡†‹ƒ–‡‘–‹ϐ‹…ƒ–‹‘ƒ•‹–Š‡ case of a reportable breach) or aggregated values (as might be the case for attempted intrusions which were detected and blocked). ”‰ƒ‹œƒ–‹‘• •Š‘—Ž† ‘–‡ –Šƒ– ‹ ‘”†‡” –‘ •ƒ–‹•ˆ› …‡”–ƒ‹ ‹ˆ‘”ƒ–‹‘ ‡‡†•ǡ „‡ˆ‘”‡ ƒƒŽ›•‹• ƒ† evaluation can proceed, an appropriate volume of data needs to be collected in order to provide ƒ ‡ƒ‹‰ˆ—Ž „ƒ•‹• ˆ‘” ƒ••‡••‡– ƒ† …‘’ƒ”‹•‘ ȋ‡Ǥ‰Ǥ ™Š‡ …‘†—…–‹‰ •–ƒ–‹•–‹…ƒŽ ƒƒŽ›•‹•ȌǤ ƒ††‹–‹‘ǡ –Š‡ ’”‘…‡••‡• ‘ˆ ‘‹–‘”‹‰ǡ ‡ƒ•—”‡‡–ǡ ƒƒŽ›•‹•ǡ ƒ† ‡˜ƒŽ—ƒ–‹‘ …ƒ ‡‡† –‡•–‹‰ ƒ† ϐ‹‡Ǧ–—‹‰ „‡ˆ‘”‡ –Š‡ ”‡•—Ž–‹‰ ‡ƒ•—”‡• …ƒ „‡ —•‡ˆ—Ž –‘ –Š‡ ‘”‰ƒ‹œƒ–‹‘Ǥ ”‰ƒ‹œƒ–‹‘• •Š‘—Ž† –Š‡”‡ˆ‘”‡†‡–‡”‹‡ƒŽ‹‹––‘–Š‡†—”ƒ–‹‘‘ˆƒ›ϐ‹‡Ǧ–—‹‰ȋ•‘ƒ•–‘’”‘…‡‡†™‹–Š–Š‡”‡ƒŽ‘„Œ‡…–‹˜‡ǡ ‡ƒ•—”‡‡–‘ˆ–Š‡ Ȍƒ†ˆ‘”Š‘™Ž‘‰‘‹–‘”‹‰ƒ†…‘ŽŽ‡…–‹‘•Š‘—Ž†…‘–‹—‡„‡ˆ‘”‡ƒƒŽ›•‹• and evaluation can commence. ”‰ƒ‹œƒ–‹‘•…ƒƒ†Œ—•––Š‡‹”‡ƒ•—”‡‡––‹‡ˆ”ƒ‡•ǡƒ•–Š‡›—’†ƒ–‡–Š‡‹”‡ƒ•—”‡‡–ƒ…–‹˜‹–‹‡•ǡ –‘ƒ††”‡•••’‡…‹ϐ‹…‡˜‹”‘‡–ƒŽ…Šƒ‰‡•Ž‹•–‡†‹8.2. For example, if an organization is transitioning ˆ”‘ƒƒ—ƒŽ†ƒ–ƒ•‘—”…‡–‘ƒƒ—–‘ƒ–‡†•‘—”…‡ǡƒ…Šƒ‰‡‹ˆ”‡“—‡…›‘ˆ…‘ŽŽ‡…–‹‘…ƒ„‡”‡“—‹”‡†Ǥ Furthermore, a baseline is needed to compare two sets of measures taken at different points in time ƒ†’‘–‡–‹ƒŽŽ›„›†‹ˆˆ‡”‡–‡–Š‘†•„—–ƒ‹‹‰–‘ˆ—Žϐ‹Ž–Š‡•ƒ‡‹ˆ‘”ƒ–‹‘‡‡†Ǥ ‘”‰ƒ‹œƒ–‹‘ …ƒ …Š‘‘•‡ –‘ •–”—…–—”‡ –Š‡‹” ‘‹–‘”‹‰ǡ ‡ƒ•—”‡‡–ǡ ƒƒŽ›•‹•ǡ ƒ† ‡˜ƒŽ—ƒ–‹‘ activities into a measurement programme. It is important to note, however, that ISO/IEC 27001 has no requirement for organizations to have such a programme.

6.5 Who will monitor, measure, analyse and evaluate Organizations (considering requirements of ISO/IEC 27001:2013, 9.1 and 5.3Ȍ •Š‘—Ž† •’‡…‹ˆ› ™Š‘ ‘‹–‘”•ǡ‡ƒ•—”‡•ǡƒƒŽ›•‡•ƒ†‡˜ƒŽ—ƒ–‡•‹–‡”•‘ˆ‹†‹˜‹†—ƒŽ•‘””‘Ž‡•Ǥ‘‹–‘”‹‰ǡ‡ƒ•—”‡‡–ǡ ƒƒŽ›•‹•ǡ ƒ† ‡˜ƒŽ—ƒ–‹‘ …ƒ „‡ ’‡”ˆ‘”‡† —•‹‰ ‡‹–Š‡” ƒ—ƒŽ ‘” ƒ—–‘ƒ–‡† ‡ƒ•Ǥ Š‡–Š‡” –Š‡ ‡ƒ•—”‡‡– ‹• ’‡”ˆ‘”‡† ƒ—ƒŽŽ› ‘” ƒ—–‘ƒ–‹…ƒŽŽ›ǡ ‘”‰ƒ‹œƒ–‹‘• …ƒ †‡ϐ‹‡ –Š‡ ˆ‘ŽŽ‘™‹‰ measurement-related roles and responsibilities: a)

measurement client: the management or other interested parties requesting or requiring ‹ˆ‘”ƒ–‹‘ƒ„‘—––Š‡‡ˆˆ‡…–‹˜‡‡••‘ˆƒ ǡ…‘–”‘Ž•‘”‰”‘—’‘ˆ…‘–”‘Ž•Ǣ

„Ȍ ‡ƒ•—”‡‡–’Žƒ‡”ǣ–Š‡’‡”•‘‘”‘”‰ƒ‹œƒ–‹‘ƒŽ—‹––Šƒ–†‡ϐ‹‡•–Š‡‡ƒ•—”‡‡–…‘•–”—…–• –Šƒ–Ž‹•‡ƒ•—”ƒ„Ž‡ƒ––”‹„—–‡•–‘ƒ•’‡…‹ϐ‹‡†‹ˆ‘”ƒ–‹‘‡‡†Ǣ c)

6

measurement reviewer: the person or organizational unit that validates that the developed ‡ƒ•—”‡‡–…‘•–”—…–•ƒ”‡ƒ’’”‘’”‹ƒ–‡ˆ‘”‡˜ƒŽ—ƒ–‹‰‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‡”ˆ‘”ƒ…‡ƒ†–Š‡ ‡ˆˆ‡…–‹˜‡‡••‘ˆƒ ǡ…‘–”‘Ž•‘”‰”‘—’‘ˆ…‘–”‘Ž•Ǣ



ISO/IEC 27004:2016(E)

d) information owner: the person or organizational unit that owns the information that provides ‹’—–‹–‘‡ƒ•—”‡•ǤŠ‹•’‡”•‘‹•”‡•’‘•‹„Ž‡ˆ‘”’”‘˜‹†‹‰–Š‡†ƒ–ƒƒ†‹•ƒŽ•‘ˆ”‡“—‡–Ž›ȋ„—– ‘–ƒŽ™ƒ›•Ȍ”‡•’‘•‹„Ž‡ˆ‘”…‘†—…–‹‰‡ƒ•—”‡‡–ƒ…–‹˜‹–‹‡•Ǣ e)

information collector: the person or organizational unit responsible for collecting, recording and •–‘”‹‰–Š‡†ƒ–ƒǢ

ˆȌ ‹ˆ‘”ƒ–‹‘ƒƒŽ›•–ǣ–Š‡’‡”•‘‘”‘”‰ƒ‹œƒ–‹‘ƒŽ—‹–”‡•’‘•‹„Ž‡ˆ‘”ƒƒŽ›•‹‰†ƒ–ƒǢƒ† g) information communicator: the person or organizational unit responsible for communicating the ”‡•—Ž–•‘ˆƒƒŽ›•‹•Ǥ ”‰ƒ‹œƒ–‹‘•…ƒ…‘„‹‡•‘‡ǡ‘”’‘••‹„Ž›ƒŽŽǡ‘ˆ–Š‡•‡”‘Ž‡•Ǥ Individuals performing different roles and responsibilities throughout the processes can require diverse skill sets and associated awareness and training.

7 Types of measures 7.1 General


For the purposes of this guidance, the performance of planned activities and the effectiveness of the ”‡•—Ž–•…ƒ„‡‡ƒ•—”‡†„›ƒ’’Ž›‹‰–Š‡–™‘ˆ‘ŽŽ‘™‹‰–›’‡•‘ˆ‡ƒ•—”‡•ǣ a)

performance measures: measures that express the planned results in of the characteristics ‘ˆ –Š‡ ’Žƒ‡† ƒ…–‹˜‹–›ǡ •—…Š ƒ• Š‡ƒ† …‘—–•ǡ ‹Ž‡•–‘‡ ƒ……‘’Ž‹•Š‡–ǡ ‘” –Š‡ †‡‰”‡‡ –‘ ™Š‹…Š ‹ˆ‘”ƒ–‹‘•‡…—”‹–›…‘–”‘Ž•Šƒ˜‡„‡‡‹’Ž‡‡–‡†Ǣ

b) effectiveness measures: measures that express the effect that realization of the planned activities Šƒ•‘–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘„Œ‡…–‹˜‡•Ǥ Š‡•‡‡ƒ•—”‡•…ƒ„‡‹Š‡”‡–Ž›‘”‰ƒ‹œƒ–‹‘Ǧ•’‡…‹ϐ‹…•‹…‡‡ƒ…Š‘”‰ƒ‹œƒ–‹‘Šƒ•‹–•‘™’ƒ”–‹…—Žƒ” ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘„Œ‡…–‹˜‡•ǡ’‘Ž‹…‹‡•ƒ†”‡“—‹”‡‡–•Ǥ Note that the “performance measures” and “effectiveness measures” should not be confused ™‹–Š–Š‡ Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡͻǤͳ”‡“—‹”‡‡––‘‡˜ƒŽ—ƒ–‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‡”ˆ‘”ƒ…‡ƒ† effectiveness.

7.2 Performance measures Performance measures can be used to demonstrate progress in implementing ISMS processes, associated ’”‘…‡†—”‡•ƒ†•’‡…‹ϐ‹…•‡…—”‹–›…‘–”‘Ž•ǤŠ‡”‡ƒ•‡ˆˆ‡…–‹˜‡‡••…‘…‡”•–Š‡‡š–‡––‘™Š‹…Š’Žƒ‡† activities have been realised and intended results achieved, performance measures should concern the ‡š–‡––‘™Š‹…Š‹ˆ‘”ƒ–‹‘•‡…—”‹–›’”‘…‡••‡•ƒ†…‘–”‘Ž•Šƒ˜‡„‡‡‹’Ž‡‡–‡†ǤŠ‡•‡‡ƒ•—”‡• Š‡Ž’†‡–‡”‹‡™Š‡–Š‡”–Š‡ ’”‘…‡••‡•ƒ†‹ˆ‘”ƒ–‹‘•‡…—”‹–›…‘–”‘Ž•Šƒ˜‡„‡‡‹’Ž‡‡–‡† ƒ••’‡…‹ϐ‹‡†Ǥ ‡”ˆ‘”ƒ…‡‡ƒ•—”‡•—•‡†ƒ–ƒ–Šƒ–…ƒ„‡‘„–ƒ‹‡†ˆ”‘‹—–‡•ǡƒ––‡†ƒ…‡”‡…‘”†•ǡ’”‘Œ‡…–’Žƒ•ǡ ƒ—–‘ƒ–‡†•…ƒ‹‰–‘‘Ž•ƒ†‘–Š‡”…‘‘Ž›Ǧ—•‡†‡ƒ•‘ˆ†‘…—‡–‹‰ǡ”‡…‘”†‹‰ǡƒ†‘‹–‘”‹‰ ISMS activities. Š‡…‘ŽŽ‡…–‹‘ǡƒƒŽ›•‹•ǡƒ†”‡’‘”–‹‰‘ˆ‡ƒ•—”‡••Š‘—Ž†„‡ƒ—–‘ƒ–‡†™Š‡”‡˜‡”’‘••‹„Ž‡ǡ‹‘”†‡”–‘ reduce the cost and effort required and the potential for human error.



7

ISO/IEC 27004:2016(E)

Example 1 Š‡ ‡ƒ•—”‹‰ –Š‡ †‡‰”‡‡ ‘ˆ ‹’Ž‡‡–ƒ–‹‘ ‘ˆ •’‡…‹ϐ‹… ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› …‘–”‘Ž•ǡ •—…Š ƒ• –Š‡ ’‡”…‡–ƒ‰‡ ‘ˆ Žƒ’–‘’• ™‹–Š Šƒ”† †‹• ‡…”›’–‹‘ǡ –Š‡ ”‡•—Ž–• ‘ˆ –Š‹• ‡ƒ•—”‡ ™‹ŽŽ Ž‹‡Ž› „‡ǡ ƒ– ϐ‹”•–ǡŽ‡••–ŠƒͳͲͲΨǤŠ‡–Š‡”‡•—Ž– ”‡ƒ…Š‡•ƒ†”‡ƒ‹•ƒ– ͳͲͲΨǡ‹– …ƒ„‡…‘…Ž—†‡†–Šƒ– –Š‡ ‹ˆ‘”ƒ–‹‘•›•–‡•Šƒ˜‡ˆ—ŽŽ›‹’Ž‡‡–‡†–Š‡•‡…—”‹–›…‘–”‘Ž•ƒ††”‡••‡†„›–Š‹•‡ƒ•—”‡ǡƒ† measurement activities can refocus on other controls in need of improvement. Example 2


‘”ƒ‡™ ǡ–Š‡‘”‰ƒ‹œƒ–‹‘•Š‘—Ž†ϐ‹”•–•‡‡–‘‡•—”‡–Šƒ––‘’ƒƒ‰‡‡–ƒ––‡†•–Š‡”‡˜‹‡™ and other meetings that can be called. The planned (or intended) result in this case is full attendance ƒ– ƒŽŽ ‡‡–‹‰•ǡ „ƒ””‹‰ •‹…‡•• ƒ† ’‡”‹––‡† ’”‹‘” …‘‹–‡–•Ǥ Š‡ ‡ƒ•—”‡ ‹• •‹’Ž› Š‘™ ƒ›ƒ––‡†˜‡”•—•Š‘™ƒ›‘—‰Š––‘ƒ––‡†ǡ™‹–Šƒ’‘••‹„Ž‡‘†‹ϐ‹‡”–Šƒ–ƒ„•‡…‡™ƒ•ˆ‘”‰‘‘† ”‡ƒ•‘Ǥ–ϐ‹”•–ǡ–Š‡”‡•—Ž–•‘ˆ–Š‡•‡‡ƒ•—”‡•‹‰Š–‹†‹…ƒ–‡ƒ•Š‘”–ˆƒŽŽǤ‘™‡˜‡”ǡ™‹–Š–‹‡ǡ”‡•—Ž–• should reach and remain close to their planned targets. At this point, the organization should begin to focus its measurement efforts on effectiveness measures (see 7.3). ˆ–‡”‘•–’‡”ˆ‘”ƒ…‡‡ƒ•—”‡•”‡ƒ…Šƒ†”‡ƒ‹ƒ–ͳͲͲΨǡ–Š‡‘”‰ƒ‹œƒ–‹‘•Š‘—Ž†„‡‰‹–‘ˆ‘…—•‹–• ‡ƒ•—”‡‡–‡ˆˆ‘”–•‘‡ˆˆ‡…–‹˜‡‡••‡ƒ•—”‡•Ǥ”‰ƒ‹œƒ–‹‘••Š‘—Ž†‡˜‡”ˆ—ŽŽ›”‡–‹”‡’‡”ˆ‘”ƒ…‡ ‡ƒ•—”‡• „‡…ƒ—•‡ –Š‡› …ƒ „‡ Š‡Ž’ˆ—Ž ‹ ’‘‹–‹‰ ‘—– •’‡…‹ϐ‹… •‡…—”‹–› …‘–”‘Ž• –Šƒ– ƒ”‡ ‹ ‡‡† ‘ˆ ‹’”‘˜‡‡–ǢŠ‘™‡˜‡”ǡ‘˜‡”–‹‡ǡ–Š‡‡’Šƒ•‹•ƒ†”‡•‘—”…‡•„‡‹‰ƒ’’Ž‹‡†–‘‡ƒ•—”‡‡–•Š‘—Ž† •Š‹ˆ–ƒ™ƒ›ˆ”‘–Š‡•‡‡ƒ•—”‡•ƒ†–‘™ƒ”†•‡ˆˆ‡…–‹˜‡‡••‡ƒ•—”‡•ȋ•‡‡7.3). According to ISO/IEC 27001:2013, 9.1, it is likewise important to also measure the effectiveness of –Š‡ ƒƒ‰‡‡– •›•–‡ ȋ†‹•…—••‡† ‡š–ȌǤ ‘ ‘’‡”ƒ–‡ ƒ •—‹–ƒ„Ž‡ ǡ ‘”‰ƒ‹œƒ–‹‘• •Š‘—Ž† ‡ƒ•—”‡ performance and effectiveness at planned intervals.

7.3 Effectiveness measures Effectiveness measures should be used to describe the effectiveness and impact that the realisations of the ISMS risk treatment plan and ISMS processes and controls have on the organization’s information •‡…—”‹–› ‘„Œ‡…–‹˜‡•Ǥ Š‡•‡ ‡ƒ•—”‡• •Š‘—Ž† „‡ —•‡† –‘ †‡–‡”‹‡ ™Š‡–Š‡” ’”‘…‡••‡• ƒ† ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› …‘–”‘Ž• ƒ”‡ ‘’‡”ƒ–‹‰ ƒ• ‹–‡†‡† ƒ† ƒ…Š‹‡˜‹‰ –Š‡‹” †‡•‹”‡† ‘—–…‘‡•Ǥ ‡’‡†‹‰—’‘–Š‘•‡‘„Œ‡…–‹˜‡•ǡ‡ˆˆ‡…–‹˜‡‡••‡ƒ•—”‡•…ƒ„‡—•‡†–‘“—ƒ–‹ˆ›ǡ‡Ǥ‰Ǥǣ ƒȌ …‘•–•ƒ˜‹‰•’”‘†—…‡†„›–Š‡ ‘”–Š”‘—‰Š…‘•–•‹…—””‡†ˆ”‘ƒ††”‡••‹‰‹ˆ‘”ƒ–‹‘•‡…—”‹–› ‹…‹†‡–•Ǣ „Ȍ –Š‡†‡‰”‡‡‘ˆ…—•–‘‡”–”—•–‰ƒ‹‡†Ȁƒ‹–ƒ‹‡†„›–Š‡ Ǣƒ† …Ȍ –Š‡ƒ…Š‹‡˜‡‡–‘ˆ‘–Š‡”‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘„Œ‡…–‹˜‡•Ǥ ˆˆ‡…–‹˜‡‡•• ‡ƒ•—”‡• …ƒ „‡ …”‡ƒ–‡† „› …‘„‹‹‰ †ƒ–ƒ ‘„–ƒ‹‡† ˆ”‘ ƒ—–‘ƒ–‡† ‘‹–‘”‹‰ ƒ† ‡˜ƒŽ—ƒ–‹‘–‘‘Ž•™‹–Šƒ—ƒŽŽ›Ǧ†‡”‹˜‡††ƒ–ƒƒ„‘—– ƒ…–‹˜‹–›ǤŠ‹•…ƒ”‡“—‹”‡–”ƒ…‹‰ƒ˜ƒ”‹‡–› ‘ˆ ‡ƒ•—”‡• ƒ…”‘•• –Š‡ ‘”‰ƒ‹œƒ–‹‘ ‹ ƒ ƒ‡” –Šƒ– …ƒ „‡ †‹”‡…–Ž› –‹‡† –‘ –Š‡ ƒ…–‹˜‹–‹‡• ƒ† ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‡˜‡–•Ǥ‘ƒ…Š‹‡˜‡–Š‹•ǡƒ‘”‰ƒ‹œƒ–‹‘•Š‘—Ž†Šƒ˜‡ƒ‡•–ƒ„Ž‹•Š‡†…ƒ’ƒ„‹Ž‹–›–‘ǣ d) evaluate the degree to which ISMS processes, controls, or groups of controls have been implemented –Š”‘—‰Š’‡”ˆ‘”ƒ…‡‡ƒ•—”‡•Ǣ ‡Ȍ …‘ŽŽ‡…–†ƒ–ƒˆ”‘ƒ—–‘ƒ–‡†‘‹–‘”‹‰ƒ†‡˜ƒŽ—ƒ–‹‘–‘‘Ž•Ǣ ˆȌ ƒ—ƒŽŽ›…‘ŽŽ‡…–†ƒ–ƒˆ”‘ ƒ…–‹˜‹–‹‡•Ǣ ‰Ȍ ‘”ƒŽ‹œ‡ƒ†ƒƒŽ›•‡†ƒ–ƒ‘”‹‰‹ƒ–‹‰ˆ”‘—Ž–‹’Ž‡ƒ—–‘ƒ–‡†ƒ†ƒ—ƒŽ•‘—”…‡•Ǣƒ† h) interpret and report this data to decision makers. 8



ISO/IEC 27004:2016(E)

These effectiveness measures combine information about the realisation of the risk treatment plan ™‹–Šƒ˜ƒ”‹‡–›‘ˆ‹ˆ‘”ƒ–‹‘ƒ„‘—–”‡•‘—”…‡•ƒ†…ƒ’”‘˜‹†‡‹’—–•–‘–Š‡”‹•ƒƒ‰‡‡–’”‘…‡••Ǥ Š‡›…ƒƒŽ•‘’”‘˜‹†‡–Š‡‘•–†‹”‡…–‹•‹‰Š–‹–‘–Š‡˜ƒŽ—‡‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›–‘–Š‡‘”‰ƒ‹œƒ–‹‘ and can be the ones that ought to be of most interest to top management. Example 3 š’Ž‘‹–ƒ–‹‘•‘ˆ‘™˜—Ž‡”ƒ„‹Ž‹–‹‡•ƒ”‡‘™–‘…ƒ—•‡ƒŽƒ”‰‡’‘”–‹‘‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–› ‹…‹†‡–•Ǥ Š‡ ‰”‡ƒ–‡” –Š‡ —„‡” ‘ˆ ‘™ ˜—Ž‡”ƒ„‹Ž‹–‹‡• ƒ† –Š‡ Ž‘‰‡” –Šƒ– –Š‡› ƒ”‡ ‘– ƒ††”‡••‡†ȋ‡Ǥ‰Ǥ’ƒ–…Š‡†Ȍǡ–Š‡‰”‡ƒ–‡”–Š‡’”‘„ƒ„‹Ž‹–›‘ˆ–Š‡‹”‡š’Ž‘‹–ƒ–‹‘„›ƒ••‘…‹ƒ–‡†–Š”‡ƒ–•ƒ† the greater the related risk exposure. An effectiveness measure can help an organization determine ‹–•”‹•‡š’‘•—”‡…ƒ—•‡†„›•—…Š˜—Ž‡”ƒ„‹Ž‹–‹‡•Ǥ Example 4 –”ƒ‹‹‰ …‘—”•‡ …ƒ Šƒ˜‡ •’‡…‹ϐ‹… –”ƒ‹‹‰ ‘„Œ‡…–‹˜‡• ˆ‘” ‡ƒ…Š …‘—”•‡ ‘†—Ž‡Ǥ ‡ˆˆ‡…–‹˜‡‡•• measure can help the organization to determine the extent to which each trainee has understood ‡ƒ…Š Ž‡••‘ ƒ† ‹• ƒ„Ž‡ –‘ ƒ’’Ž› –Š‡‹” ‡™ ‘™Ž‡†‰‡ ƒ† •‹ŽŽ•Ǥ Š‡•‡ ‡ƒ•—”‡• —•—ƒŽŽ› ”‡“—‹”‡ —Ž–‹’Ž‡†ƒ–ƒ’‘‹–•ǡ•—…Šƒ•ǣ”‡•—Ž–•‘ˆ’‘•–Ǧ–”ƒ‹‹‰–‡•–•Ǣ‡šƒ‹ƒ–‹‘‘ˆ‹…‹†‡–†ƒ–ƒ…‘””‡Žƒ–‡† ™‹–Š–”ƒ‹‹‰–‘’‹…•Ǣ‘”ƒƒŽ›•‹•‘ˆŠ‡Ž’†‡•…ƒŽŽ•…‘””‡Žƒ–‡†™‹–Š–”ƒ‹‹‰–‘’‹…•Ǥ


8 Processes 8.1 General ‘‹–‘”‹‰ǡ‡ƒ•—”‡‡–ǡƒƒŽ›•‹•ƒ†‡˜ƒŽ—ƒ–‹‘ȋ•‡‡ ‹‰—”‡ʹȌ…‘•‹•–•‘ˆ–Š‡ˆ‘ŽŽ‘™‹‰’”‘…‡••‡•ǣ ƒȌ ‹†‡–‹ˆ›‹ˆ‘”ƒ–‹‘‡‡†•Ǣ „Ȍ …”‡ƒ–‡ƒ†ƒ‹–ƒ‹‡ƒ•—”‡•Ǣ …Ȍ ‡•–ƒ„Ž‹•Š’”‘…‡†—”‡•Ǣ †Ȍ ‘‹–‘”ƒ†‡ƒ•—”‡Ǣ ‡Ȍ ƒƒŽ›•‡”‡•—Ž–•Ǣƒ† ˆȌ ‡˜ƒŽ—ƒ–‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‡”ˆ‘”ƒ…‡ƒ† ‡ˆˆ‡…–‹˜‡‡••Ǥ In addition, there is an ISMS management process that covers the review and improvement of the above processes, see 8.8.



9


ISO/IEC 27004:2016(E)

Figure 2 — Monitoring, measurement, analysis and evaluation processes

8.2 Identify information needs Š‡…”‡ƒ–‹‘‘ˆ‡ƒ•—”‡••Š‘—Ž†„‡‰‹™‹–Š‹†‡–‹ϐ‹…ƒ–‹‘‘ˆ‹ˆ‘”ƒ–‹‘‡‡†•ǡ™Š‹…Š…ƒƒ••‹•–‹–Š‡ —†‡”•–ƒ†‹‰‘ˆ–Š‡‘’‡”ƒ–‹‘ƒŽ…Šƒ”ƒ…–‡”‹•–‹…•ƒ†Ȁ‘”’‡”ˆ‘”ƒ…‡‘ˆƒ›ƒ•’‡…–‘ˆ–Š‡ ǡ•—…Šƒ• ƒ›‘ˆ–Š‡ˆ‘ŽŽ‘™‹‰ǣ ƒȌ ‹–‡”‡•–‡†’ƒ”–›‡‡†•Ǣ „Ȍ –Š‡•–”ƒ–‡‰‹…†‹”‡…–‹‘‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘Ǣ …Ȍ ‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‘Ž‹…›ƒ†‘„Œ‡…–‹˜‡•Ǣƒ† d) the risk treatment plan. Š‡ˆ‘ŽŽ‘™‹‰ƒ…–‹˜‹–‹‡••Š‘—Ž†„‡’‡”ˆ‘”‡†–‘‹†‡–‹ˆ›”‡Ž‡˜ƒ–‹ˆ‘”ƒ–‹‘‡‡†•ǣ e)

examine the ISMS, its processes and other elements such as: ͳȌ ‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‘Ž‹…›ƒ†‘„Œ‡…–‹˜‡•ǡ…‘–”‘Ž‘„Œ‡…–‹˜‡•ƒ†…‘–”‘Ž•Ǣ ʹȌ Ž‡‰ƒŽǡ”‡‰—Žƒ–‘”›ǡ…‘–”ƒ…–—ƒŽƒ†‘”‰ƒ‹œƒ–‹‘ƒŽ”‡“—‹”‡‡–•ˆ‘”‹ˆ‘”ƒ–‹‘•‡…—”‹–›Ǣƒ† ͵Ȍ –Š‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›”‹•ƒƒ‰‡‡–’”‘…‡••‘—–…‘‡•Ǥ

ˆȌ ’”‹‘”‹–‹œ‡–Š‡‹†‡–‹ϐ‹‡†‹ˆ‘”ƒ–‹‘‡‡†•„ƒ•‡†‘…”‹–‡”‹ƒǡ•—…Šƒ•ǣ ͳȌ ”‹•–”‡ƒ–‡–’”‹‘”‹–‹‡•Ǣ 10



ISO/IEC 27004:2016(E)

ʹȌ …ƒ’ƒ„‹Ž‹–‹‡•ƒ†”‡•‘—”…‡•‘ˆƒ‘”‰ƒ‹œƒ–‹‘Ǣ ͵Ȍ ‹–‡”‡•–‡†’ƒ”–›‡‡†•Ǣ ͶȌ –Š‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‘Ž‹…›ƒ†‘„Œ‡…–‹˜‡•ǡƒ†…‘–”‘Ž‘„Œ‡…–‹˜‡•Ǣ ͷȌ ‹ˆ‘”ƒ–‹‘”‡“—‹”‡†–‘‡‡–‘”‰ƒ‹œƒ–‹‘ƒŽǡŽ‡‰ƒŽǡ”‡‰—Žƒ–‘”›ǡƒ†…‘–”ƒ…–—ƒŽ‘„Ž‹‰ƒ–‹‘•Ǣƒ† ͸Ȍ –Š‡˜ƒŽ—‡‘ˆ–Š‡‹ˆ‘”ƒ–‹‘–‘„‡‘„–ƒ‹‡†‹”‡Žƒ–‹‘–‘–Š‡…‘•–‘ˆ‡ƒ•—”‡‡–Ǣ g) select a subset of information needs required to be addressed in measurement activities from the ’”‹‘”‹–‹œ‡†Ž‹•–Ǣƒ† h) document and communicate the selected information needs to all relevant interested parties.

8.3 Create and maintain measures 8.3.1

General

”‰ƒ‹œƒ–‹‘• •Š‘—Ž† …”‡ƒ–‡ ‡ƒ•—”‡• ‘…‡ ƒ† –Š‡”‡ƒˆ–‡” ”‡˜‹‡™ ƒ† •›•–‡ƒ–‹…ƒŽŽ› —’†ƒ–‡ –Š‡•‡ measures at planned intervals or when the ISMS’s environment undergoes substantial changes. Such changes can include, among others:


ƒȌ –Š‡•…‘’‡‘ˆ–Š‡ Ǣ „Ȍ ‘”‰ƒ‹œƒ–‹‘ƒŽ•–”—…–—”‡Ǣ …Ȍ ‹–‡”‡•–‡†’ƒ”–‹‡•‹…Ž—†‹‰‹–‡”‡•–‡†’ƒ”–›”‘Ž‡•ǡ”‡•’‘•‹„‹Ž‹–‹‡•ƒ†ƒ—–Š‘”‹–‹‡•Ǣ †Ȍ „—•‹‡••‘„Œ‡…–‹˜‡•ƒ†”‡“—‹”‡‡–•Ǣ ‡Ȍ Ž‡‰ƒŽƒ†”‡‰—Žƒ–‘”›”‡“—‹”‡‡–•Ǣ ˆȌ ƒ…Š‹‡˜‡‡–‘ˆ†‡•‹”‡†ƒ†•–ƒ„Ž‡”‡•—Ž–•ˆ‘”•‡˜‡”ƒŽ•—„•‡“—‡–…›…Ž‡•Ǣƒ† ‰Ȍ ‹–”‘†—…–‹‘‘”†‹•’‘•‹–‹‘‘ˆ‹ˆ‘”ƒ–‹‘’”‘…‡••‹‰–‡…Š‘Ž‘‰‹‡•ƒ†•›•–‡•Ǥ Creating or updating such measures can include, among others, the followings steps: ŠȌ ‹†‡–‹ˆ›…—””‡–•‡…—”‹–›’”ƒ…–‹…‡•–Šƒ–…ƒ•—’’‘”–‹ˆ‘”ƒ–‹‘‡‡†•Ǣ ‹Ȍ †‡˜‡Ž‘’‘”—’†ƒ–‡‡ƒ•—”‡•Ǣ ŒȌ †‘…—‡–‡ƒ•—”‡•ƒ††‡ϐ‹‡‹’Ž‡‡–ƒ–‹‘’”‹‘”‹–›Ǣƒ† k) keep management informed and engaged. Updating measures is expected to take less time and effort than the initial creation. 8.3.2

Identify current security practices that can information needs

…‡ ƒ ‹ˆ‘”ƒ–‹‘ ‡‡† ‹• ‹†‡–‹ϐ‹‡†ǡ ‘”‰ƒ‹œƒ–‹‘• •Š‘—Ž† ‹˜‡–‘”› ‡š‹•–‹‰ ‡ƒ•—”‡‡– ƒ† •‡…—”‹–› ’”ƒ…–‹…‡• ƒ• ƒ ’‘–‡–‹ƒŽ …‘’‘‡– ‘ˆ ‡ƒ•—”‡‡–Ǥ š‹•–‹‰ ‡ƒ•—”‡‡– ƒ† •‡…—”‹–› practices can include measurement associated with: ƒȌ ”‹•ƒƒ‰‡‡–Ǣ „Ȍ ’”‘Œ‡…–ƒƒ‰‡‡–Ǣ …Ȍ …‘’Ž‹ƒ…‡”‡’‘”–‹‰Ǣƒ† †Ȍ •‡…—”‹–›’‘Ž‹…‹‡•Ǥ



11

ISO/IEC 27004:2016(E)

8.3.3

Develop or update measures

‡ƒ•—”‡• •Š‘—Ž† ”‡•’‘† –‘ –Š‡ ‹ˆ‘”ƒ–‹‘ ‡‡†Ǥ Š‡› …ƒ ”‡Ž› ‘ –Š‡ …—””‡– ’”ƒ…–‹…‡• ‘” –Š‡› ‡‡† ‡™ ‘‡•Ǥ ‡™Ž› ‹†‡–‹ϐ‹‡† ‡ƒ•—”‡• …ƒ ƒŽ•‘ ‹˜‘Ž˜‡ ƒ ƒ†ƒ’–ƒ–‹‘ ‘ˆ ‡š‹•–‹‰ ‡ƒ•—”‡• ‘” ‡ƒ•—”‡‡–’”‘…‡••‡•Ǥ ƒ›…ƒ•‡ǡ–Š‡‹†‡–‹ϐ‹‡†‡ƒ•—”‡••Š‘—Ž†„‡†‡ϐ‹‡†‹•—ˆϐ‹…‹‡–†‡–ƒ‹Ž–‘ enable these measures to be implemented. šƒ’Ž‡•‘ˆ†ƒ–ƒ–Šƒ–…ƒ„‡…‘ŽŽ‡…–‡†–‘•—’’‘”–•‡…—”‹–›‡ƒ•—”‡•‹…Ž—†‡ǣ ƒȌ ‘—–’—–‘ˆ˜ƒ”‹‘—•Ž‘‰•ƒ†•…ƒ•Ǣ „Ȍ •–ƒ–‹•–‹…•‘–”ƒ‹‹‰ƒ†‘–Š‡”Š—ƒ”‡•‘—”…‡ƒ…–‹˜‹–‹‡•Ǣ …Ȍ ”‡Ž‡˜ƒ–•—”˜‡›•ƒ†“—‡•–‹‘ƒ‹”‡•Ǣ †Ȍ ‹…‹†‡–•–ƒ–‹•–‹…•Ǣ ‡Ȍ ”‡•—Ž–•‘ˆ‹–‡”ƒŽƒ—†‹–•Ǣ ˆȌ ”‡•—Ž–•‘ˆ„—•‹‡••…‘–‹—‹–›Ȁ†‹•ƒ•–‡””‡…‘˜‡”›‡š‡”…‹•‡•Ǣƒ† g) reports from management reviews.


These and other potential sources of data, which can be of either of internal or external origin, should „‡‡šƒ‹‡†ƒ†–›’‡•‘ˆƒ˜ƒ‹Žƒ„Ž‡†ƒ–ƒ‹†‡–‹ϐ‹‡†Ǥ Š‡•‡Ž‡…–‡†‡ƒ•—”‡••Š‘—Ž†•—’’‘”––Š‡’”‹‘”‹–›‘ˆ–Š‡‹ˆ‘”ƒ–‹‘‡‡†•ƒ†…ƒ…‘•‹†‡”ǣ ŠȌ ‡ƒ•‡‘ˆ†ƒ–ƒ…‘ŽŽ‡…–‹‘Ǣ ‹Ȍ ƒ˜ƒ‹Žƒ„‹Ž‹–›‘ˆŠ—ƒ”‡•‘—”…‡•–‘…‘ŽŽ‡…–ƒ†ƒƒ‰‡†ƒ–ƒǢ ŒȌ ƒ˜ƒ‹Žƒ„‹Ž‹–›‘ˆƒ’’”‘’”‹ƒ–‡–‘‘Ž•Ǣ Ȍ —„‡”‘ˆ’‘–‡–‹ƒŽŽ›”‡Ž‡˜ƒ–’‡”ˆ‘”ƒ…‡‹†‹…ƒ–‘”••—’’‘”–‡†„›–Š‡‡ƒ•—”‡Ǣ ŽȌ ‡ƒ•‡‘ˆ‹–‡”’”‡–ƒ–‹‘Ǣ Ȍ —„‡”‘ˆ—•‡”•‘ˆ†‡˜‡Ž‘’‡†‡ƒ•—”‡‡–”‡•—Ž–•Ǣ Ȍ ‡˜‹†‡…‡•Š‘™‹‰–Š‡‡ƒ•—”‡ǯ•ϐ‹–‡••ˆ‘”’—”’‘•‡‘”‹ˆ‘”ƒ–‹‘‡‡†Ǣƒ† ‘Ȍ …‘•–•‘ˆ…‘ŽŽ‡…–‹‰ǡƒƒ‰‹‰ǡƒ†ƒƒŽ›•‹‰–Š‡†ƒ–ƒǤ Organizations should document each measure in a form that ties the measure to the relevant ‹ˆ‘”ƒ–‹‘‡‡†ȋ‘”‡‡†•Ȍƒ†’”‘˜‹†‡••—ˆϐ‹…‹‡–‹ˆ‘”ƒ–‹‘ƒ„‘—––Š‡…Šƒ”ƒ…–‡”‹•–‹…•†‡•…”‹„‹‰ –Š‡‡ƒ•—”‡ƒ†Š‘™–‘…‘ŽŽ‡…–ǡƒƒŽ›•‡ǡƒ†”‡’‘”–‹–Ǥ—‰‰‡•–‡†‹ˆ‘”ƒ–‹‘†‡•…”‹’–‘”•ƒ”‡’”‘˜‹†‡† in Table 1. The examples in Annex B use Table 1 as a template. Two examples have an additional information †‡•…”‹’–‘”ȋ…ƒŽŽ‡†ǲƒ…–‹‘ǳȌǡ™Š‹…Š†‡ϐ‹‡•–Š‡ƒ…–‹‘–‘„‡–ƒ‡‹–Š‡‡˜‡––Šƒ––Š‡–ƒ”‰‡–‹•‘–‡–Ǥ ”‰ƒ‹œƒ–‹‘•ƒ›‹…Ž—†‡–Š‹•‹ˆ‘”ƒ–‹‘†‡•…”‹’–‘”‹ˆ–Š‡›…‘•‹†‡”‹–—•‡ˆ—ŽǤŠ‡”‡‹•‘•‹‰Ž‡™ƒ› –‘•’‡…‹ˆ›•—…Š‡ƒ•—”‡‡–…‘•–”—…–•ƒ†Annex C demonstrates an alternative free-form approach. – •Š‘—Ž† „‡ ‘–‡† –Šƒ– †‹ˆˆ‡”‡– ‡ƒ•—”‡• ƒ› ‡‡† –‘ „‡ ’”‘˜‹†‡† –‘ ‡‡– –Š‡ ‡‡†• ‘ˆ †‹ˆˆ‡”‡– measurement clients (see Table 1), which can be internal or external. For example, measures for ƒ††”‡••‹‰ –‘’ ƒƒ‰‡‡– ‹ˆ‘”ƒ–‹‘ ‡‡†• …ƒ †‹ˆˆ‡” ˆ”‘ –Š‘•‡ ˆ‘” •›•–‡ ƒ†‹‹•–”ƒ–‘” …‘•—’–‹‘ȋ‡Ǥ‰Ǥ‡‹–Š‡”‹–‡”‡•–‡†’ƒ”–›…ƒŠƒ˜‡ƒ•’‡…‹ϐ‹…”ƒ‰‡‘”ˆ‘…—•ǡ‘”‰”ƒ—Žƒ”‹–›ȌǤ Each measure should correspond to, at least, one information need, while a single information need might require several measures. ”‰ƒ‹œƒ–‹‘••Š‘—Ž†–ƒ‡…ƒ”‡™Š‡—•‹‰•—„Œ‡…–‹˜‡‡ƒ•—”‡•ƒ•‡ƒ•—”‡•ˆ‘”‡†„›…‘„‹‹‰–™‘ ‘”‘”‡•—„Œ‡…–‹˜‡‡ƒ•—”‡•…ƒƒ†˜‡”•‡Ž›ƒˆˆ‡…––Š‡ϐ‹ƒŽ”‡•—Ž–Ǥ 12



ISO/IEC 27004:2016(E)

Table 1 — Example security measure descriptors


Information descriptor

Meaning or purpose

Measure ID

’‡…‹ϐ‹…‹†‡–‹ϐ‹‡”Ǥ

Information need

Over-arching need for understanding to which the measure contributes.

Measure

–ƒ–‡‡–‘ˆ‡ƒ•—”‡‡–ǡ‰‡‡”ƒŽŽ›†‡•…”‹„‡†—•‹‰ƒ™‘”†•—…Šƒ•ǲ’‡”…‡–ƒ‰‡ǳǡ ǲ—„‡”ǳǡǲˆ”‡“—‡…›ǳƒ†ǲƒ˜‡”ƒ‰‡ǳǤ

Formula/scoring

How the measure should be evaluated, calculated or scored.

Target

Desired result of the measurement, e.g., a milestone or a statistical measure or a set of thresholds. Note that ongoing monitoring can be required to ensure continued attainment of the target.

Implementation evidence

˜‹†‡…‡–Šƒ–˜ƒŽ‹†ƒ–‡•–Šƒ––Š‡‡ƒ•—”‡‡–‹•’‡”ˆ‘”‡†ǡŠ‡Ž’•‹†‡–‹ˆ›’‘••‹„Ž‡…ƒ—•‡• of poor results, and provides input to the process. Data to provide input into the formula.

”‡“—‡…›

‘™ˆ”‡“—‡–Ž›–Š‡†ƒ–ƒ•Š‘—Ž†„‡…‘ŽŽ‡…–‡†ƒ†”‡’‘”–‡†ǤŠ‡”‡…ƒ„‡ƒ”‡ƒ•‘ˆ‘”Šƒ˜‹‰ multiple frequencies.

Responsible parties

The person responsible for gathering and processing the measure. At the least, an ˆ‘”ƒ–‹‘™‡”ǡ ˆ‘”ƒ–‹‘‘ŽŽ‡…–‘”ƒ†‡ƒ•—”‡‡–Ž‹‡–•Š‘—Ž†„‡‹†‡–‹ϐ‹‡†Ǥ

Data source

Potential data sources can be databases, tracking tools, other parts of, the organization, ‡š–‡”ƒŽ‘”‰ƒ‹œƒ–‹‘•ǡ‘”•’‡…‹ϐ‹…‹†‹˜‹†—ƒŽ”‘Ž‡•Ǥ

Reporting format

‘™–Š‡‡ƒ•—”‡•Š‘—Ž†„‡…‘ŽŽ‡…–‡†ƒ†”‡’‘”–‡†ǡ‡Ǥ‰Ǥǡƒ•–‡š–ǡ—‡”‹…ƒŽŽ›ǡ‰”ƒ’Š‹…ƒŽŽ›ȋ’‹‡ chart, line chart, bar graph etc.), as part of a ‘dashboard’ or another form of presentation.

– ‹• ˜‡”› ‹’‘”–ƒ– –‘ †‡ϐ‹‡ ‡ƒ•—”‡• ‹ •—…Š ™ƒ› ƒ• –‘ …‘ŽŽ‡…– †ƒ–ƒ ‘…‡ ƒ† —•‡ ‹– ˆ‘” —Ž–‹’Ž‡ ’—”’‘•‡•Ǥ †‡ƒŽŽ›ǡ –Š‡ •ƒ‡ †ƒ–ƒ •Š‘—Ž† •—’’‘”– ƒ ˜ƒ”‹‡–› ‘ˆ ‡ƒ•—”‡• –Šƒ– …ƒ ”‡•’‘† –‘ †‹ˆˆ‡”‡– interested parties’ information needs. Note also that what is easiest to measure need not be most meaningful or most relevant. ƒ”‰‡–••Š‘—Ž†•–ƒ–‡–Š‡†‡•‹”‡†‡†•–ƒ–‡•ˆ‘”•’‡…‹ϐ‹…‡ƒ•—”‡•™‹–Š”‡•’‡…––‘–Š‡ ’”‘…‡••‡• ƒ†…‘–”‘Ž•ǡ–Š‡ƒ…Š‹‡˜‡‡–‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘„Œ‡…–‹˜‡•ǡƒ†ˆ‘”–Š‡‡ˆˆ‡…–‹˜‡‡••‘ˆ–Š‡ to be evaluated. Establishment of targets can be facilitated if historic data that pertains to developed or selected measures is available. Trends observed in the past can in some cases provide insight into ranges of ’‡”ˆ‘”ƒ…‡ –Šƒ– Šƒ˜‡ ‡š‹•–‡† ’”‡˜‹‘—•Ž› ƒ† ‰—‹†‡ –Š‡ …”‡ƒ–‹‘ ‘ˆ ”‡ƒŽ‹•–‹… –ƒ”‰‡–•Ǥ ‘™‡˜‡”ǡ organizations should be cautioned that without due consideration, setting targets based upon what ™ƒ• ’”‡˜‹‘—•Ž› ƒ…Š‹‡˜‡† ‘” ’”‡˜‹‘—• ’‡”ˆ‘”ƒ…‡ …ƒ ƒŽ•‘ ’‡”’‡–—ƒ–‡ ƒ •–ƒ–—• “—‘ ‘” ‡˜‡ ‹’‡†‡ continual improvement. 8.3.4

Document measures and prioritize for implementation

‘ŽŽ‘™‹‰†‡ϐ‹‹–‹‘‘ˆ–Š‡”‡“—‹”‡†‡ƒ•—”‡•ǡ–Š‡‹”…‘’‹Žƒ–‹‘•Š‘—Ž†„‡†‘…—‡–‡†ƒ†’”‹‘”‹–‹œ‡† ˆ‘”‹’Ž‡‡–ƒ–‹‘„ƒ•‡†‘–Š‡’”‹‘”‹–›‘ˆ‡ƒ…Š‹ˆ‘”ƒ–‹‘‡‡†ƒ†ˆ‡ƒ•‹„‹Ž‹–›‘ˆ‘„–ƒ‹‹‰–Š‡†ƒ–ƒǤ ‡”ˆ‘”ƒ…‡‡ƒ•—”‡••Š‘—Ž†„‡‹’Ž‡‡–‡†ϐ‹”•––‘‡•—”‡–Šƒ– ’”‘…‡••‡•ƒ†…‘–”‘Ž•Šƒ˜‡ been implemented. Once performance measures are producing targeted values, effectiveness measures can be implemented as well. See also 6.4 for guidance on when to perform monitoring and related activities. 8.3.5

Keep management informed and engaged

Management on different organizational levels needs to be involved in developing and implementing ‡ƒ•—”‡•ǡ•‘–Šƒ––Š‡‡ƒ•—”‡•”‡ϐŽ‡…–ƒƒ‰‡‡–ǯ•‡‡†•Ǥ —”–Š‡”‘”‡ǡƒƒ‰‡‡–•Š‘—Ž†”‡…‡‹˜‡ ”‡‰—Žƒ”—’†ƒ–‡•‹ƒ’’”‘’”‹ƒ–‡ˆ‘”ƒ–•ƒ†•–›Ž‡•ǡ–‘‡•—”‡–Šƒ–‹–”‡ƒ‹•‹ˆ‘”‡†…‘…‡”‹‰–Š‡ •‡…—”‹–› ‡ƒ•—”‡‡– ƒ…–‹˜‹–‹‡• –Š”‘—‰Š‘—– –Š‡ ’”‘…‡•• ‘ˆ ‡ƒ•—”‡• †‡˜‡Ž‘’‡–ǡ ‹’Ž‡‡–ƒ–‹‘ and application.



13

ISO/IEC 27004:2016(E)

8.4 Establish procedures ‘‹’Ž‡‡–†‡ϐ‹‡†ƒ†’”‹‘”‹–‹œ‡†‡ƒ•—”‡•–Š‡ˆ‘ŽŽ‘™‹‰•–‡’••Š‘—Ž†„‡–ƒ‡ǣ ƒȌ ‹–‡”‡•–‡† ’ƒ”–‹‡• ™Š‘ •Š‘—Ž† „‡ ’ƒ”–‹…‹’ƒ–‹‰ ‹ –Š‡ •‡…—”‹–› ‡ƒ•—”‡‡– ’”‘…‡•• •Š‘—Ž† „‡ ƒ†‡ƒ™ƒ”‡‘ˆ‡ƒ•—”‡‡–ƒ…–‹˜‹–‹‡•ƒ†–Š‡”ƒ–‹‘ƒŽ‡„‡Š‹†‹–Ǣƒ† „Ȍ †ƒ–ƒ…‘ŽŽ‡…–‹‘ƒ†ƒƒŽ›•‹•–‘‘Ž••Š‘—Ž†„‡‹†‡–‹ϐ‹‡†ƒ†ǡ‹ˆ‡‡†‡†ǡ‘†‹ϐ‹‡†ǡ–‘‡ˆˆ‡…–‹˜‡Ž›ƒ† ‡ˆϐ‹…‹‡–Ž›‰ƒ–Š‡”‡ƒ•—”‡•Ǥ ”‰ƒ‹œƒ–‹‘••Š‘—Ž†‡•–ƒ„Ž‹•Š’”‘…‡†—”‡•ˆ‘”†ƒ–ƒ…‘ŽŽ‡…–‹‘ǡƒƒŽ›•‹•ǡƒ†”‡’‘”–‹‰‘ˆ‡ƒ•—”‡•ǡˆ‘” ‡šƒ’Ž‡„›ǣ …Ȍ †ƒ–ƒ…‘ŽŽ‡…–‹‘ǡ‹…Ž—†‹‰•‡…—”‡†ƒ–ƒ•–‘”ƒ‰‡ƒ†˜‡”‹ϐ‹…ƒ–‹‘ǤŠ‡’”‘…‡†—”‡••Š‘—Ž††‡ϐ‹‡Š‘™ †ƒ–ƒ‹•…‘ŽŽ‡…–‡†ǡ•–‘”‡†ǡ˜‡”‹ϐ‹‡†ƒ†™Š‹…Š…‘–‡š–‹ˆ‘”ƒ–‹‘‹•‡…‡••ƒ”›ˆ‘”ˆ—”–Š‡”’”‘…‡••‹‰Ǥ ƒ–ƒ˜‡”‹ϐ‹…ƒ–‹‘…ƒ„‡’‡”ˆ‘”‡†„›ƒ’’Ž›‹‰•—…Š–‡…Š‹“—‡•ƒ•ǣ ͳȌ ‡•—”‹‰ƒ˜ƒŽ—‡Ž‹‡•™‹–Š‹ƒ”ƒ‰‡‘ˆ’‘••‹„Ž‡˜ƒŽ—‡•Ǣ ʹȌ …Š‡…‹‰ƒ‰ƒ‹•–ƒŽ‹•–‘ˆ‡š’‡…–‡†˜ƒŽ—‡•Ǣƒ† 3) capturing contextual information, e.g., the time at which a datum was collected.


†Ȍ †ƒ–ƒ ƒƒŽ›•‹• ƒ† ”‡’‘”–‹‰ ‘ˆ ƒƒŽ›•‹• ‘ˆ ‡ƒ•—”‡•Ǥ Š‡ ’”‘…‡†—”‡• •Š‘—Ž† •’‡…‹ˆ› –Š‡ †ƒ–ƒ ƒƒŽ›•‹•–‡…Š‹“—‡•ƒ†–Š‡ˆ”‡“—‡…›ˆ‘””‡’‘”–‹‰–Š‡”‡•—Ž–‹‰‡ƒ•—”‡•Ǣ e)

reporting methods and formats, which can include: ͳȌ •…‘”‡…ƒ”†•–‘’”‘˜‹†‡•–”ƒ–‡‰‹…‹ˆ‘”ƒ–‹‘„›‹–‡‰”ƒ–‹‰Š‹‰ŠǦŽ‡˜‡Ž’‡”ˆ‘”ƒ…‡‹†‹…ƒ–‘”•Ǣ Š‡•‡ƒ›„‡–‡”‡†Ǯ‡›’‡”ˆ‘”ƒ…‡‹†‹…ƒ–‘”•ǯȋ•‡‡–Š‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›‡ƒ•—”‡‡– model in Annex A).

ʹȌ ‡š‡…—–‹˜‡ƒ†‘’‡”ƒ–‹‘ƒŽ†ƒ•Š„‘ƒ”†•ˆ‘…—•‡†‘•–”ƒ–‡‰‹…‘„Œ‡…–‹˜‡•ǡ”ƒ–Š‡”–Šƒ‘•’‡…‹ϐ‹… …‘–”‘Ž•ƒ†’”‘…‡••‡•Ǣ ͵Ȍ ”‡’‘”–‹‰ˆ‘”ƒ–•”ƒ‰‹‰ˆ”‘•‹’Ž‡ƒ†•–ƒ–‹…•–›Ž‡•ǡ•—…Šƒ•ƒŽ‹•–‘ˆ‡ƒ•—”‡•ˆ‘”ƒ‰‹˜‡ time period, to more sophisticated cross-referencing reports with nested groupings, rolling •—ƒ”‹‡•ǡƒ††›ƒ‹…†”‹ŽŽǦ–Š”‘—‰Š‘”Ž‹‹‰Ǥ‡’‘”–•…ƒ„‡‘”‡—•‡ˆ—Ž™Š‡–Š‡”‡‹•ƒ ‡‡†–‘’”‡•‡–‹–‡”‡•–‡†’ƒ”–‹‡•™‹–Š”ƒ™†ƒ–ƒ‹ƒ‡ƒ•›Ǧ–‘Ǧ”‡ƒ†ˆ‘”ƒ–Ǣƒ† ͶȌ ‰ƒ—‰‡• –‘ ”‡’”‡•‡– †›ƒ‹… ˜ƒŽ—‡• ‹…Ž—†‹‰ ƒŽ‡”–•ǡ ƒ††‹–‹‘ƒŽ ‰”ƒ’Š‹…ƒŽ ‡Ž‡‡–• ƒ† labelling of end-points.

8.5 Monitor and measure ”‘…‡†—”‡•ˆ‘”‘‹–‘”‹‰ƒ†‡ƒ•—”‡‡–ƒ……‘’Ž‹•Š‡†„›‡‹–Š‡”ƒ—ƒŽ‘”ƒ—–‘ƒ–‡†‡ƒ•ǡƒ† ˆ‘” •–‘”ƒ‰‡ ƒ† ˜‡”‹ϐ‹…ƒ–‹‘ǡ •Š‘—Ž† „‡ †‡ϐ‹‡†Ǥ ƒ–ƒ ˜‡”‹ϐ‹…ƒ–‹‘ …ƒ „‡ ’‡”ˆ‘”‡† „› “—ƒŽ‹ˆ›‹‰ –Š‡ †ƒ–ƒ…‘ŽŽ‡…–‡†ƒ‰ƒ‹•–ƒ…Š‡…Ž‹•––‘‡•—”‡–Šƒ––Š‡‡ˆˆ‡…–•‘–Š‡ƒƒŽ›•‹•‘ˆ‹••‹‰†ƒ–ƒƒ”‡‹‹ƒŽ ƒ†–Šƒ––Š‡˜ƒŽ—‡•ƒ”‡…‘””‡…–‘”™‹–Š‹”‡…‘‰‹œ‡†„‘—†•Ǥ ‘”–Š‡’—”’‘•‡‘ˆƒƒŽ›•‹‰ǡ•—ˆϐ‹…‹‡– †ƒ–ƒ•Š‘—Ž†„‡…‘ŽŽ‡…–‡†–‘‡•—”‡–Šƒ––Š‡”‡•—Ž–•‘ˆƒƒŽ›•‹•ƒ”‡”‡Ž‹ƒ„Ž‡Ǥ ”‰ƒ‹œƒ–‹‘• •Š‘—Ž† …‘ŽŽ‡…–ǡ ƒƒŽ›•‡ǡ ‡˜ƒŽ—ƒ–‡ ƒ† ”‡’‘”– ‡ƒ•—”‡• –‘ ”‡Ž‡˜ƒ– ‹–‡”‡•–‡† ’ƒ”–‹‡• ™‹–Š‡•–ƒ„Ž‹•Š‡†’‡”‹‘†‹…‹–›ǤŠ‡ƒ›‘ˆ–Š‡…‘†‹–‹‘••–ƒ–‡†‹8.3.1 occur, the organization should …‘•‹†‡”—’†ƒ–‹‰‹–•‘‹–‘”‹‰ǡ‡ƒ•—”‡‡–ǡƒƒŽ›•‹•ǡƒ†‡˜ƒŽ—ƒ–‹‘’”‘…‡••‡•Ǥ Prior to publishing information in reports, dashboards, etc., the organization should determine how …‘ŽŽ‡…–‡††ƒ–ƒƒ†”‡•—Ž–•…ƒ„‡•Šƒ”‡†ǡƒ†™‹–Š™Š‘ǡƒ••‘‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›Ǧ”‡Žƒ–‡††ƒ–ƒ …ƒ„‡•‡•‹–‹˜‡ˆ”‘ƒ…‘ϐ‹†‡–‹ƒŽ‹–›’‡”•’‡…–‹˜‡Ǥ

14



ISO/IEC 27004:2016(E)

‘”‡‘˜‡”ǡ–Š‡”‡‹•„‡‡ϐ‹––‘Šƒ˜‹‰ƒ’”‘…‡••–‘…Š‡…ƒ†‡˜ƒŽ—ƒ–‡–Š‡…‘ŽŽ‡…–‹‘’”‘…‡••–‘…‘ϐ‹” –Šƒ––Š‡”‹‰Š–‡ƒ•—”‡•ƒ”‡„‡‹‰…‘ŽŽ‡…–‡†ƒ†‹ƒƒ‡”•—…Š–Šƒ––Š‡›ƒ”‡”‡’‡ƒ–ƒ„Ž‡ǡ’”‡…‹•‡ƒ† consistent.

8.6 Analyse results ‘ŽŽ‡…–‡††ƒ–ƒ•Š‘—Ž†„‡ƒƒŽ›•‡†‹”‡Žƒ–‹‘–‘–Š‡–ƒ”‰‡–ˆ‘”‡ƒ…Š‹†‹˜‹†—ƒŽ‡ƒ•—”‡Ǥ —‹†ƒ…‡ˆ‘” ’‡”ˆ‘”‹‰•–ƒ–‹•–‹…ƒŽƒƒŽ›•‹•…ƒ„‡ˆ‘—†‹ ȀͳͲͲͳ͹Ǥ Š‡ †ƒ–ƒ ƒƒŽ›•‹• ”‡•—Ž–• •Š‘—Ž† „‡ ‹–‡”’”‡–‡†Ǥ Š‡ ’‡”•‘ ƒƒŽ›•‹‰ –Š‡ ”‡•—Ž–• ȋ…‘—‹…ƒ–‘”Ȍ should be able to draw some initial conclusions based on the results. However, since the communicator(s) ‹‰Š–‘–„‡†‹”‡…–Ž›‹˜‘Ž˜‡†‹–Š‡–‡…Š‹…ƒŽƒ†ƒƒ‰‡‡–’”‘…‡••‡•ǡ•—…Š…‘…Ž—•‹‘•‡‡†–‘„‡ ”‡˜‹‡™‡† „› ‘–Š‡” ‹–‡”‡•–‡† ’ƒ”–‹‡•Ǥ ŽŽ ‹–‡”’”‡–ƒ–‹‘• •Š‘—Ž† –ƒ‡ ‹–‘ ƒ……‘—– –Š‡ …‘–‡š– ‘ˆ –Š‡ measures. ƒ–ƒ ƒƒŽ›•‹• •Š‘—Ž† ‹†‡–‹ˆ› ‰ƒ’• „‡–™‡‡ –Š‡ ‡š’‡…–‡† ƒ† ƒ…–—ƒŽ ‡ƒ•—”‡‡– ”‡•—Ž–• ‘ˆ ƒ ‹’Ž‡‡–‡† ǡ…‘–”‘Ž•‘”‰”‘—’•‘ˆ…‘–”‘Ž•Ǥ †‡–‹ϐ‹‡†‰ƒ’•…ƒ’‘‹––‘‡‡†•ˆ‘”‹’”‘˜‹‰–Š‡ ‹’Ž‡‡–‡† ǡ‹…Ž—†‹‰‹–••…‘’‡ǡ’‘Ž‹…‹‡•ǡ‘„Œ‡…–‹˜‡•ǡ…‘–”‘Ž•ǡ’”‘…‡••‡•ƒ†’”‘…‡†—”‡•Ǥ

8.7 Evaluate information security performance and ISMS effectiveness In accordance with 5.2, organizations should: Normen--Beuth-Max Planck Gesellschaft zur Förderung der Wissenschaften-KdNr.7926956-LfNr.7894926001-2017-03-17 13:49

a)

express their information needs in of the organization’s questions concerning information •‡…—”‹–›’‡”ˆ‘”ƒ…‡ƒ† ‡ˆˆ‡…–‹˜‡‡••Ǣƒ†

b) express their measures in of those information needs. – –Š‡”‡ˆ‘”‡ ˆ‘ŽŽ‘™• –Šƒ– –Š‡ ƒƒŽ›•‹• ‘ˆ –Š‡ ”‡•—Ž–• ‘ˆ ‘‹–‘”‹‰ ƒ† ‡ƒ•—”‡‡– ™‹ŽŽ ’”‘˜‹†‡ †ƒ–ƒ ™Š‹…Š …ƒ „‡ —•‡† –‘ •ƒ–‹•ˆ› –Š‡ ‹ˆ‘”ƒ–‹‘ ‡‡†• ȋ•‡‡ Annex A). Evaluation is the process of ‹–‡”’”‡–‹‰ –Šƒ– †ƒ–ƒ –‘ ƒ•™‡” –Š‡ ‘”‰ƒ‹œƒ–‹‘ǯ• ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› ’‡”ˆ‘”ƒ…‡ ƒ† effectiveness questions.

8.8 Review and improve monitoring, measurement, analysis and evaluation processes ‘‹–‘”‹‰ǡ ‡ƒ•—”‡‡–ǡ ƒƒŽ›•‹•ǡ ƒ† ‡˜ƒŽ—ƒ–‹‘ ’”‘…‡••‡• •Š‘—Ž† …‘–‹—ƒŽŽ› ‹’”‘˜‡ ™‹–Š –Š‡ needs of the ISMS. Continual improvement activities can include, among other things: ƒȌ •‘Ž‹…‹–‹‰ˆ‡‡†„ƒ…ˆ”‘‹–‡”‡•–‡†’ƒ”–‹‡•Ǣ „Ȍ ”‡˜‹•‹‰…‘ŽŽ‡…–‹‘ƒ†ƒƒŽ›•‹•–‡…Š‹“—‡•ǡ„ƒ•‡†‘Ž‡••‘•Ž‡ƒ”‡†ƒ†‘–Š‡”ˆ‡‡†„ƒ…Ǣ …Ȍ ”‡˜‹•‹‰‹’Ž‡‡–ƒ–‹‘’”‘…‡†—”‡•Ǣƒ† †Ȍ ‹ˆ‘”ƒ–‹‘•‡…—”‹–›„‡…Šƒ”‹‰†ƒ–ƒǤ

8.9 Retain and communicate documented information ‘”†‡” –‘ ˆ—Žϐ‹Ž –Š‡ ”‡“—‹”‡‡–• ‘ˆ Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡ ͻǤͳǡ ‹– ‹• ‘Ž› ‡…‡••ƒ”› ˆ‘” ‘”‰ƒ‹œƒ–‹‘• to retain documented information as evidence of the organization’s monitoring and measurements. ”‰ƒ‹œƒ–‹‘•ƒ”‡ƒ–Ž‹„‡”–›–‘†‡…‹†‡™Šƒ–‹•ƒ’’”‘’”‹ƒ–‡Ǥ”‰ƒ‹œƒ–‹‘•…ƒǡˆ‘”‡šƒ’Ž‡ǡ†‘…—‡– –Š‡’”‘…‡••ƒ†–Š‡‡–Š‘†•—•‡†–‘ƒƒŽ›•‡ƒ†‡˜ƒŽ—ƒ–‡–Š‡”‡•—Ž–•Ǥ Reports that are used to communicate measurement results to relevant interested parties should be ’”‡’ƒ”‡†—•‹‰ƒ’’”‘’”‹ƒ–‡”‡’‘”–‹‰ˆ‘”ƒ–•ǤŠ‡…‘…Ž—•‹‘•‘ˆ–Š‡ƒƒŽ›•‹••Š‘—Ž†„‡”‡˜‹‡™‡†„› ”‡Ž‡˜ƒ– ‹–‡”‡•–‡† ’ƒ”–‹‡• –‘ ‡•—”‡ ’”‘’‡” ‹–‡”’”‡–ƒ–‹‘ ‘ˆ –Š‡ †ƒ–ƒǤ Š‡ ”‡•—Ž–• ‘ˆ †ƒ–ƒ ƒƒŽ›•‹• should be documented for communication to interested parties.



15

ISO/IEC 27004:2016(E)

Š‡ ‹ˆ‘”ƒ–‹‘ …‘—‹…ƒ–‘” •Š‘—Ž† †‡–‡”‹‡ Š‘™ –‘ …‘—‹…ƒ–‡ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› measurement results, such as: ƒȌ ™Š‹…Š‡ƒ•—”‡‡–”‡•—Ž–••Š‘—Ž†„‡”‡’‘”–‡†‹–‡”ƒŽŽ›ƒ†‡š–‡”ƒŽŽ›Ǣ „Ȍ Ž‹•–‹‰•‘ˆ‡ƒ•—”‡•…‘””‡•’‘†‹‰–‘‹†‹˜‹†—ƒŽ‹–‡”‡•–‡†’ƒ”–‹‡•ǡƒ†‹–‡”‡•–‡†’ƒ”–‹‡•Ǣ …Ȍ •’‡…‹ϐ‹…‡ƒ•—”‡‡–”‡•—Ž–•–‘„‡’”‘˜‹†‡†ǡƒ†–Š‡–›’‡‘ˆ’”‡•‡–ƒ–‹‘ǡ–ƒ‹Ž‘”‡†–‘–Š‡‡‡†•‘ˆ ‡ƒ…Š‰”‘—’Ǣƒ†


d) means for obtaining from the interested parties to be used for evaluating the usefulness ‘ˆ‡ƒ•—”‡‡–”‡•—Ž–•ƒ†–Š‡‡ˆˆ‡…–‹˜‡‡••‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‡ƒ•—”‡‡–Ǥ

16



ISO/IEC 27004:2016(E)

Annex A (informative) An information security measurement model The measurement information model described in Figure A.1 is presented and explained in ISO/IEC 15939, and can be applied to ISMS. It describes how attributes of relevant entities can be “—ƒ–‹ϐ‹‡† ƒ† …‘˜‡”–‡† –‘ ‹†‹…ƒ–‘”• –Šƒ– ’”‘˜‹†‡ ƒ „ƒ•‹• ˆ‘” †‡…‹•‹‘ ƒ‹‰Ǥ Š‡ ‘†‡Ž ‹• ƒ structure which starts with linking information needs to the relevant entities and attributes of concern. ‘”‡šƒ’Ž‡ǡ–Š‡‹ˆ‘”ƒ–‹‘‡‡†…ƒ„‡Š‘™™‡ŽŽ–Š‡‡’Ž‘›‡‡•ƒ”‡‹ˆ‘”‡†ƒ„‘—––Š‡‹ˆ‘”ƒ–‹‘ •‡…—”‹–› ’‘Ž‹…›Ǥ –‹–‹‡• ‹…Ž—†‡ ’”‘…‡••‡•ǡ …‘–”‘Ž•ǡ †‘…—‡–‡† ‹ˆ‘”ƒ–‹‘ǡ •›•–‡•ǡ †‡˜‹…‡•ǡ personnel and resources. Examples of relevant entities in an ISMS are: risk management process, ƒ—†‹–‹‰’”‘…‡••ǡ‹ˆ‘”ƒ–‹‘…Žƒ••‹ϐ‹…ƒ–‹‘ǡƒƒ‰‡‡–‘ˆƒ……‡••”‹‰Š–•ǡ‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‘Ž‹…›ǡ ‘„‹Ž‡†‡˜‹…‡’‘Ž‹…›ǡ„ƒ…Ǧ‡†…‘’—–‡”ǡƒ†‹‹•–”ƒ–‘”ƒ†‡’Ž‘›‡‡Ǥ


The measurement information model helps to determine what the measurement planner needs to •’‡…‹ˆ›†—”‹‰‘‹–‘”‹‰ǡ‡ƒ•—”‡‡–ǡƒƒŽ›•‹•ǡƒ†‡˜ƒŽ—ƒ–‹‘Ǥ Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡ ͻǤͳ ”‡“—‹”‡• –Šƒ– ‘”‰ƒ‹œƒ–‹‘• ‡˜ƒŽ—ƒ–‡ –Š‡ ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› ’‡”ˆ‘”ƒ…‡ ƒ†–Š‡‡ˆˆ‡…–‹˜‡‡••‘ˆ–Š‡ ǤŠ‹•‘ˆ–‡‹˜‘Ž˜‡•–Š‡‹†‡–‹ϐ‹…ƒ–‹‘‘ˆ‹†‹…ƒ–‘”•ǡƒ†ˆ”‘–Š‡•‡ǡ ƒ……‘”†‹‰ –‘ –Š‡ •‹‰‹ϐ‹…ƒ…‡ ƒ† ‹’‘”–ƒ…‡ ‘ˆ –Š‡ ‹†‹…ƒ–‘”• –‘ –Š‡ ‘”‰ƒ‹œƒ–‹‘ǯ• ’—”’‘•‡•ǡ ‡› ’‡”ˆ‘”ƒ…‡‹†‹…ƒ–‘”•ȋ Ȃ•‘‡–‹‡•ƒŽ•‘”‡ˆ‡””‡†–‘ƒ•Ǯ‡›•—……‡••‹†‹…ƒ–‘”•ǯȌ…ƒ„‡‹†‡–‹ϐ‹‡†Ǥ To determine such indicators, an organization can establish base measures and derive a measure from –Š‡„›—•‹‰ƒ‡ƒ•—”‡‡–ˆ—…–‹‘–Šƒ–…‘„‹‡•–™‘‘”‘”‡„ƒ•‡‡ƒ•—”‡•Ǥ The measurement model in this Annex (using base measure, derived measure, performance indicator ƒ†‡ƒ•—”‡‡–”‡•—Ž–Ȍ‹•ƒ‡šƒ’Ž‡‘ˆ–Š‡ƒ’’”‘ƒ…Š–‘ˆ—Žϐ‹Ž–Š‡ ”‡“—‹”‡‡–•ˆ‘”‡ƒ•—”‡‡–Ǥ Š‡”‡ƒ”‡‘–Š‡”’‘••‹„Ž‡™ƒ›•‘ˆŽ‘‘‹‰ƒ––Š‡’”‘…‡••‘ˆ‡ƒ•—”‡‡–ǡƒƒŽ›•‹•ƒ†‡˜ƒŽ—ƒ–‹‘Ǥ



17


ISO/IEC 27004:2016(E)

Figure A.1 — Key relationships in the measurement information model

18



ISO/IEC 27004:2016(E)

Annex B (informative) Measurement construct examples

B.1 General


The examples in Annex B follow the principles set out in this document. The table below ƒ’• ‡ƒ•—”‡‡– …‘•–”—…– ‡šƒ’Ž‡• –‘ •’‡…‹ϐ‹… …Žƒ—•‡• ‘” …‘–”‘Ž ‘„Œ‡…–‹˜‡ —„‡”• ‹ ISO/IEC 27001:2013. Related ISMS processes and controls (Clause or control number in ISO/IEC 27001:2013)

Measurement construct example names

5.1, 7.1

B.2 Resource allocation

7.5.2, A.5.1.2

Ǥ͵‘Ž‹…›”‡˜‹‡™

5.1, 9.3

B.4 Management commitment

8.2, 8.3

B.5 Risk exposure

9.2, A.18.2.1

B.6 Audit programme

10

B.7 Improvement actions

10

Ǥͺ‡…—”‹–›‹…‹†‡–•…‘•–

10, A.16.1.6

Ǥͻ‡ƒ”‹‰ˆ‘”‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–•

10.1

B.10 Corrective action implementation

A.7.2

B.11 ISMS training or ISMS awareness

A.7.2.2

Ǥͳʹ ˆ‘”ƒ–‹‘•‡…—”‹–›–”ƒ‹‹‰

A.7.2.1, A.7.2.2

Ǥͳ͵ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡••…‘’Ž‹ƒ…‡

A.7.2.2

B.14 ISMS awareness campaigns effectiveness

A.7.2.2, A.9.3.1, A.16.1

B.15 Social engineering preparedness

A.9.3.1

Ǥͳ͸ƒ••™‘”†“—ƒŽ‹–›Ȃƒ—ƒŽ

A.9.3.1

Ǥͳ͹ƒ••™‘”†“—ƒŽ‹–›Ȃƒ—–‘ƒ–‡†

A.9.2.5

B.18 Review of access rights

A.11.1.2

ǤͳͻŠ›•‹…ƒŽ‡–”›…‘–”‘Ž••›•–‡‡˜ƒŽ—ƒ–‹‘

A.11.1.2

ǤʹͲŠ›•‹…ƒŽ‡–”›…‘–”‘Ž•‡ˆˆ‡…–‹˜‡‡••

A.11.2.4

B.21 Management of periodic maintenance

A.12.1.2

B.22 Change management

A.12.2.1

B.23 Protection against malicious code

A.12.2.1

B.24 Anti-malware

A.12.2.1, A.17.2.1

Ǥʹͷ‘–ƒŽƒ˜ƒ‹Žƒ„‹Ž‹–›

A.12.2.1, A.13.1.3

B.26 Firewall rules

A.12.4.1

Ǥʹ͹‘‰ϐ‹Ž‡•”‡˜‹‡™

A.12.6.1

Ǥʹͺ‡˜‹…‡…‘ϐ‹‰—”ƒ–‹‘

A.12.6.1, A.18.2.3

Ǥʹͻ‡–‡•–ƒ†˜—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡–

A.12.6.1

Ǥ͵Ͳ—Ž‡”ƒ„‹Ž‹–›Žƒ†•…ƒ’‡

A.15.1.2

Ǥ͵ͳǤͳȀǤ͵ͳǤʹ‡…—”‹–›‹–Š‹”†’ƒ”–›ƒ‰”‡‡‡–•



19

ISO/IEC 27004:2016(E)

Related ISMS processes and controls (Clause or control number in ISO/IEC 27001:2013)

Measurement construct example names

A.16

Ǥ͵ʹ‡…—”‹–›‹…‹†‡–ƒƒ‰‡‡–‡ˆˆ‡…–‹˜‡‡••

A.16.1

Ǥ͵͵‡…—”‹–›‹…‹†‡–•–”‡†

A 16.1.3

Ǥ͵Ͷ‡…—”‹–›‡˜‡–”‡’‘”–‹‰

A.18.2.1

B.35 ISMS review process

A.18.2.3

Ǥ͵͸—Ž‡”ƒ„‹Ž‹–›…‘˜‡”ƒ‰‡

…”‘•• ”‡ˆ‡”‡…‡ ‘ˆ –Š‡ ”‡Žƒ–‹‘•Š‹’ –‘ …Žƒ—•‡• ‘” …‘–”‘Ž ‘„Œ‡…–‹˜‡ —„‡”• ‹ Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ is included for each example. In addition, for two examples (B.20 and B.28) an additional information †‡•…”‹’–‘”…ƒŽŽ‡†ǲƒ…–‹‘ǳ‹•‹…Ž—†‡†ǤŠ‹•†‡ϐ‹‡•–Š‡ƒ…–‹‘–‘„‡–ƒ‡‹–Š‡‡˜‡––Šƒ––Š‡–ƒ”‰‡–‹• ‘–‡–Ǥ”‰ƒ‹œƒ–‹‘•ƒ›‹…Ž—†‡–Š‹•‹ˆ‘”ƒ–‹‘†‡•…”‹’–‘”‹ˆ–Š‡›…‘•‹†‡”‹–—•‡ˆ—ŽǤ †‡‡†ǡ–Š‡”‡ ‹• ‘ •‹‰Ž‡ ™ƒ› –‘ •’‡…‹ˆ› •—…Š ‡ƒ•—”‡‡– …‘•–”—…–• ƒ† Annex C demonstrates an alternative free-form approach.


B.2 Resource allocation Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

—ƒ–‹ˆ›”‡•‘—”…‡•™Š‹…Šƒ”‡„‡‹‰ƒŽŽ‘…ƒ–‡†–‘‹ˆ‘”ƒ–‹‘•‡…—”‹–›™‹–Š”‡•’‡…– to original budgets

Measure

”‡ƒ†‘™‘ˆ”‡•‘—”…‡•ƒŽŽ‘…ƒ–‡†–‘‹ˆ‘”ƒ–‹‘•‡…—”‹–›ȋ‹–‡”ƒŽ’‡”•‘‡Žǡ contracted personnel, hardware, software, services) within annual budget

Formula/scoring

Allocated resources/used resources within a budgeted period of time

Target

1


ˆ‘”ƒ–‹‘•‡…—”‹–›”‡•‘—”…‡‘‹–‘”‹‰

”‡“—‡…›

‡ƒ”Ž›

Responsible parties

ˆ‘”ƒ–‹‘™‡”ǣ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” ˆ‘”ƒ–‹‘‘ŽŽ‡…–‘”ǣ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” Information Customer: board of directors

Data source

ˆ‘”ƒ–‹‘•‡…—”‹–›„—†‰‡– ˆ‘”ƒ–‹‘•‡…—”‹–›‡ˆˆ‡…–‹˜‡‡š’‡†‹–—”‡ ˆ‘”ƒ–‹‘•‡…—”‹–›”‡•‘—”…‡•—•ƒ‰‡”‡’‘”–•

Reporting format

ƒ†ƒ”†‹ƒ‰”ƒ™‹–Šƒ”‡•‘—”…‡…ƒ–‡‰‘”›ˆ‘”‡ƒ…Šƒš‹•ƒ†–Š‡†‘—„Ž‡‹†‹…ƒ–‹‘‘ˆ allocated and used resources

Relationship

ISO/IEC 27001:2013, 5.1: Leadership and commitment ISO/IEC 27001:2013, 7.1: Resources

20



ISO/IEC 27004:2016(E)

B.3 Policy review Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘‡˜ƒŽ—ƒ–‡™Š‡–Š‡”–Š‡’‘Ž‹…‹‡•ˆ‘”‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ”‡”‡˜‹‡™‡†ƒ–’Žƒ‡† ‹–‡”˜ƒŽ•‘”‹ˆ•‹‰‹ϐ‹…ƒ–…Šƒ‰‡•‘……—”

Measure

‡”…‡–ƒ‰‡‘ˆ’‘Ž‹…›”‡˜‹‡™‡†

Formula/scoring

—„‡”‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‘Ž‹…‹‡•–Šƒ–™‡”‡”‡˜‹‡™‡†‹’”‡˜‹‘—•›‡ƒ”Ȁ —„‡”‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‘Ž‹…‹‡•‹’Žƒ…‡ȗͳͲͲ

Target

”‡‡ǣεͺͲǡ”ƒ‰‡εαͶͲΨǡ‡†δͶͲΨ


‘…—‡–Š‹•–‘”›‡–‹‘‹‰”‡˜‹‡™‘ˆ†‘…—‡–‘”†‘…—‡–Ž‹•–‹†‹…ƒ–‹‰ date of last review

”‡“—‡…›

‘ŽŽ‡…–ǣƒˆ–‡”’Žƒ‡†‹–‡”˜ƒŽ†‡ϐ‹‡†ˆ‘””‡˜‹‡™•ȋ‡Ǥ‰Ǥ›‡ƒ”Ž›‘”ƒˆ–‡”•‹‰‹ϐ‹…ƒ– changes) Report: for each collection

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‘Ž‹…›‘™‡”™Š‘Šƒ•ƒ’’”‘˜‡†ƒƒ‰‡‡–”‡•’‘•‹„‹Ž‹–› ˆ‘”–Š‡†‡˜‡Ž‘’‡–ǡ”‡˜‹‡™ƒ†‡˜ƒŽ—ƒ–‹‘‘ˆ–Š‡’‘Ž‹…›


Information collector: Internal auditor ‡ƒ•—”‡‡–…Ž‹‡–ǣŠ‹‡ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘ˆϐ‹…‡” Data source

‡˜‹‡™’Žƒ‘ˆ’‘Ž‹…‹‡•ǡŠ‹•–‘”›•‡…–‹‘‘ˆƒ•‡…—”‹–›’‘Ž‹…›ǡŽ‹•–‘ˆ†‘…—‡–•

Reporting format

Pie chart for current situation and line chart for compliance evolution representation

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͷǤͳǤʹǣ‡˜‹‡™‘ˆ–Š‡’‘Ž‹…‹‡•ˆ‘”‹ˆ‘”ƒ–‹‘•‡…—”‹–› ISO/IEC 27001:2013, 7.5.2: Creating and updating of documented information



21

ISO/IEC 27004:2016(E)

B.4 Management commitment Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

••‡••ƒƒ‰‡‡–…‘‹–‡–ƒ†‹ˆ‘”ƒ–‹‘•‡…—”‹–›”‡˜‹‡™ƒ…–‹˜‹–‹‡• regarding management review activities

Measure

a) Management review meetings completed to date b) Average participation rates in management review meetings to date

Formula/scoring

ƒȌ‹˜‹†‡ȏƒƒ‰‡‡–”‡˜‹‡™‡‡–‹‰•’‡”ˆ‘”‡†Ȑ„›ȏƒƒ‰‡‡–”‡˜‹‡™ meetings scheduled]


b) Compute mean and standard deviation of all participation rates to management review meetings Target

Resulting ratio of indicator a) should fall between 0.7 and 1.1 to conclude the ƒ…Š‹‡˜‡‡–‘ˆ–Š‡…‘–”‘Ž‘„Œ‡…–‹˜‡ƒ†‘ƒ…–‹‘Ǥ˜‡‹ˆ‹–ˆƒ‹Ž•ǡ‹–•Š‘—Ž†„‡•–‹ŽŽ over 0.5 to conclude the least achievement. With regard to indicator b), Computed …‘ϐ‹†‡…‡Ž‹‹–•„ƒ•‡†‘–Š‡•–ƒ†ƒ”††‡˜‹ƒ–‹‘‹†‹…ƒ–‡–Š‡Ž‹‡Ž‹Š‘‘†–Šƒ–ƒ ƒ…–—ƒŽ”‡•—Ž–…Ž‘•‡–‘–Š‡ƒ˜‡”ƒ‰‡’ƒ”–‹…‹’ƒ–‹‘”ƒ–‡™‹ŽŽ„‡ƒ…Š‹‡˜‡†Ǥ‡”›™‹†‡ …‘ϐ‹†‡…‡Ž‹‹–••—‰‰‡•–ƒ’‘–‡–‹ƒŽŽ›Žƒ”‰‡†‡’ƒ”–—”‡ƒ†–Š‡‡‡†ˆ‘”…‘–‹‰‡…› planning to deal with this outcome.


1.1 Count management review meetings scheduled to date 1.2 Per management review meetings to date, count managers planned to attend ƒ†ƒ††ƒ‡™‡–”›™‹–Šƒ†‡ˆƒ—Ž–˜ƒŽ—‡ˆ‘”—’Žƒ‡†‡‡–‹‰•’‡”ˆ‘”‡†‹ƒ ad hoc manner 2.1.1 Count planned management review meetings held to date 2.1.2 Count unplanned management review meetings held to date 2.1.3 Count rescheduled management review meetings held to date 2.2 For all management review meetings that were held, count the number of managers who attended

”‡“—‡…›

‘ŽŽ‡…–ǣ‘–ŠŽ› ƒŽ›•‹•ǣ—ƒ”–‡”Ž› ‡’‘”–ǣ—ƒ”–‡”Ž› ‡ƒ•—”‡‡–”‡˜‹•‹‘ǣ‡˜‹‡™ƒ†—’†ƒ–‡‡˜‡”›ʹ›‡ƒ”• ‡”‹‘†‘ˆ‡ƒ•—”‡‡–ǣ’’Ž‹…ƒ„Ž‡ʹ›‡ƒ”•

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ—ƒŽ‹–›•›•–‡ƒƒ‰‡”ȋƒ••—‹‰…‘„‹‡†ƒƒ‰‡‡– •›•–‡‘ˆƒ† Ȍ ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ—ƒŽ‹–›ƒƒ‰‡”Ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” ‡ƒ•—”‡‡–…Ž‹‡–ǣƒƒ‰‡”•”‡•’‘•‹„Ž‡ˆ‘” Ǣ—ƒŽ‹–›•›•–‡ƒƒ‰‡”

Data source

ͳǤ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡‡–”‡˜‹‡™’ŽƒȀ•…Š‡†—Ž‡ 2. Management review minutes/records

Reporting format

Line chart depicting indicator with criteria over several data collection and reporting periods with the statement of measurement results. The number of data collection ƒ†”‡’‘”–‹‰’‡”‹‘†••Š‘—Ž†„‡†‡ϐ‹‡†„›–Š‡‘”‰ƒ‹œƒ–‹‘Ǥ

Relationship

ISO/IEC 27001:2013, 9.3: Management review ISO/IEC 27001:2013, 5.1: Leadership and commitment

22



ISO/IEC 27004:2016(E)

B.5 Risk exposure Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

••‡••‡š’‘•—”‡‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘–‘‹ˆ‘”ƒ–‹‘•‡…—”‹–›”‹••

Measure

ƒȌ‹‰Šƒ†‡†‹—”‹••„‡›‘†ƒ……‡’–ƒ„Ž‡–Š”‡•Š‘Ž† „Ȍ‹‡Ž›”‡˜‹‡™‘ˆŠ‹‰Šƒ†‡†‹—”‹••

Formula/scoring

ƒȌŠ”‡•Š‘Ž†ˆ‘”Š‹‰Šƒ†‡†‹—”‹•••Š‘—Ž†„‡†‡ϐ‹‡†ƒ†”‡•’‘•‹„Ž‡’ƒ”–‹‡• alerted if the threshold is breached b) Number of risks without status update

Target

1


Updated risk

”‡“—‡…›

‘ŽŽ‡…–ǣ‹‹—“—ƒ”–‡”Ž› Report: each quarter

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‡…—”‹–›•–ƒˆˆ


ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‡…—”‹–›•–ƒˆˆ Data source

Information risk

Reporting format

Trend of high risks Trend of accepted high and medium risks

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡͺǤʹǣ ˆ‘”ƒ–‹‘•‡…—”‹–›”‹•ƒ••‡••‡– Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡͺǤ͵ǣ ˆ‘”ƒ–‹‘‡…—”‹–›‹•”‡ƒ–‡–



23

ISO/IEC 27004:2016(E)

B.6 Audit programme Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

Completeness of the audit programme

Measure

Total number of audit performed compared with the total number of audits planned

Formula/scoring

ȋ‘–ƒŽ—„‡”‘ˆƒ—†‹–•’‡”ˆ‘”‡†ȌȀȋ‘–ƒŽ—„‡”‘ˆƒ—†‹–•’Žƒ‡†ȌȗͳͲͲǤ

Target

εͻͷΨ


Audit programme and related reports monitoring

”‡“—‡…›

‡ƒ”Ž›

Responsible parties

Information owner: Audit manager Information collector: Audit manager


Information customer: Top management Data source

Audit programme and audit reports

Reporting format

Trend chart linking the ratio of completed audits against the programme for each •ƒ’Ž‡†›‡ƒ”

Relationship

ISO/IEC 27001:2013, 9.2: Internal audit Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳͺǤʹǤͳǣ †‡’‡†‡–”‡˜‹‡™‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›

24



ISO/IEC 27004:2016(E)

B.7 Improvement actions Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‡”‹ˆ›–Š‡•–ƒ–—•‘ˆ‹’”‘˜‡‡–ƒ…–‹‘•ƒ†–Š‡‹”ƒƒ‰‡‡–ƒ……‘”†‹‰™‹–Š’Žƒ•

Measure

‡”…‡–ƒ‰‡‘ˆƒ…–‹‘•‘–‹‡ǡ…‘•–•ƒ†“—ƒŽ‹–›ȋ‹Ǥ‡Ǥ”‡“—‹”‡‡–•Ȍƒ‰ƒ‹•–ƒŽŽ planned actions Š‡ƒ…–‹‘••Š‘—Ž†„‡–Š‡‘‡•’Žƒ‡†ȋ‹Ǥ‡Ǥ‘’‡‡†ǡ•–ƒ†Ǧ„›ƒ†‹’”‘‰”‡••Ȍ‹ the beginning of the timeframe

Formula/scoring

ȏȋ…–‹‘•‘–‹‡ǡ…‘•–•ƒ†“—ƒŽ‹–›ȌȀȋ—„‡”‘ˆƒ…–‹‘•ȌȐȗͳͲͲ

Target

ͻͲΨ


Status monitoring of each action

”‡“—‡…›

—ƒ”–‡”Ž›

Responsible parties

ˆ‘”ƒ–‹‘™‡”ǣ’”‘Œ‡…–ƒƒ‰‡‡–‘ˆϐ‹…‡ ˆ‘”ƒ–‹‘‘ŽŽ‡…–‘”ǣ’”‘Œ‡…–ƒƒ‰‡‡–‘ˆϐ‹…‡


ˆ‘”ƒ–‹‘—•–‘‡”ǣ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” Data source

‡Ž‡˜ƒ–’”‘Œ‡…–’Žƒ•

Reporting format

‹•–‘ˆƒŽŽ”‡Ž‡˜ƒ–ƒ…–‹‘•ƒ†–Š‡‹”•–ƒ–—•ȋƒ…–—ƒŽ–‹‡ǡ…‘•–•ƒ†“—ƒŽ‹–›ˆ‘”‡…ƒ•– ƒ‰ƒ‹•––Š‡’Žƒ‡†‘‡•Ȍ™‹–Š–Š‡’‡”…‡–ƒ‰‡‘ˆƒ…–‹‘•‘–‹‡ǡ…‘•–•ƒ†“—ƒŽ‹–› against the relevant number of actions in the timeframe

Relationship

ISO/IEC 27001:2013, Clause 10: Improvement

‘–‡ –Šƒ– –Š‹• ‡ƒ•—”‡ ƒ› „‡ ‹’”‘˜‡† „› ™‡‹‰Š–‹‰ ‡ƒ…Š ƒ…–‹‘ …‘•‹†‡”‹‰ –Š‡‹” …”‹–‹…ƒŽ‹–› ȋ‡Ǥ‰Ǥǡ actions that address high risks). Ž‹•–‘ˆƒŽŽ”‡Ž‡˜ƒ–ƒ…–‹‘••Š‘—Ž†„‡–‘‰‡–Š‡”™‹–Š–Š‡•›–Š‡–‹…”‡•—Ž–ǡ•‘–Šƒ–ƒŠ‹‰Š—„‡”‘ˆ‘Ǧ critical but within acceptable boundaries won’t hide a low number of critical actions outside acceptable boundaries.



25

ISO/IEC 27004:2016(E)

B.8 Security incident cost Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘•‹†‡”ƒ–‹‘•ƒ„‘—–…‘•–•ƒ”‹•‹‰ˆ”‘Žƒ…‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›

Measure

—‘ˆ…‘•–•ˆ‘”‡ƒ…Š‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–‘……—””‡†‹–Š‡•ƒ’Ž‹‰’‡”‹‘†

Formula/scoring

—ȋ…‘•–•‘ˆ‡ƒ…Š‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–Ȍ

Target

‡••–Šƒƒƒ……‡’–ƒ„Ž‡–Š”‡•Š‘Ž††‡ϐ‹‡†„›–Š‡‘”‰ƒ‹œƒ–‹‘


›•–‡ƒ–‹…‰ƒ–Š‡”‹‰‘ˆ…‘•–•ˆ‘”‡ƒ…Š‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–•

”‡“—‡…›

—ƒ”–‡”Ž›

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‘’—–‡”•‡…—”‹–›‹…‹†‡–”‡•’‘•‡–‡ƒȋ Ȍ ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” Information customer: Top management

Data source

Incident reports

Reporting format

‘Ž—…Šƒ”–•Š‘™‹‰…‘•–•‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–•ˆ‘”–Š‹•ƒ†’”‡˜‹‘—• sampling periods.


–…ƒ„‡ˆ‘ŽŽ‘™‡†„›ƒ†”‹ŽŽǦ†‘™™‹–Šǣ Ȅ

ƒ˜‡”ƒ‰‡…‘•–‘ˆ‡ƒ…Š‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–Ǣ

Ȅ ƒ˜‡”ƒ‰‡…‘•–‘ˆ‡ƒ…Š‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–ˆ‘”‡ƒ…Š‹ˆ‘”ƒ–‹‘ •‡…—”‹–›‹…‹†‡–…ƒ–‡‰‘”›ȋ…ƒ–‡‰‘”‹‡••Š‘—Ž†„‡’”‡˜‹‘—•Ž›†‡ϐ‹‡†ȌǤ

Relationship

26

ISO/IEC 27001:2013, Clause 10: Improvement



ISO/IEC 27004:2016(E)

B.9 Learning from information security incidents Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‡”‹ˆ › ™Š‡–Š‡” •‡…—”‹– › ‹…‹†‡–• –”‹‰‰‡” ƒ…–‹‘• ˆ‘” ‹’”‘˜‹‰ –Š‡ …—””‡–•‡…—”‹–›•‹–—ƒ–‹‘

Measure

—„‡”‘ˆ•‡…—”‹–›‹…‹†‡–•–Šƒ––”‹‰‰‡”‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹’”‘˜‡‡–ƒ…–‹‘•

Formula/scoring

—‘ˆ•‡…—”‹–›‹…‹†‡–•–Šƒ––”‹‰‰‡”‡†ƒ…–‹‘•Ȁ—‘ˆ•‡…—”‹–›‹…‹†‡–•

Target

ƒŽ—‡•Š‘—Ž†„‡Š‹‰Š‡”–Šƒ–Š‡–Š”‡•Š‘Ž††‡ϐ‹‡†„›–Š‡‘”‰ƒ‹œƒ–‹‘


…–‹‘’Žƒ™‹–ŠŽ‹–‘•‡…—”‹–›‹…‹†‡–•

”‡“—‡…›

‘ŽŽ‡…–ǣ—ƒ”–‡”Ž› ‡’‘”–ǣ˜‡”›•‡‡•–‡”

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‘’—–‡”•‡…—”‹–›‹…‹†‡–”‡•’‘•‡–‡ƒȋ Ȍ ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡”


ˆ‘”ƒ–‹‘…—•–‘‡”ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” Data source

Incident reports

Reporting format

‘Ž—…Šƒ”–•Š‘™‹‰…‘•–•‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–•ˆ‘”–Š‹•ƒ†’”‡˜‹‘—• sampling periods. –…ƒ„‡ˆ‘ŽŽ‘™‡†„›ƒ†”‹ŽŽǦ†‘™™‹–Šǣ Ȅ

ƒ˜‡”ƒ‰‡…‘•–‘ˆ‡ƒ…Š‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–Ǣ

Ȅ ƒ˜‡”ƒ‰‡…‘•–‘ˆ‡ƒ…Š‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–ˆ‘”‡ƒ…Š‹ˆ‘”ƒ–‹‘ •‡…—”‹–›‹…‹†‡–…ƒ–‡‰‘”›ȋ…ƒ–‡‰‘”‹‡••Š‘—Ž†„‡’”‡˜‹‘—•Ž›†‡ϐ‹‡†ȌǤ

Relationship

ISO/IEC 27001:2013, Clause 10: Improvement Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳ͸ǤͳǤ͸ǣ‡ƒ”‹‰ˆ”‘‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–•



27

ISO/IEC 27004:2016(E)

B.10 Corrective action implementation Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

Assess performance of corrective action implementation

Measure

a) Status expressed as a ratio of corrective action not implemented b) Status expressed as a ratio of corrective action not implemented without reason c) Trend of statuses

Formula/scoring

ƒȌ‹˜‹†‡ȏ‘””‡…–‹˜‡ƒ…–‹‘‘–‹’Ž‡‡–‡†–‘†ƒ–‡Ȑ„›ȏ‘””‡…–‹˜‡ƒ…–‹‘• planned to date] „Ȍ‹˜‹†‡ȏ‘””‡…–‹˜‡ƒ…–‹‘‘–‹’Ž‡‡–‡†™‹–Š‘—–”‡ƒ•‘Ȑ„›ȏ‘””‡…–‹˜‡ actions planned to date]


c) Compare Statuses with Previous statuses Target

‘”†‡”–‘…‘…Ž—†‡–Š‡ƒ…Š‹‡˜‡‡–‘ˆ–Š‡‘„Œ‡…–‹˜‡ƒ†‘ƒ…–‹‘ǡ–Š‡”ƒ–‹‘•‘ˆ ‹†‹…ƒ–‘”ƒȌƒ†„Ȍ•Š‘—Ž†ˆƒŽŽ”‡•’‡…–‹˜‡Ž›„‡–™‡‡ͲǤͶƒ†ͲǤͲƒ†„‡–™‡‡ͲǤʹ and 0.0, and Trend of indicator c) should have been declining for the last 2 reporting periods. The indicator c) should be presented in comparison with previous indicators so that the trend in corrective action implementation can be examined.


1. Count corrective actions planned to be implemented to date ʹǤ‘—–…‘””‡…–‹˜‡ƒ…–‹‘•”‡…‘”†‡†ƒ•‹’Ž‡‡–‡†„›†—‡†ƒ–‡ 3. Count corrective actions recorded as planned actions not taken with the reason

”‡“—‡…›

‘ŽŽ‡…–ǣ—ƒ”–‡”Ž› ƒŽ›•‹•ǣ—ƒ”–‡”Ž› ‡’‘”–ǣ—ƒ”–‡”Ž› ‡ƒ•—”‡‡–‡˜‹•‹‘ǣ‡˜‹‡™ƒ—ƒŽŽ› ‡”‹‘†‘ˆ‡ƒ•—”‡‡–ǣ’’Ž‹…ƒ„Ž‡ͳ›‡ƒ”

Responsible parties

Information owner: Managers responsible for ISMS Information collector: Managers responsible for ISMS ‡ƒ•—”‡‡–…Ž‹‡–ǣƒƒ‰‡”•”‡•’‘•‹„Ž‡ˆ‘” Ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡”

Data source

Corrective action reports

Reporting format

Stacked bar chart with the statement of measurement results including an executive •—ƒ”›‘ˆϐ‹†‹‰•ƒ†’‘••‹„Ž‡ƒƒ‰‡‡–ƒ…–‹‘•ǡ–Šƒ–†‡’‹…–•–‘–ƒŽ—„‡” of corrective actions, separated into implemented, not implemented without a legitimate reason, and not implemented with a legitimate reason.

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡͳͲǤͳǣ‘…‘ˆ‘”‹–›ƒ†…‘””‡…–‹˜‡ƒ…–‹‘

28



ISO/IEC 27004:2016(E)

B.11 ISMS training or ISMS awareness Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘‡ƒ•—”‡Š‘™ƒ›‡’Ž‘›‡‡•”‡…‡‹˜‡†ƒ ”‡Žƒ–‡†ƒ™ƒ”‡‡••–”ƒ‹‹‰ƒ† ‡•–ƒ„Ž‹•Š…‘–”‘Ž…‘’Ž‹ƒ…‡™‹–Š–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‘Ž‹…›

Measure

‡”…‡–ƒ‰‡‘ˆ‡’Ž‘›‡‡•Šƒ˜‹‰’ƒ”–‹…‹’ƒ–‡†–‘ƒ ƒ™ƒ”‡‡••–”ƒ‹‹‰

Formula/scoring

ͳαȏ—„‡”‘ˆ‡’Ž‘›‡‡•™Š‘”‡…‡‹˜‡† –”ƒ‹‹‰Ȁ—„‡”‘ˆ‡’Ž‘›‡‡•™Š‘ Šƒ˜‡–‘”‡…‡‹˜‡ –”ƒ‹‹‰ȐȗͳͲͲ ʹαȏ—„‡”‘ˆ‡’Ž‘›‡‡•™Š‘”‡‡™‡†–Š‡‹” –”ƒ‹‹‰‹–Š‡Žƒ•–›‡ƒ”Ȁ —„‡”‘ˆ‡’Ž‘›‡‡‹•…‘’‡ȐȗͳͲͲ

Target

”‡‡ǣ‹ˆ ͳεͻͲƒ† ʹεͷͲΨ ‘–Š‡”™‹•‡‡ŽŽ‘™ǣ‹ˆ ͳε͸ͲΨƒ† ʹε͵ͲΨ otherwise Red ‡†Ȃ‹–‡”˜‡–‹‘‹•”‡“—‹”‡†ǡ…ƒ—•ƒ–‹‘ƒƒŽ›•‹•—•–„‡…‘†—…–‡†–‘†‡–‡”‹‡ reasons for non-compliance and poor performance


‡ŽŽ‘™Ȃ‹†‹…ƒ–‘”•Š‘—Ž†„‡™ƒ–…Š‡†…Ž‘•‡Ž›ˆ‘”’‘••‹„Ž‡•Ž‹’’ƒ‰‡–‘‡† Green – no action is required Implementation evidence

ƒ”–‹…‹’ƒ–‹‘Ž‹•–•‘ˆƒŽŽƒ™ƒ”‡‡••–”ƒ‹‹‰•Ǣ…‘—–‘ˆŽ‘‰•Ȁ”‡‰‹•–”‹‡•™‹–Š –”ƒ‹‹‰ϐ‹‡Ž†Ȁ”‘™ϐ‹ŽŽ‡”ƒ•ǲ‡…‡‹˜‡†ǳ

”‡“—‡…›

‘ŽŽ‡…–ǣ‘–ŠŽ›ǡϐ‹”•–™‘”‹‰†ƒ›‘ˆ–Š‡‘–Š ƒŽ›•‹•ǣ—ƒ”–‡”Ž› ‡’‘”–ǣ—ƒ”–‡”Ž› ‡ƒ•—”‡‡–‡˜‹•‹‘ǣ‡˜‹‡™ƒ—ƒŽŽ› Period of Measurement: Annual

Responsible parties

Information owner: Training manager – Human resources Information collector: Training management – Human resource department Measurement client: Managers responsible for an ISMS, Chief information •‡…—”‹–›‘ˆϐ‹…‡”

Data source

’Ž‘›‡‡†ƒ–ƒ„ƒ•‡ǡ–”ƒ‹‹‰”‡…‘”†•ǡ’ƒ”–‹…‹’ƒ–‹‘Ž‹•–‘ˆƒ™ƒ”‡‡••–”ƒ‹‹‰•

Reporting format

ƒ”‰”ƒ’Š™‹–Š„ƒ”•…‘Ž‘—”Ǧ…‘†‡†„ƒ•‡†‘–ƒ”‰‡–ǤŠ‘”–•—ƒ”›‘ˆ™Šƒ––Š‡‡ƒ•—”‡ means and possible management actions should be attached to the bar chart. OR Pie chart for current situation and line chart for compliance evolution representation.

Relationship

ISO/IEC 27001:2013, A.7.2: Competence.



29

ISO/IEC 27004:2016(E)

B.12 Information security training Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘‡˜ƒŽ—ƒ–‡…‘’Ž‹ƒ…‡™‹–Šƒ—ƒŽ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡••–”ƒ‹‹‰ requirement

Measure

‡”…‡–ƒ‰‡‘ˆ’‡”•‘‡Ž™Š‘”‡…‡‹˜‡†ƒ—ƒŽ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡••–”ƒ‹‹‰

Formula/scoring

ȏ—„‡”‘ˆ‡’Ž‘›‡‡•™Š‘”‡…‡‹˜‡†ƒ—ƒŽ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡•• –”ƒ‹‹‰Ȁ—„‡”‘ˆ‡’Ž‘›‡‡•™Š‘‡‡†–‘”‡…‡‹˜‡ƒ—ƒŽ‹ˆ‘”ƒ–‹‘•‡…—”‹–› ƒ™ƒ”‡‡••–”ƒ‹‹‰ȐȗͳͲͲ

Target

ͲǦ͸ͲΨǦ‡†Ǣ͸ͲǦͻͲΨǦ‡ŽŽ‘™ǢͻͲǦͳͲͲΨ ”‡‡Ǥ ‘”‡ŽŽ‘™ǡ‹ˆ’”‘‰”‡••‘ˆƒ–Ž‡ƒ•– ͳͲΨ’‡”“—ƒ”–‡”‹•‘–ƒ…Š‹‡˜‡†ǡ”ƒ–‹‰‹•ƒ—–‘ƒ–‹…ƒŽŽ›”‡†Ǥ ‡†Ȃ‹–‡”˜‡–‹‘‹•”‡“—‹”‡†ǡ…ƒ—•ƒ–‹‘ƒƒŽ›•‹•—•–„‡…‘†—…–‡†–‘†‡–‡”‹‡ reasons for non-compliance and poor performance. ‡ŽŽ‘™Ȃ‹†‹…ƒ–‘”•Š‘—Ž†„‡™ƒ–…Š‡†…Ž‘•‡Ž›ˆ‘”’‘••‹„Ž‡•Ž‹’’ƒ‰‡–‘‡†Ǥ


Green – no action is required. Implementation evidence

‘—–‘ˆŽ‘‰•Ȁ”‡‰‹•–”‹‡•™‹–Šƒ—ƒŽ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡••–”ƒ‹‹‰ϐ‹‡Ž†Ȁ ”‘™ϐ‹ŽŽ‡”ƒ•ǲ‡…‡‹˜‡†ǳ

”‡“—‡…›


Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›‘ˆϐ‹…‡”ƒ†”ƒ‹‹‰ƒƒ‰‡” Information collector: Training management – Human resource department ‡ƒ•—”‡‡–…Ž‹‡–ǣƒƒ‰‡”•”‡•’‘•‹„Ž‡ˆ‘”ƒ Ǣ‡…—”‹–›ƒƒ‰‡‡–Ǣ Training management

Data source

’Ž‘›‡‡†ƒ–ƒ„ƒ•‡ǡ–”ƒ‹‹‰”‡…‘”†•

Reporting format

ƒ”‰”ƒ’Š™‹–Š„ƒ”•…‘Ž‘—”Ǧ…‘†‡†„ƒ•‡†‘–ƒ”‰‡–ǤŠ‘”–•—ƒ”›‘ˆ™Šƒ––Š‡‡ƒ•ure means and possible management actions should be attached to the bar chart.

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤ͹ǤʹǤʹǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡••ǡ‡†—…ƒ–‹‘ƒ† training.

30



ISO/IEC 27004:2016(E)

B.13 Information security awareness compliance Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

••‡•••–ƒ–—•‘ˆ…‘’Ž‹ƒ…‡™‹–Š‘”‰ƒ‹œƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡••’‘Ž‹…›ƒ‘‰ relevant personnel

Measure

1. Progress to date 2. Progress to date with g

Formula/scoring

‡”‹˜‡–Š‡ǲ’”‘‰”‡••–‘†ƒ–‡ǳ„›ƒ††‹‰•–ƒ–—•ˆ‘”ƒŽŽ’‡”•‘‡ŽŠƒ˜‹‰•‹‰‡†ǡ planned to be completed to date ‡”‹˜‡ǲ’”‘‰”‡••–‘†ƒ–‡™‹–Š•‹‰‹‰ǳ„›†‹˜‹†‡’‡”•‘‡ŽŠƒ˜‹‰•‹‰‡†–‘†ƒ–‡ „›’‡”•‘‡Ž’Žƒ‡†ˆ‘”•‹‰‹‰–‘†ƒ–‡ ƒȌȏ†‹˜‹†‡’”‘‰”‡••–‘†ƒ–‡„›ȋ’‡”•‘‡Ž’Žƒ‡†–‘†ƒ–‡–‹‡•ͳͲͲȌȐƒ†’”‘‰”‡•• to date with g b) Compare status with previous statuses

Target

ƒȌ‡•—Ž–‹‰”ƒ–‹‘••Š‘—Ž†ˆƒŽŽ”‡•’‡…–‹˜‡Ž›„‡–™‡‡ͲǤͻƒ†ͳǤͳƒ†„‡–™‡‡ͲǤͻͻ ƒ†ͳǤͲͳ–‘…‘…Ž—†‡–Š‡ƒ…Š‹‡˜‡‡–‘ˆ–Š‡…‘–”‘Ž‘„Œ‡…–‹˜‡ƒ†‘ƒ…–‹‘Ǣƒ†


b) Trend should be upward or stable Implementation evidence

1.1. Count number of personnel scheduled to have signed and completed the training to date 1.2. Ask responsible individual for percent of personnel who have completed the training and signed ʹǤͳǤ‘—–—„‡”‘ˆ’‡”•‘‡Ž•…Š‡†—Ž‡†–‘Šƒ˜‡•‹‰‡†„›–Š‹•†ƒ–‡ 2.2. Count number of personnel having signed agreements

”‡“—‡…›


Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›‘ˆϐ‹…‡”ƒ†”ƒ‹‹‰ƒƒ‰‡” ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ”ƒ‹‹‰ƒƒ‰‡‡–Ǣ—ƒ”‡•‘—”…‡†‡’ƒ”–‡– ‡ƒ•—”‡‡–…Ž‹‡–ǣƒƒ‰‡”•”‡•’‘•‹„Ž‡ˆ‘”ƒ Ǣ‡…—”‹–›ƒƒ‰‡‡–Ǥ training management

Data source

ͳǤͳǤ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡••–”ƒ‹‹‰’ŽƒȀ•…Š‡†—Ž‡ǣ‡”•‘‡Ž‹†‡–‹ϐ‹‡†‹’Žƒ 1.2 Personnel who have completed or in progress in the training: Personnel status with regard to the training ʹǤͳǤŽƒˆ‘”•‹‰‹‰—•‡”ƒ‰”‡‡‡–•Ȁ•…Š‡†—Ž‡ǣ‡”•‘‡Ž‹†‡–‹ϐ‹‡†‹’Žƒˆ‘”•‹‰‹‰ 2.2. Personnel having signed agreements: Personnel status with regard to the g of agreements

Reporting format

–ƒ†ƒ”† ‘–α”‹–‡”‹ƒŠƒ˜‡„‡‡‡–•ƒ–‹•ˆƒ…–‘”‹Ž› –ƒŽ‹… ‘–α”‹–‡”‹ƒŠƒ˜‡„‡‡‡–—•ƒ–‹•ˆƒ…–‘”‹Ž› Bold Font = Criteria have not been met



31

ISO/IEC 27004:2016(E)

Relationship

ISO/IEC 27001:2013, A.7.2.2: Management responsibilities


Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤ͹ǤʹǤͳǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡••ǡ‡†—…ƒ–‹‘ƒ† training

32



ISO/IEC 27004:2016(E)

B.14 ISMS awareness campaigns effectiveness Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘‡ƒ•—”‡‹ˆ‡’Ž‘›‡‡•Šƒ˜‡—†‡”•–‘‘†…‘–‡–‘ˆƒ™ƒ”‡‡••…ƒ’ƒ‹‰

Measure

‡”…‡–ƒ‰‡‘ˆ‡’Ž‘›‡‡•’ƒ••‹‰ƒ‘™Ž‡†‰‡–‡•–„‡ˆ‘”‡ƒ†ƒˆ–‡” ƒ™ƒ”‡‡•• campaign

Formula/scoring

Š‘‘•‡ƒ‰‹˜‡—„‡”‘ˆ‡’Ž‘›‡‡•™Š‘™‡”‡–ƒ”‰‡–‡†„›ƒƒ™ƒ”‡‡••…ƒ’ƒ‹‰ ƒ†Ž‡––Š‡ϐ‹ŽŽ‘—–ƒ•Š‘”–‘™Ž‡†‰‡–‡•–ƒ„‘—––‘’‹…•‘ˆ–Š‡ƒ™ƒ”‡‡••…ƒ’ƒ‹‰ Percentage of people ed the test

Target

”‡‡ǣͻͲǦͳͲͲΨ‘ˆ’‡‘’Ž‡’ƒ••‡†–Š‡–‡•–ǡ”ƒ‰‡ǣ͸ͲǦͻͲΨ‘ˆ’‡‘’Ž‡’ƒ••‡†–Š‡ –‡•–ǡ‡†ǣδ͸ͲΨ‘ˆ’‡‘’Ž‡’ƒ••‡†–Š‡–‡•–


™ƒ”‡‡••…ƒ’ƒ‹‰†‘…—‡–•Ȁ‹ˆ‘”ƒ–‹‘’”‘˜‹†‡†–‘‡’Ž‘›‡‡•ǢŽ‹•–‘ˆ ‡’Ž‘›‡‡•™Š‘ˆ‘ŽŽ‘™‡†ƒ™ƒ”‡‡••…ƒ’ƒ‹‰Ǣ‘™Ž‡†‰‡–‡•–•

”‡“—‡…›

Collect: one month after awareness campaign Report: for each collection

Responsible parties

Information owner: Human resources


Information collector: Human resources ‡ƒ•—”‡‡–…Ž‹‡–ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” Data source

’Ž‘›‡‡†ƒ–ƒ„ƒ•‡ǡƒ™ƒ”‡‡••…ƒ’ƒ‹‰‹ˆ‘”ƒ–‹‘ǡ‘™Ž‡†‰‡–‡•–”‡•—Ž–•

Reporting format

Pie chart for representing percentage of staff ed the test situation and line chart for evolution representation if extra training has been organised ˆ‘”ƒ•’‡…‹ϐ‹…–‘’‹…

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤ͹ǤʹǤʹǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡••ǡ‡†—…ƒ–‹‘ƒ† training



33

ISO/IEC 27004:2016(E)

B.15 Social engineering preparedness Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘‡˜ƒŽ—ƒ–‡™Š‡–Š‡”•–ƒˆˆ‹•’”‡’ƒ”‡†–‘”‡ƒ…–’”‘’‡”Ž›‹…ƒ•‡‘ˆ•‘‡•‘…‹ƒŽ engineering attacks

Measure

‡”…‡–ƒ‰‡‘ˆ•–ƒˆˆ–Šƒ–”‡ƒ…–…‘””‡…–Ž›–‘ƒ–‡•–ǡ‡Ǥ‰Ǥǡ™Š‘†‹†‘–…Ž‹…‘ƒŽ‹‹ a given test consisting in sending a phishing email to (a selected part of the) staff

Formula/scoring

a = Number of staff having clicked on the link/number of staff participating in the test b = 1-Number of staff having reported the dangerous email through appropriate channels c = Number of staff having followed the instruction given when clicking on the link, i.e. start revealing a /number of staff participating


d = An appropriate weighted sum of the above parameter, depending on the nature of the test Target

d: 0-60: Red, 60-80: Yellow, 90-100: Green


‘—–‘ˆƒ…–‹˜‹–›‘ƒ•‹—Žƒ–‡†…‘ƒ†ƒ†…‘–”‘Žƒ††”‡••‡†„›–Š‡Ž‹Ǥƒ‡ …ƒ”‡–‘”‡•’‡…–’‡”•‘‡Ž’”‹˜ƒ…›ƒ•’‡…–•ǡƒ†–‘ƒ‘›‹•‡†ƒ–ƒ•‘–Šƒ––‡•– participants do not have to fear negative consequences from this test.

”‡“—‡…›

‘ŽŽ‡…–ǣ‘–ŠŽ›–‘ƒ—ƒŽŽ›ǡ†‡’‡†‹‰‘–Š‡…”‹–‹…ƒŽ‹–›‘ˆ•‘…‹ƒŽ‡‰‹‡‡”‹‰ƒ––ƒ…• Report: for each collection

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣŠ‹‡ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘ˆϐ‹…‡” ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ •‡…—”‹–›‘ˆϐ‹…‡”–”ƒ‹‡†–‘”‡•’‡…–’”‹˜ƒ…›ƒ•’‡…–• Measurement client: Risk owner

Data source

‹•–‘ˆ•–ƒˆˆǡ‘”—•‡”•‘ˆƒ‰‹˜‡•‡”˜‹…‡Ǣ™ƒ”‡‡•••—’’‘”–ǡ…‘—‹…ƒ–‹‘ȋ‡ƒ‹Ž or intranet)

Reporting format

‡•– ”‡’‘”– ‹†‹…ƒ–‹‰ –‡•– †‡–ƒ‹Ž•ǡ ‡ƒ•—”‡‡–•ǡ ƒƒŽ›•‹• ‘ˆ ”‡•—Ž–•ǡ ƒ† recommendation, based on target and agreed treatment

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳ͸Ǥͳǣƒƒ‰‡‡–‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–• and improvements ISO/IEC 27001:2013, A.9.3.1: Use of secret authentication information Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤ͹ǤʹǤʹǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒ™ƒ”‡‡••ǡ‡†—…ƒ–‹‘ƒ† training

34



ISO/IEC 27004:2016(E)

B.16 quality – manual Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘ ƒ••‡•• –Š‡ “—ƒŽ‹–› ‘ˆ –Š‡ ’ƒ••™‘”†• —•‡† „› –Š‡ •‡”• –‘ ƒ……‡•• –Š‡ ‘”‰ƒ‹œƒ–‹‘ǯ• •›•–‡•

Measure

‘–ƒŽ—„‡”‘ˆ’ƒ••™‘”†•–Šƒ–…‘’Ž›™‹–Š‘”‰ƒ‹œƒ–‹‘ǯ•’ƒ••™‘”†“—ƒŽ‹–›’‘Ž‹…› ƒȌƒ–‹‘‘ˆ’ƒ••™‘”†•™Š‹…Š‡‡–‘”‰ƒ‹œƒ–‹‘ǯ•’ƒ••™‘”†“—ƒŽ‹–›’‘Ž‹…› „Ȍ”‡†•‘ˆ…‘’Ž‹ƒ…‡•–ƒ–—•”‡‰ƒ”†‹‰’ƒ••™‘”†“—ƒŽ‹–›’‘Ž‹…›

Formula/scoring

Count number of s in database ‡–‡”‹‡–Š‡—„‡”‘ˆ’ƒ••™‘”†•™Š‹…Š•ƒ–‹•ˆ›‘”‰ƒ‹œƒ–‹‘ǯ•’ƒ••™‘”†’‘Ž‹…› ȭ‘ˆȏ‘–ƒŽ—„‡”‘ˆ’ƒ••™‘”†•–Šƒ–…‘’Ž›™‹–Š‘”‰ƒ‹œƒ–‹‘ǯ•’ƒ••™‘”†“—ƒŽ‹–› ’‘Ž‹…›ˆ‘”‡ƒ…Š—•‡”Ȑ ƒȌƒ–‹‘‘ˆ’ƒ••™‘”†•™Š‹…Š‡‡–‘”‰ƒ‹œƒ–‹‘ǯ•’ƒ••™‘”†“—ƒŽ‹–›’‘Ž‹…› „Ȍ”‡†•‘ˆ…‘’Ž‹ƒ…‡•–ƒ–—•”‡‰ƒ”†‹‰’ƒ••™‘”†“—ƒŽ‹–›’‘Ž‹…›


c) Divide [Total number of s complied with organization’s “—ƒŽ‹–›’‘Ž‹…›Ȑ„›ȏ—„‡”‘ˆ”‡‰‹•–‡”‡†’ƒ••™‘”†•Ȑ d) Compare ratio with the previous ratio Target

‘–”‘Ž‘„Œ‡…–‹˜‡‹•ƒ…Š‹‡˜‡†ƒ†‘ƒ…–‹‘”‡“—‹”‡†‹ˆ–Š‡”‡•—Ž–‹‰”ƒ–‹‘‹•ƒ„‘˜‡ ͲǤͻǤ ˆ–Š‡”‡•—Ž–‹‰”ƒ–‹‘‹•„‡–™‡‡ͲǤͺƒ†ͲǤͻ–Š‡…‘–”‘Ž‘„Œ‡…–‹˜‡‹•‘–ƒ…Š‹‡˜‡†ǡ but positive trend indicates improvement. If the resulting ratio is below 0.8 immediate action should be taken.


1 Count number of s on database ʹ‡–‡”‹‡–Š‡—„‡”‘ˆ’ƒ••™‘”†•™Š‹…Š•ƒ–‹•ˆ›‘”‰ƒ‹œƒ–‹‘ǯ•’ƒ••™‘”†’‘Ž‹…› ‘ϐ‹‰—”ƒ–‹‘ϐ‹Ž‡ǡ’ƒ••™‘”†•‡––‹‰‘”…‘ϐ‹‰—”ƒ–‹‘–‘‘Ž

”‡“—‡…›

‘ŽŽ‡…–ǣ‡’‡†‹‰‘–Š‡…”‹–‹…ƒŽ‹–›„—–‹‹—›‡ƒ”Ž› ƒŽ›•‹•ǣˆ–‡”‡ƒ…Š…‘ŽŽ‡…–‹‘ ‡’‘”–ǣˆ–‡”‡ƒ…ŠƒƒŽ›•‹• ‡ƒ•—”‡‡–‡˜‹•‹‘ǣ‡ƒ”Ž› ‡”‹‘†‘ˆ‡ƒ•—”‡‡–ǣ‡ƒ”Ž›

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ›•–‡ƒ†‹‹•–”ƒ–‘” ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‡…—”‹–›•–ƒˆˆ ‡ƒ•—”‡‡–…Ž‹‡–ǣƒƒ‰‡”•”‡•’‘•‹„Ž‡ˆ‘”ƒ ǡ‡…—”‹–›ƒƒ‰‡”

Data source

•‡”’ƒ••™‘”††ƒ–ƒ„ƒ•‡Ǣ †‹˜‹†—ƒŽ’ƒ••™‘”†•

Reporting format

Trend line that depicts the number of s compliant with organization’s ’ƒ••™‘”†“—ƒŽ‹–›’‘Ž‹…›ǡ•—’‡”‹’‘•‡†™‹–Š–”‡†Ž‹‡•’”‘†—…‡††—”‹‰’”‡˜‹‘—• reporting periods.

Relationship

ISO/IEC 27001:2013, A.9.3.1: Use of secret authentication information



35

ISO/IEC 27004:2016(E)

B.17 quality – automated Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘ ƒ••‡•• –Š‡ “—ƒŽ‹–› ‘ˆ –Š‡ ’ƒ••™‘”†• —•‡† „› –Š‡ •‡”• –‘ ƒ……‡•• –Š‡ ‘”‰ƒ‹œƒ–‹‘ǯ• •›•–‡•

Measure

1 Total number of s 2 Total number of uncrackable s

Formula/scoring

1 Ratio of s crackable within 4 hours 2 Trend of the ratio 1 ƒȌ‹˜‹†‡ȏ—„‡”‘ˆ—…”ƒ…ƒ„Ž‡’ƒ••™‘”†•Ȑ„›ȏ‘–ƒŽ—„‡”‘ˆ’ƒ••™‘”†•Ȑ


b) Compare ratio with the previous ratio Target

‘–”‘Ž‘„Œ‡…–‹˜‡‹•ƒ…Š‹‡˜‡†ƒ†‘ƒ…–‹‘”‡“—‹”‡†‹ˆ–Š‡”‡•—Ž–‹‰”ƒ–‹‘‹•ƒ„‘˜‡ ͲǤͻǤ ˆ–Š‡”‡•—Ž–‹‰”ƒ–‹‘‹•„‡–™‡‡ͲǤͺƒ†ͲǤͻ–Š‡…‘–”‘Ž‘„Œ‡…–‹˜‡‹•‘–ƒ…Š‹‡˜‡†ǡ but positive trend indicates improvement. If the resulting ratio is below 0.8 immediate action should be taken.


ͳ—“—‡”›‘‡’Ž‘›‡‡ƒ……‘—–”‡…‘”†• ʹ—’ƒ••™‘”†…”ƒ…‡”‘‡’Ž‘›‡‡•›•–‡ƒ……‘—–”‡…‘”†•—•‹‰Š›„”‹†ƒ––ƒ…

”‡“—‡…›

‘ŽŽ‡…–ǣ‡‡Ž› ƒŽ›•‹•ǣ‡‡Ž› ‡’‘”–ǣ‡‡Ž› ‡ƒ•—”‡‡–”‡˜‹•‹‘ǣ‡˜‹‡™ƒ†—’†ƒ–‡‡˜‡”››‡ƒ” ‡”‹‘†‘ˆ‡ƒ•—”‡‡–ǣ’’Ž‹…ƒ„Ž‡͵›‡ƒ”•

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ›•–‡ƒ†‹‹•–”ƒ–‘” ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‡…—”‹–›•–ƒˆˆ ‡ƒ•—”‡‡–…Ž‹‡–ǣƒƒ‰‡”•”‡•’‘•‹„Ž‡ˆ‘”ƒ ǡ‡…—”‹–›ƒƒ‰‡”

Data source

’Ž‘›‡‡•›•–‡ƒ……‘—–†ƒ–ƒ„ƒ•‡

Reporting format

”‡†Ž‹‡–Šƒ–†‡’‹…–•’ƒ••™‘”†…”ƒ…ƒ„‹Ž‹–›ˆ‘”ƒŽŽ”‡…‘”†•–‡•–‡†•—’‡”‹’‘•‡† with lines produced during previous tests.

Relationship

ISO/IEC 27001:2013, A.9.3.1: Use of secret authentication information

36



ISO/IEC 27004:2016(E)

B.18 Review of access rights Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‡ƒ•—”‡‘Š‘™ƒ›•›•–‡ƒ–‹…—•‡”ƒ……‡••”‹‰Š–•”‡˜‹‡™•ƒ”‡’‡”ˆ‘”‡†‘ …”‹–‹…ƒŽ•›•–‡•

Measure

‡”…‡–ƒ‰‡‘ˆ…”‹–‹…ƒŽ•›•–‡•™Š‡”‡—•‡”ƒ……‡••”‹‰Š–•ƒ”‡’‡”‹‘†‹…ƒŽŽ›”‡˜‹‡™‡†

Formula/scoring

ȏ—„‡”‘ˆ‹ˆ‘”ƒ–‹‘•›•–‡•…Žƒ••‹ϐ‹‡†ƒ•…”‹–‹…ƒŽ™Š‡”‡’‡”‹‘†‹…ƒ……‡••”‹‰Š–• ”‡˜‹‡™•ƒ”‡’‡”ˆ‘”‡†Ȁ‘–ƒŽ—„‡”‘ˆ‹ˆ‘”ƒ–‹‘•›•–‡•…Žƒ••‹ϐ‹‡†ƒ•…”‹–‹…ƒŽȐȗͳͲͲ

Target

”‡‡ǣͻͲǦͳͲͲΨǡ”ƒ‰‡ǣ͹ͲǦͻͲΨǡ‡†δ͹ͲΨ


”‘‘ˆ•‘ˆ”‡˜‹‡™•ȋ‡Ǥ‰Ǥ‡ƒ‹Žǡ–‹…‡–‹–‹…‡–‹‰•›•–‡ǡˆ‘”—Žƒ’”‘‘ϐ‹‰”‡˜‹‡™ completion)

”‡“—‡…›

‘ŽŽ‡…–ǣˆ–‡”ƒ›…Šƒ‰‡••—…Šƒ•’”‘‘–‹‘ǡ†‡‘–‹‘‘”–‡”‹ƒ–‹‘‘ˆ‡’Ž‘›‡–

Responsible parties

Information owner: Risk owner

Report: each semester ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣŠ‹‡ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘ˆϐ‹…‡”


‡ƒ•—”‡‡–…Ž‹‡–ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” Data source

••‡–‹˜‡–‘”›ǡ•›•–‡—•‡†–‘–”ƒ…‹ˆ”‡˜‹‡™•™‡”‡’‡”ˆ‘”‡†ǡ‡Ǥ‰Ǥǡ‹…‡–‹‰•›•–‡

Reporting format


Relationship

ISO/IEC 27001:2013, A.9.2.5: Review of access rights



37

ISO/IEC 27004:2016(E)

B.19 Physical entry controls system evaluation Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘•Š‘™–Š‡‡š‹•–‡…‡ǡ‡š–‡–ƒ†“—ƒŽ‹–›‘ˆ–Š‡•›•–‡—•‡†ˆ‘”ƒ……‡••…‘–”‘Ž

Measure

–”‡‰–Š‘ˆ’Š›•‹…ƒŽ‡–”›…‘–”‘Ž••›•–‡

Formula/scoring

Scale from 0-5 0 There is no access control system 1Š‡”‡‹•ƒƒ……‡•••›•–‡™Š‡”‡PIN codeȋ‘‡ˆƒ…–‘”•›•–‡Ȍ‹•—•‡†ˆ‘” ‡–”›…‘–”‘Ž 2 There is an access control card•›•–‡™Š‡”‡’ƒ••…ƒ”†ȋ‘‡ˆƒ…–‘”•›•–‡Ȍ‹• —•‡†ˆ‘”‡–”›…‘–”‘Ž 3Š‡”‡‹•ƒƒ……‡••…ƒ”†•›•–‡™Š‡”‡ card and PIN code is used for ‡–”›…‘–”‘Ž 4 Previous + log functionality activated


5”‡˜‹‘—•Ϊ …‘†‡‹•”‡’Žƒ…‡†„›biometric authenticationȋϐ‹‰‡”’”‹–ǡ˜‘‹…‡ recognition, retina scan etc.) Target

ƒŽ—‡͵α•ƒ–‹•ˆƒ…–‘”›


Qualitative assessment where each subset grade is a part of the grade above. Control –Š‡–›’‡‘ˆ‡–”›…‘–”‘Ž•›•–‡ƒ†‹•’‡…––Š‡ˆ‘ŽŽ‘™‹‰ƒ•’‡…–•ǣ Ȅ……‡••…‘–”‘Ž…ƒ”†•›•–‡‡š‹•–‡…‡ — PIN code usage Ȅ‘‰ˆ—…–‹‘ƒŽ‹–› — Biometric authentication

”‡“—‡…›

‘ŽŽ‡…–ǣ‡ƒ”Ž› ƒŽ›•‹•ǣ‡ƒ”Ž› ‡’‘”–ǣ‡ƒ”Ž› Measurement revision: 12 months Period of measurement: Applicable 12 months

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ ƒ…‹Ž‹–›ƒƒ‰‡” Information collector: Internal auditor/external auditor Measurement client: Management committee

Data source

†‡–‹–›ƒƒ‰‡‡–”‡…‘”†•

Reporting format

Graphs

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳͳǤͳǤʹǣŠ›•‹…ƒŽ‡–”›…‘–”‘Ž•

38



ISO/IEC 27004:2016(E)

B.20 Physical entry controls effectiveness Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

ͳǤ•—”‡ƒ‡˜‹”‘‡–‘ˆ…‘’”‡Š‡•‹˜‡•‡…—”‹–›ƒ†ƒ……‘—–ƒ„‹Ž‹–›ˆ‘” personnel, facilities, and products ʹǤ –‡‰”ƒ–‡’Š›•‹…ƒŽƒ†‹ˆ‘”ƒ–‹‘•‡…—”‹–›’”‘–‡…–‹‘‡…Šƒ‹••–‘‡•—”‡ appropriate protection of the organization’s information resources

Measure

—„‡”‘ˆ—ƒ—–Š‘”‹œ‡†‡–”›‹–‘ˆƒ…‹Ž‹–‹‡•…‘–ƒ‹‹‰‹ˆ‘”ƒ–‹‘•›•–‡•ȋ•—„•‡– ‘ˆ’Š›•‹…ƒŽ•‡…—”‹–›‹…‹†‡–•Ȍ

Formula/scoring

—””‡–—„‡”‘ˆ’Š›•‹…ƒŽ•‡…—”‹–›‹…‹†‡–•ƒŽŽ‘™‹‰—ƒ—–Š‘”‹œ‡†‡–”›‹–‘ ˆƒ…‹Ž‹–‹‡•…‘–ƒ‹‹‰‹ˆ‘”ƒ–‹‘•›•–‡•Ȁ’”‡˜‹‘—•˜ƒŽ—‡


ȋ‘–‡–Šƒ––Š‡•‡‡ƒ•—”‡•‡‡†–‘–ƒ‡‹–‘ƒ……‘—–‘”‰ƒ‹œƒ–‹‘Ǧ•’‡…‹ϐ‹……‘–‡š– •—…Šƒ•–Š‡–‘–ƒŽ—„‡”‘ˆ’Š›•‹…ƒŽ•‡…—”‹–›‹…‹†‡–•Ȍ Target

Below 1.0


›•–‡ƒ–‹…ƒƒŽ›•‹•‘ˆ’Š›•‹…ƒŽ•‡…—”‹–›‹…‹†‡–”‡’‘”–•ƒ†ƒ……‡••…‘–”‘ŽŽ‘‰•

”‡“—‡…›

—ƒ”–‡”Ž›ˆ‘”†ƒ–ƒ‰ƒ–Š‡”‹‰ƒ†”‡’‘”–‹‰

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣŠ›•‹…ƒŽ•‡…—”‹–›‘ˆϐ‹…‡” ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‘’—–‡”•‡…—”‹–›‹…‹†‡–”‡•’‘•‡–‡ƒȋ Ȍ ˆ‘”ƒ–‹‘…—•–‘‡”ǣŠ‹‡ˆ‹ˆ‘”ƒ–‹‘‘ˆϐ‹…‡”ǡŠ‹‡ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘ˆϐ‹…‡”

Data source

Š›•‹…ƒŽ•‡…—”‹–›‹…‹†‡–”‡’‘”–• Š›•‹…ƒŽƒ……‡••…‘–”‘ŽŽ‘‰•

Reporting format

Ž‘–•Š‘™‹‰–”‡†‘ˆ—ƒ—–Š‘”‹œ‡†‡–”›‹–‘ˆƒ…‹Ž‹–‹‡•…‘–ƒ‹‹‰‹ˆ‘”ƒ–‹‘ •›•–‡•ˆ‘”–Š‡‘•–”‡…‡–•ƒ’Ž‹‰’‡”‹‘†•

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳͳǤͳǤʹǣŠ›•‹…ƒŽ‡–”›…‘–”‘Ž•

Action

‡˜‹‡™ƒ†‹’”‘˜‡’Š›•‹…ƒŽ•‡…—”‹–›…‘–”‘Ž•ƒ’’Ž‹‡†–‘‹ˆ‘”ƒ–‹‘•›•–‡•Ǥ



39

ISO/IEC 27004:2016(E)

B.21 Management of periodic maintenance Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

To evaluate timeliness of maintenance activities in relation to schedule

Measure

ƒ‹–‡ƒ…‡†‡Žƒ›’‡”…‘’Ž‡–‡†ƒ‹–‡ƒ…‡‡˜‡–

Formula/scoring

For each completed event, subtract [Date of actual maintenance] from [Date of scheduled maintenance] ͳǤ”‰ƒ‹œƒ–‹‘Ǧ•’‡…‹ϐ‹…ǡˆ‘”‡šƒ’Ž‡ǡ‹ˆƒ˜‡”ƒ‰‡†‡Žƒ›‹•…‘•‹•–‡–Ž›•Š‘™‹‰ƒ– ‘˜‡”͵†ƒ›•ǡ–Š‡…ƒ—•‡•‡‡†–‘„‡‡šƒ‹‡†

Target

2. Ratio of completed maintenance events should be greater than 0.9 3. Trend should be stable or close to 0 4. Trend should be stable or upwards 1 Dates of scheduled maintenance


2 Dates of completed maintenance 3 Total number of planned maintenance events


4 Total number of completed maintenance events ”‡“—‡…›

‘ŽŽ‡…–ǣ“—ƒ”–‡”Ž› ‡’‘”–ǣƒ—ƒŽŽ› ˆ‘”ƒ–‹‘‘™‡”ǣ›•–‡ƒ†‹‹•–”ƒ–‘”

Responsible Parties

ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‡…—”‹–›•–ƒˆˆ ‡ƒ•—”‡‡–…Ž‹‡–ǣ‡…—”‹–›ƒƒ‰‡”ǡ ƒƒ‰‡”

Data source

Format

ͳŽƒȀ•…Š‡†—Ž‡‘ˆ•›•–‡ƒ‹–‡ƒ…‡• ʹ‡…‘”†•‘ˆ•›•–‡ƒ‹–‡ƒ…‡• ‹‡…Šƒ”––Šƒ–†‡’‹…–•–Š‡ƒ˜‡”ƒ‰‡†‡˜‹ƒ–‹‘‘ˆƒ‹–‡ƒ…‡†‡Žƒ›ǡ•—’‡”‹’‘•‡† ™‹–ŠŽ‹‡•’”‘†—…‡††—”‹‰’”‡˜‹‘—•”‡’‘”–‹‰’‡”‹‘†•ƒ†–Š‡—„‡”•‘ˆ•›•–‡• within the scope ‡š’Žƒƒ–‹‘‘ˆϐ‹†‹‰•ƒ†”‡…‘‡†ƒ–‹‘ˆ‘”’‘–‡–‹ƒŽƒƒ‰‡‡–ƒ…–‹‘

Relationship

40

ISO/IEC 27001:2013, A.11.2.4: Equipment maintenance



ISO/IEC 27004:2016(E)

B.22 Change management Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

˜ƒŽ—ƒ–‡™Š‡–Š‡”…Šƒ‰‡ƒƒ‰‡‡–„‡•–’”ƒ…–‹…‡ƒ•™‡ŽŽŠƒ”†‡‹‰’‘Ž‹…›ƒ”‡ respected

Measure

‡”…‡–ƒ‰‡‘ˆ‡™‹•–ƒŽŽ‡†•›•–‡•–Šƒ–™‡”‡”‡•’‡…–‡†…Šƒ‰‡ƒƒ‰‡‡–„‡•– ’”ƒ…–‹…‡ƒ†Šƒ”†‡‹‰’‘Ž‹…›

Formula/scoring

—„‡”‘ˆ‡™Ž›‹•–ƒŽŽ‡†ƒ’’Ž‹…ƒ–‹‘•‘”•›•–‡•™Š‡”‡‡˜‹†‡…‡•‘ˆ”‡•’‡…–‹‰ –Š‡…Šƒ‰‡ƒƒ‰‡‡–„‡•–’”ƒ…–‹…‡•ƒ”‡ƒ˜ƒ‹Žƒ„Ž‡Ȁ—„‡”‘ˆ‡™Ž›‹•–ƒŽŽ‡† applications

Target

ŽŽ•›•–‡•—•–ˆ‘ŽŽ‘™–Š‡…Šƒ‰‡ƒƒ‰‡‡–‰—‹†‡Ž‹‡•


‹…‡–‹‰•›•–‡ǡ‡Ǧƒ‹Ž•ǡ”‡’‘”–•ǡ…Š‡…Ž‹•–—•‡†ˆ‘”…‘ϐ‹‰—”ƒ–‹‘

”‡“—‡…›

‘ŽŽ‡…–ǣ˜‡”›•‡‡•–‡” ‡’‘”–ǣ‡ƒ”Ž›–‘ƒƒ‰‡‡–ǡ‡ƒ…Š•‡‡•–‡”–‘ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡”

Responsible parties

Information owner: Risk owner Information collector: Risk owner


‡ƒ•—”‡‡–…Ž‹‡–ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” Data source

‹…‡–‹‰•›•–‡ǡ‡Ǧƒ‹Ž•ǡ”‡’‘”–•ǡ…Š‡…Ž‹•–—•‡†ˆ‘”…‘ϐ‹‰—”ƒ–‹‘ǡ…‘ϐ‹‰—”ƒ–‹‘ review tool report

Reporting format


Relationship

ISO/IEC 27001:2013, A.12.1.2: Change management



41

ISO/IEC 27004:2016(E)

B.23 Protection against malicious code Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘ƒ••‡••–Š‡‡ˆˆ‡…–‹˜‡‡••‘ˆ–Š‡’”‘–‡…–‹‘•›•–‡ƒ‰ƒ‹•–ƒŽ‹…‹‘—••‘ˆ–™ƒ”‡ƒ––ƒ…•

Measure

Trend of detected attacks that were not blocked over multiple reporting periods

Formula/scoring

—„‡”‘ˆ•‡…—”‹–›‹…‹†‡–•…ƒ—•‡†„›ƒŽ‹…‹‘—••‘ˆ–™ƒ”‡Ȁ—„‡”‘ˆ†‡–‡…–‡† ƒ†„Ž‘…‡†ƒ––ƒ…•…ƒ—•‡†„›ƒŽ‹…‹‘—••‘ˆ–™ƒ”‡

Target

”‡†Ž‹‡•Š‘—Ž†”‡ƒ‹—†‡”•’‡…‹ϐ‹‡†”‡ˆ‡”‡…‡ǡ”‡•—Ž–‹‰‹ƒ†‘™™ƒ”†‘” constant trend


ͳ ‘—– —„‡” ‘ˆ •‡…—”‹–› ‹…‹†‡–• …ƒ—•‡† „› ƒŽ‹…‹‘—• •‘ˆ–™ƒ”‡ ‹ –Š‡ incident reports 2 Count number of records of blocked attacks

”‡“—‡…›

‘ŽŽ‡…–ǣƒ‹Ž› ƒŽ›•‹•ǣ‘–ŠŽ› ‡’‘”–ǣ‘–ŠŽ›


‡ƒ•—”‡‡–‡˜‹•‹‘ǣ‡˜‹‡™ƒ—ƒŽŽ› ‡”‹‘†‘ˆ‡ƒ•—”‡‡–ǣ’’Ž‹…ƒ„Ž‡ͳ›‡ƒ” Responsible parties

Information owner Information collector Measurement client

Data source

1 Incident reports 2 Logs of countermeasure software for malicious software

Reporting format

Trend line that depicts ratio of malicious software detection and prevention with lines produced during previous reporting periods

Relationship

ISO/IEC 27001:2013, A.12.2.1: Controls against malware

”‰ƒ‹œƒ–‹‘• ƒ†‘’–‹‰ –Š‹• ‡ƒ•—”‡ •Š‘—Ž† …‘•‹†‡” –Š‡ ˆ‘ŽŽ‘™‹‰ ‹••—‡• –Šƒ– ƒ› Ž‡ƒ† –‘ ƒ ‹…‘””‡…–ƒƒŽ›•‹•‘ˆ•—…Š‡ƒ•—”‡ǣ

Ȅǲ—„‡”‘ˆ†‡–‡…–‡†ƒ†„Ž‘…‡†ƒ––ƒ…•…ƒ—•‡†„›ƒŽ‹…‹‘—••‘ˆ–™ƒ”‡ǳ…ƒ„‡˜‡”›Š‹‰ŠǢ–Š—• •—…Š‡ƒ•—”‡…ƒ”‡•—Ž–‹˜‡”›•ƒŽŽ”ƒ–‹‘•Ǣ Ȅ ‹ˆ ‹ ‘‡ ’‡”‹‘† –Š‡”‡ ‹• ƒ ‹…”‡ƒ•‡ ‘ˆ •’”‡ƒ†‹‰ ‘ˆ ƒ •’‡…‹ϐ‹… ˜‹”—•ǡ ƒ ‘”‰ƒ‹œƒ–‹‘ ƒ› ‡š’‡”‹‡…‡ƒ‹…”‡ƒ•‡‘ˆƒŽ™ƒ”‡ƒ––ƒ…•ƒ†‹…‹†‡–•Ǣ‹–Š‹•…ƒ•‡–Š‡”ƒ–‹‘”‡ƒ‹•–Š‡•ƒ‡ǡ even if the increase of incidents can raise concern.

42



ISO/IEC 27004:2016(E)

B.24 Anti-malware Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

—„‡”‘ˆƒŽ™ƒ”‡ƒˆˆ‡…–‡†•›•–‡•™Š‹…Š†‘‘–Šƒ˜‡ƒ—’†ƒ–‡†ƒ–‹ǦƒŽ™ƒ”‡ solution

Measure

‡”…‡–ƒ‰‡‘ˆƒŽ™ƒ”‡ƒˆˆ‡…–‡†•›•–‡•…‘‡…–‡†–‘–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‡–™‘” with obsolete (e.g. more than one week) antimalware signatures

Formula/scoring

(Number of obsolete antivirus) / (Total workstation)

Target

Ͳ‘”ƒ•ƒŽŽ˜ƒŽ—‡†‡…‹†‡†„›–Š‡‘”‰ƒ‹œƒ–‹‘


‘‹–‘”‹‰‘ˆƒ–‹˜‹”—•ƒ…–‹˜‹–‹‡•‹‡ƒ…ŠƒŽ™ƒ”‡ƒˆˆ‡…–‡†•›•–‡

”‡“—‡…›

ƒ‹Ž›

Responsible parties

Information owner: IT operations Information collector: IT operations ˆ‘”ƒ–‹‘…—•–‘‡”ǣŠ‹‡ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘ˆϐ‹…‡”

Data source

Monitoring tools


Antimalware console Reporting format

—„‡”•’‡”•›•–‡…Žƒ••‡•ȋ™‘”•–ƒ–‹‘•ǡ•‡”˜‡”•ǡ‘Ȁ•Ȍ

Relationship

ISO/IEC 27001:2013, A.12.2.1: Controls against malware



43

ISO/IEC 27004:2016(E)

B.25 Total availability Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

˜ƒ‹Žƒ„‹Ž‹–›‘ˆ •‡”˜‹…‡•ˆ‘”‡ƒ…Š•‡”˜‹…‡ǡ…‘’ƒ”‡†™‹–Š–Š‡†‡ϐ‹‡†ƒš‹— downtime

Measure

‘”‡ƒ…Š •‡”˜‹…‡–Š‡‡†Ǧ–‘Ǧ‡†ƒ˜ƒ‹Žƒ„‹Ž‹–›‹•…‘’ƒ”‡†™‹–Š–Š‡ƒš‹— ƒ˜ƒ‹Žƒ„‹Ž‹–›ȋ‹Ǥ‡Ǥǡ‡š…Ž—†‹‰–Š‡’”‡˜‹‘—•Ž›†‡ϐ‹‡††‘™–‹‡™‹†‘™•Ȍ

Formula/scoring

ȋ‘–ƒŽƒ˜ƒ‹Žƒ„‹Ž‹–›ȌȀȋƒš‹—ƒ˜ƒ‹Žƒ„‹Ž‹–›‡š…Ž—†‹‰†‘™–‹‡™‹†‘™•Ȍ

Target

‡”˜‹…‡ƒ˜ƒ‹Žƒ„‹Ž‹–›–ƒ”‰‡–


‘‹–‘”‹‰‘ˆ‡†Ǧ–‘Ǧ‡†ƒ˜ƒ‹Žƒ„‹Ž‹–›‘ˆ‡ƒ…Š •‡”˜‹…‡

”‡“—‡…›

‘–ŠŽ›

Responsible parties

Information owner: IT operations ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ “—ƒŽ‹–›


ˆ‘”ƒ–‹‘…—•–‘‡”ǣŠ‹‡ˆ‹ˆ‘”ƒ–‹‘‘ˆϐ‹…‡” Data source

Monitoring tools

Reporting format

For each service, two lines:

Relationship

44

ͳǤ

Ž‹‡Ž‹‹‰–Š‡ƒ…–—ƒŽƒ˜ƒ‹Žƒ„‹Ž‹–›ȋ’‡”…‡–ƒ‰‡Ȍ‘ˆ‡ƒ…Š•ƒ’Ž‡†’‡”‹‘†

ʹǤ

Ž‹‡ȋˆ‘”…‘’ƒ”‹•‘’—”’‘•‡•Ȍ•Š‘™‹‰–Š‡ƒ˜ƒ‹Žƒ„‹Ž‹–›–ƒ”‰‡–

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳ͹ǤʹǤͳǣ˜ƒ‹Žƒ„‹Ž‹–›‘ˆ‹ˆ‘”ƒ–‹‘’”‘…‡••‹‰ˆƒ…‹Ž‹–‹‡•



ISO/IEC 27004:2016(E)

B.26 Firewall rules Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

˜ƒŽ—ƒ–‡…—””‡–ϐ‹”‡™ƒŽŽ’‡”ˆ‘”ƒ…‡

Measure

—•‡†ϐ‹”‡™ƒŽŽ”—Ž‡•‘„‘”†‡”ϐ‹”‡™ƒŽŽ•

Formula/scoring

‘—–‘ˆ„‘”†‡”ϐ‹”‡™ƒŽŽ”—Ž‡•™Š‹…ŠŠƒ˜‡„‡‡—•‡†Ͳ–‹‡•‹–Š‡Žƒ•–•ƒ’Ž‹‰’‡”‹‘†

Target

0


‡…‘”†•‘ˆ—•ƒ‰‡…‘—–‡”•‘‡ƒ…Šϐ‹”‡™ƒŽŽ”—Ž‡•

”‡“—‡…›

‹Ǧƒ—ƒŽ‘”›‡ƒ”Ž›

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‡–™‘”ƒƒ‰‡”Ȁ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‡–™‘”ƒƒŽ›•–Ȁ•‡…—”‹–›ƒƒŽ›•–


ˆ‘”ƒ–‹‘…—•–‘‡”ǣ‡–™‘”ƒƒ‰‡”Ȁ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡” Data source

‹”‡™ƒŽŽƒƒ‰‡‡–…‘•‘Ž‡ǡϐ‹”‡™ƒŽŽ”‡˜‹‡™”‡’‘”–

Reporting format

‘—–‘”Ž‹•–‘ˆ——•‡†ϐ‹”‡™ƒŽŽ”—Ž‡•–‘„‡ƒ”‡†ˆ‘””‡˜‹‡™ƒ†’‘••‹„Ž‡†‡Ž‡–‹‘

Relationship

ISO/IEC 27001:2013, A.13.1.3: Segregation in networks



45

ISO/IEC 27004:2016(E)

Ǥʹ͹‘‰ϐ‹Ž‡•”‡˜‹‡™ Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘ƒ••‡••–Š‡•–ƒ–—•‘ˆ…‘’Ž‹ƒ…‡‘ˆ–Š‡”‡‰—Žƒ””‡˜‹‡™‘ˆ…”‹–‹…ƒŽ•›•–‡Ž‘‰ϐ‹Ž‡•

Measure

‡”…‡–ƒ‰‡‘ˆƒ—†‹–Ž‘‰ϐ‹Ž‡•”‡˜‹‡™‡†™Š‡”‡“—‹”‡†’‡”–‹‡’‡”‹‘†

Formula/scoring

ȏ͓‘ˆŽ‘‰ϐ‹Ž‡•”‡˜‹‡™‡†™‹–Š‹•’‡…‹ϐ‹‡†–‹‡’‡”‹‘†Ȁ–‘–ƒŽ͓‘ˆŽ‘‰ϐ‹Ž‡•ȐȗͳͲͲ

Target

‡•—Ž–„‡Ž‘™ʹͲΨ•Š‘—Ž†„‡‡šƒ‹‡†ˆ‘”…ƒ—•‡•‘ˆ—†‡”’‡”ˆ‘”ƒ…‡


††—’–‘–ƒŽ—„‡”‘ˆŽ‘‰ϐ‹Ž‡•Ž‹•–‡†‹–Š‡”‡˜‹‡™Ž‘‰Ž‹•–

”‡“—‡…›

‘ŽŽ‡…–ǣ‘–ŠŽ›ȋ†‡’‡†‹‰‘–Š‡…”‹–‹…ƒŽ‹–›ǡ‹–…‘—Ž†‰‘–‘†ƒ‹Ž›‘””‡ƒŽǦ–‹‡Ȍ ƒŽ›•‹•ǣ‘–ŠŽ›ȋ†‡’‡†‹‰‘–Š‡…”‹–‹…ƒŽ‹–›ǡ‹–…‘—Ž†‰‘–‘†ƒ‹Ž›‘””‡ƒŽǦ–‹‡Ȍ ‡’‘”–ǣ—ƒ”–‡”Ž› ‡ƒ•—”‡‡–‡˜‹•‹‘ǣ‡˜‹‡™ƒ†—’†ƒ–‡‡˜‡”›ʹ›‡ƒ”• ‡”‹‘†‘ˆ‡ƒ•—”‡‡–ǣ’’Ž‹…ƒ„Ž‡ʹ›‡ƒ”•

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‡…—”‹–›ƒƒ‰‡”


ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‡…—”‹–›•–ƒˆˆ ‡ƒ•—”‡‡–…Ž‹‡–ǣƒƒ‰‡”•”‡•’‘•‹„Ž‡ˆ‘”ƒ ǡ‡…—”‹–›ƒƒ‰‡” Data source

›•–‡Ǣ‹†‹˜‹†—ƒŽŽ‘‰ϐ‹Ž‡•Ǣ‡˜‹†‡…‡‘ˆ–Š‡Ž‘‰”‡˜‹‡™

Reporting format

‹‡…Šƒ”––Šƒ–†‡’‹…–•–Š‡–”‡†™‹–Šƒ•—ƒ”›‘ˆϐ‹†‹‰•ƒ†ƒ›•—‰‰‡•–‡† management actions

Relationship

ISO/IEC 27001:2013, A.12.4.1: Event logging

46



ISO/IEC 27004:2016(E)

Ǥʹͺ‡˜‹…‡…‘ϐ‹‰—”ƒ–‹‘ Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

ƒŽ‹†ƒ–‡–Šƒ–‘—”†‡˜‹…‡•ƒ”‡…‘–‹—ƒŽŽ›•‡…—”‡Ž›…‘ϐ‹‰—”‡†ƒ……‘”†‹‰–‘’‘Ž‹…›

Measure

‡”…‡–ƒ‰‡‘ˆ†‡˜‹…‡•ȋ„›–›’‡Ȍ…‘ϐ‹‰—”‡†ƒ……‘”†‹‰–‘’‘Ž‹…›

Formula/scoring

ȏ—„‡”‘ˆ†‡˜‹…‡•…‘ϐ‹‰—”‡†…‘””‡…–Ž›Ȁ–‘–ƒŽ͓†‡˜‹…‡•ȐȗͳͲͲ ȋ–‘–ƒŽ—„‡”‘ˆ†‡˜‹…‡•‹•‘”‰ƒ‹œƒ–‹‘Ǧ•’‡…‹ϐ‹…ƒ†ƒ›‹…Ž—†‡ƒ›ƒ†ƒŽŽ‘ˆ –Š‡ˆ‘ŽŽ‘™‹‰ǣ†‡˜‹…‡•”‡‰‹•–‡”‡†‹…‘ϐ‹‰—”ƒ–‹‘ƒƒ‰‡‡–†ƒ–ƒ„ƒ•‡ǡ†‡˜‹…‡• ˆ‘—†„—–‘–”‡‰‹•–‡”‡†‹…‘ϐ‹‰—”ƒ–‹‘ƒƒ‰‡‡–†ƒ–ƒ„ƒ•‡ǡ†‡˜‹…‡•”—‹‰ ƒ•’‡…‹ϐ‹…‘’‡”ƒ–‹‰•›•–‡Ȁ˜‡”•‹‘ǡ‘„‹Ž‡†‡˜‹…‡•ǡ‡–…ǤȌ

Target

ͳͲͲΨ


ƒ•‡†‘ƒ—–‘ƒ–‡†•…ƒ‹‰ǣƒ—–Š‘”‹–ƒ–‹˜‡†‡˜‹…‡‹˜‡–‘”›Ǣƒ—–Š‘”‹–ƒ–‹˜‡ •‘ˆ–™ƒ”‡‹˜‡–‘”›Ǣ…‘ϐ‹‰—”ƒ–‹‘•…ƒ‹‰”‡•—Ž–•

”‡“—‡…›

…ƒ‡˜‡”›͵†ƒ›•Ǣ”‡’‘”–‹‡†‹ƒ–‡Ž›

Responsible Parties

Information owner: Network management Information collector: Network management


ˆ‘”ƒ–‹‘…—•–‘‡”ǣŠ‹‡ˆ‹ˆ‘”ƒ–‹‘‘ˆϐ‹…‡” Data source

‘ϐ‹‰—”ƒ–‹‘…‘–”‘Ž„‘ƒ”†Ǣ‹˜‡–‘”›†ƒ–ƒ„ƒ•‡Ǣ•…ƒ‹‰–‘‘Ž•

Reporting format

‹‡…Šƒ”–ˆ‘”–”‡†•ǡ˜—Ž‡”ƒ„Ž‡Š‘•–•„›ƒ‡

Action

‹•…‘‡…–—ƒ’’”‘˜‡††‡˜‹…‡•ˆ”‘–Š‡‡–™‘”Ǣ’ƒ–…Š‘Ǧ…‘’Ž‹ƒ–†‡˜‹…‡•Ǣ ”‡˜‹‡™ƒ†”‡˜‹•‡ƒ•‡…‡••ƒ”›…‘ϐ‹‰—”ƒ–‹‘ƒƒ‰‡‡–‰—‹†‡Ž‹‡•Ǣ‡–…Ǥ

Relationship

ISO/IEC 27001:2013, A.12.16.1: Management of technical vulnerabilities



47

ISO/IEC 27004:2016(E)

B.29 Pentest and vulnerability assessment Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘‡˜ƒŽ—ƒ–‡™Š‡–Š‡”‹ˆ‘”ƒ–‹‘•›•–‡•Šƒ†Ž‹‰•‡•‹–‹˜‡†ƒ–ƒȋ…‘ϐ‹†‡–‹ƒŽ‹–›ǡ ‹–‡‰”‹–›Ȍƒ”‡˜—Ž‡”ƒ„Ž‡–‘ƒŽ‹…‹‘—•ƒ––ƒ…•

Measure

‡”…‡–ƒ‰‡‘ˆ…”‹–‹…ƒŽ‹ˆ‘”ƒ–‹‘•›•–‡•™Š‡”‡ƒ’‡‡–”ƒ–‹‘–‡•–‘”˜—Ž‡”ƒ„‹Ž‹–› ƒ••‡••‡–Šƒ•„‡‡‡š‡…—–‡†•‹…‡–Š‡‹”Žƒ•–ƒŒ‘””‡Ž‡ƒ•‡

Formula/scoring

ȏ—„‡”‘ˆ‹ˆ‘”ƒ–‹‘•›•–‡•“—ƒ–‹ϐ‹‡†ƒ•…”‹–‹…ƒŽƒ†™Š‡”‡ƒ’‡‡–”ƒ–‹‘ –‡•–‘”˜—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡–Šƒ•„‡‡†‘‡•‹…‡–Š‡‹”Žƒ•–ƒŒ‘””‡Ž‡ƒ•‡Ȁ —„‡”‘ˆ‹ˆ‘”ƒ–‹‘•›•–‡•“—ƒ–‹ϐ‹‡†ƒ•…”‹–‹…ƒŽȐȗͳͲͲǡ‡Ǥ‰Ǥ ”‡‡ǣͳͲͲΨǡ ”ƒ‰‡εα͹ͷΨǡ‡†δ͹ͷΨ

Target

Orange (Green would be too perfect)


‡’‘”–• ‘ˆ ’‡‡–”ƒ–‹‘ –‡•–• ‘” ˜—Ž‡”ƒ„‹Ž‹–› ƒ••‡••‡–• ’‡”ˆ‘”‡† ‘ ‹ˆ‘”ƒ–‹‘•›•–‡•…‘’ƒ”‡†–‘—„‡”‘ˆ‹ˆ‘”ƒ–‹‘•›•–‡•…Žƒ••‹ϐ‹‡†ƒ• …”‹–‹…ƒŽ‹–Š‡ƒ••‡–‹˜‡–‘”›

”‡“—‡…›

‘ŽŽ‡…–ǣ›‡ƒ”Ž› Report: for each collection


Responsible parties

Information owner: Risk owner Information collector: Experts with the know-how to conduct penetration tests or ‡š‡…—–‡˜—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡–• ‡ƒ•—”‡‡–…Ž‹‡–ǣŠ‹‡ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘ˆϐ‹…‡”

Data source

••‡–‹˜‡–‘”›ǡ’‡‡–”ƒ–‹‘–‡•–”‡’‘”–•

Reporting format


Relationship

ISO/IEC 27001:2013, A.12.6.1: Management of technical vulnerabilities ISO/IEC 27001:2013, A.18.2.3: Technical compliance review

48



ISO/IEC 27004:2016(E)

B.30 Vulnerability landscape Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

˜ƒŽ—ƒ–‡–Š‡˜—Ž‡”ƒ„‹Ž‹–›Ž‡˜‡Ž‘ˆ–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•‹ˆ‘”ƒ–‹‘•›•–‡•

Measure

Weight of open (unpatched) vulnerabilities

Formula/scoring

’‡˜—Ž‡”ƒ„‹Ž‹–›•‡˜‡”‹–›˜ƒŽ—‡ȋ‡Ǥ‰ǤȌȗ—„‡”‘ˆƒˆˆ‡…–‡†•›•–‡•

Target

‘„‡†‡ϐ‹‡†ƒ……‘”†‹‰Ž›–‘–Š‡‘”‰ƒ‹œƒ–‹‘ǯ•”‹•ƒ’’‡–‹–‡


ƒŽ›•‹•‘˜—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡–ƒ…–‹˜‹–‹‡•

”‡“—‡…›

‘–ŠŽ›‘”“—ƒ”–‡”Ž›

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒŽ›•–•‘”…‘–”ƒ…–‡†–Š‹”†’ƒ”–‹‡• ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒŽ›•–• ˆ‘”ƒ–‹‘…—•–‘‡”ǣ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡”

Data source

—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡–”‡’‘”–•


—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡––‘‘Ž• Reporting format

‰‰”‡‰ƒ–‡†•…‘”‡˜ƒŽ—‡•ˆ‘”Š‘‘‰‡‡‘—•‘”•‡•‹–‹˜‡•›•–‡•ȋ‡š–‡”ƒŽȀ‹–‡”ƒŽ ‡–™‘”•ǡ‹š•›•–‡•ǡ‡–…ǤȌ

Relationship

ISO/IEC 27001:2013, A.12.6.1: Management of technical vulnerabilities



49

ISO/IEC 27004:2016(E)

B.31 Security in third party agreements – A Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘‡˜ƒŽ—ƒ–‡–Š‡†‡‰”‡‡–‘™Š‹…Š•‡…—”‹–›‹•ƒ††”‡••‡†‹–Š‹”†’ƒ”–›ƒ‰”‡‡‡–•

Measure

˜‡”ƒ‰‡’‡”…‡–‘ˆ”‡Ž‡˜ƒ–•‡…—”‹–›”‡“—‹”‡‡–•ƒ††”‡••‡†‹–Š‹”†’ƒ”–› agreements

Formula/scoring

[Sum of (for each agreement (number of required requirements - number of ƒ††”‡••‡†”‡“—‹”‡‡–•ȌȌȀ—„‡”‘ˆƒ‰”‡‡‡–•ȐȗͳͲͲ

Target

ͳͲͲΨ


Supplier database, supplier agreement records

”‡“—‡…›

‘ŽŽ‡…–ǣ“—ƒ”–‡”Ž› ‡’‘”–ǣ•‡‹Ǧƒ—ƒŽŽ› ˆ‘”ƒ–‹‘‘™‡”ǣ‘–”ƒ…–‘ˆϐ‹…‡

Responsible Parties

ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‡…—”‹–›•–ƒˆˆ


‡ƒ•—”‡‡–…Ž‹‡–ǣ‡…—”‹–›ƒƒ‰‡”ǡ—•‹‡••ƒƒ‰‡”• Data source

Supplier database, supplier agreement records

Format

‹‡…Šƒ”–†‡’‹…–‹‰ƒ–”‡†‘˜‡”—Ž–‹’Ž‡”‡’‘”–‹‰’‡”‹‘†•Ǣ•Š‘”–•—ƒ”›‘ˆ ϐ‹†‹‰•ƒ†’‘••‹„Ž‡ƒƒ‰‡‡–ƒ…–‹‘•

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳͷǤͳǤʹǣ††”‡••‹‰•‡…—”‹–›™‹–Š‹•—’’Ž‹‡”ƒ‰”‡‡‡–•

Š‹•ƒ••—‡•–Šƒ–ƒŽŽ•‡…—”‹–›”‡“—‹”‡‡–•ƒ”‡‡“—ƒŽǡ™Š‡”‡ƒ•‹’”ƒ…–‹…‡–Š‹•‹•‘–—•—ƒŽŽ›–Š‡…ƒ•‡Ǥ ƒ˜‡”ƒ‰‡…ƒ–Š‡”‡ˆ‘”‡Š‹†‡•‹‰‹ϐ‹…ƒ–˜ƒ”‹ƒ–‹‘•ƒ†–Š‡”‡„›’”‡•‡–ƒˆƒŽ•‡•‡•‡‘ˆ•‡…—”‹–›Ǥ‹‡™‹•‡ǡ–Š‡ ”‡“—‹”‡‡–•–Šƒ–ƒ‘”‰ƒ‹œƒ–‹‘’Žƒ…‡•‘‹–••—’’Ž‹‡”•ǡƒ†‹–••—’’Ž‹‡”•ǯƒ„‹Ž‹–›–‘‡‡––Š‡ǡƒ”‡Ž‹‡Ž›–‘ †‹ˆˆ‡”Ǥ Š‹• ‹’Ž‹‡• –Šƒ– •—’’Ž‹‡”• •Š‘—Ž† ‘– ƒŽŽ „‡ ‡ƒ•—”‡† ‹ –Š‡ •ƒ‡ ™ƒ›Ǥ Š‡ •—’’Ž‹‡” †ƒ–ƒ„ƒ•‡ •Š‘—Ž† ‹†‡ƒŽŽ›‹…Ž—†‡ƒ•‡…—”‹–›”ƒ–‹‰‘”…ƒ–‡‰‘”›–‘‡•—”‡‘”‡ƒ……—”ƒ–‡ƒ†‡ƒ‹‰ˆ—Ž‡ƒ•—”‡‡–Ǥ

50



ISO/IEC 27004:2016(E)

B.32 Security in third party agreements – B Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘‡˜ƒŽ—ƒ–‡–Š‡†‡‰”‡‡–‘™Š‹…Š•‡…—”‹–›‹•ƒ††”‡••‡†‹–Š‹”†’ƒ”–›ƒ‰”‡‡‡–• of personal information processing

Measure

˜‡”ƒ‰‡’‡”…‡–‘ˆ”‡Ž‡˜ƒ–•‡…—”‹–›”‡“—‹”‡‡–•ƒ††”‡••‡†‹–Š‹”†’ƒ”–›ƒ‰”‡‡‡–•

Formula/scoring

†‡–‹ˆ›—„‡”‘ˆ•‡…—”‹–›”‡“—‹”‡‡–•–Šƒ–Šƒ˜‡–‘„‡ƒ††”‡••‡†‹‡ƒ…Šƒ‰”‡‡‡– ’‡”’‘Ž‹…›ȋƒ˜ƒ‹Žƒ„‹Ž‹–›ǡ”ƒ–‹‘ǡ”‡•’‘•‡–‹‡ǡŠ‡Ž’†‡•Ž‡˜‡Žǡƒ‹–‡ƒ…‡Ž‡˜‡Ž‡–…ǤȌ Sum of (for each agreement (number of required requirements - number of addressed requirements))/number of agreements 1 Average ratio of difference of standard requirements to addressed requirements: —‘ˆȋˆ‘”‡ƒ…Šƒ‰”‡‡‡–ȋȏ‡…—”‹–›”‡“—‹”‡‡–•ƒ††”‡••‡†–‘–ƒŽȐȂȏ–ƒ†ƒ”† •‡…—”‹–›”‡“—‹”‡‡–•–‘–ƒŽǤȐȌȌȀȏ—„‡”‘ˆ–Š‹”†’ƒ”–›ƒ‰”‡‡‡–•Ȑ 2 Trend of the ratio: Compare with previous indicator 1

Target

1 Indicator 1 should be greater than 0.9


2 Indicator 2 should be stable or upward Implementation evidence

†‡–‹ˆ›—„‡”‘ˆ•‡…—”‹–›”‡“—‹”‡‡–•–Šƒ–Šƒ˜‡–‘„‡ƒ††”‡••‡†‹‡ƒ…Š ƒ‰”‡‡‡–’‡”’‘Ž‹…›

”‡“—‡…›

‘ŽŽ‡…–ǣ‘–ŠŽ› ƒŽ›•‹•ǣ—ƒ”–‡”Ž› ‡’‘”–ǣ—ƒ”–‡”Ž› ‡ƒ•—”‡‡–”‡˜‹•‹‘ǣʹ›‡ƒ”• ‡”‹‘†‘ˆ‡ƒ•—”‡‡–ǣ’’Ž‹…ƒ„Ž‡ʹ›‡ƒ”•

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‘–”ƒ…–‘ˆϐ‹…‡ ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‡…—”‹–›•–ƒˆˆ ‡ƒ•—”‡‡–…Ž‹‡–ǣƒƒ‰‡”•”‡•’‘•‹„Ž‡ˆ‘”ƒ ǡ‡…—”‹–›ƒƒ‰‡”

Data source

Š‹”†’ƒ”–›ƒ‰”‡‡‡–•

Reporting format

‹‡…Šƒ”–†‡’‹…–‹‰ƒ–”‡†‘˜‡”—Ž–‹’Ž‡”‡’‘”–‹‰’‡”‹‘†•ǤŠ‘”–•—ƒ”›‘ˆ ϐ‹†‹‰•ƒ†’‘••‹„Ž‡ƒƒ‰‡‡–ƒ…–‹‘•Ǥ

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳͷǤͳǤʹǣ††”‡••‹‰•‡…—”‹–›™‹–Š‹•—’’Ž‹‡”ƒ‰”‡‡‡–•



51

ISO/IEC 27004:2016(E)

B.33 Information security incident management effectiveness Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

••‡••–Š‡‡ˆˆ‡…–‹˜‡‡••‘ˆ ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–ƒƒ‰‡‡–

Measure

Incidents not resolved in target timeframe

Formula/scoring

ƒȌ‡ϐ‹‡•‡…—”‹–›‹…‹†‡–…ƒ–‡‰‘”‹‡•ƒ†–ƒ”‰‡––‹‡ˆ”ƒ‡•‹™Š‹…Š•‡…—”‹–› ‹…‹†‡–••Š‘—Ž†„‡”‡•‘Ž˜‡†ˆ‘”‡ƒ…Š•‡…—”‹–›‹…‹†‡–…ƒ–‡‰‘”› „Ȍ‡ϐ‹‡‹†‹…ƒ–‘”–Š”‡•Š‘Ž†•ˆ‘”•‡…—”‹–›‹…‹†‡–•‡š…‡‡†‹‰…ƒ–‡‰‘”›‰‹˜‡ target timeframes …Ȍ‘’ƒ”‡–Š‡—„‡”‘ˆ‹…‹†‡–•™Š‹…Š”‡•‘Ž˜‹‰–‹‡‡š…‡‡†•–Š‡…ƒ–‡‰‘”› target time frames and compare their count with the indicator thresholds

Target

…‹†‡–•‡š…‡‡†‹‰…ƒ–‡‰‘”›–ƒ”‰‡––‹‡ˆ”ƒ‡•™‹–Š‹†‡ϐ‹‡†‰”‡‡–Š”‡•Š‘Ž†


ƒ”‰‡–‹†‹…ƒ–‘”•‰‡–”‡’‘”–‡†‘–ŠŽ›

”‡“—‡…›

‘ŽŽ‡…–ǣ‘–ŠŽ› ƒŽ›•‹•ǣ‘–ŠŽ›


‡’‘”–ǣ‘–ŠŽ› Measurement revision: Six months ‡”‹‘†‘ˆ‡ƒ•—”‡‡–ǣ‘–ŠŽ› Responsible parties

Information owner: Managers responsible for an ISMS Information collector: Incident management manager ‡ƒ•—”‡‡–…Ž‹‡–ǣ ƒƒ‰‡‡–…‘‹––‡‡Ǣƒƒ‰‡”•”‡•’‘•‹„Ž‡ˆ‘”ƒ Ǣ‡…—”‹–›ƒƒ‰‡‡–Ǣ …‹†‡–ƒƒ‰‡‡–

Data source

Ǣ‹†‹˜‹†—ƒŽ‹…‹†‡–Ǣ‹…‹†‡–”‡’‘”–Ǣ‹…‹†‡–ƒƒ‰‡‡––‘‘Ž

Reporting format

‘–ŠŽ›–ƒ”‰‡–‹†‹…ƒ–‘”˜ƒŽ—‡•‹–ƒ„Ž‡ƒ†–”‡††‹ƒ‰”ƒˆ‘”ƒ–

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳ͸ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–ƒƒ‰‡‡–

52



ISO/IEC 27004:2016(E)

B.34 Security incidents trend Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

ͳǤ

”‡†‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–•

ʹǤ

”‡†‘ˆ…ƒ–‡‰‘”‹‡•‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–•

ͳǤ

—„‡”‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–•‹ƒ†‡ϐ‹‡†–‹‡ˆ”ƒ‡ȋ‡Ǥ‰Ǥǡ‘–ŠȌ

Measure

ʹǤ —„‡”‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–•‘ˆƒ•’‡…‹ϐ‹……ƒ–‡‰‘”›‹ƒ†‡ϐ‹‡† timeframe (e.g., month) Formula/scoring

Compare average measure value for the last two timeframes with the average measurement value of the last 6 timeframes ‡ϐ‹‡–Š”‡•Š‘Ž†˜ƒŽ—‡•ˆ‘”–”‡†‹†‹…ƒ–‘”•ǡ‡Ǥ‰Ǥǡ δͳǤͲ‡“—ƒŽ• ”‡‡ 1.00 – 1.30 equals Yellow


>1.3 equals Red ͳǤ

‡”ˆ‘”ƒƒŽ›•‹•ˆ‘”ƒŽŽ‹…‹†‡–•

ʹǤ

‡”ˆ‘”ƒƒŽ›•‹•ˆ‘”‡ƒ…Š•’‡…‹ϐ‹……ƒ–‡‰‘”›

Target

Green


†‹…ƒ–‘”˜ƒŽ—‡•ƒ”‡”‡’‘”–‡†‘–ŠŽ›

”‡“—‡…›

‘–ŠŽ›

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‘’—–‡”•‡…—”‹–›‹…‹†‡–”‡•’‘•‡–‡ƒȋ Ȍ ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‘’—–‡”•‡…—”‹–›‹…‹†‡–”‡•’‘•‡–‡ƒȋ Ȍ ˆ‘”ƒ–‹‘…—•–‘‡”ǣŠ‹‡ˆ‹ˆ‘”ƒ–‹‘‘ˆϐ‹…‡”ǡŠ‹‡ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘ˆϐ‹…‡”

Data source

ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–”‡’‘”–•

Reporting format

Table with indicator values Trend diagram

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳ͸Ǥͳǣƒƒ‰‡‡–‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›‹…‹†‡–• and improvements



53

ISO/IEC 27004:2016(E)

B.35 Security event reporting Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‡ƒ•—”‡™Š‡–Š‡”•‡…—”‹–›‡˜‡–•ƒ”‡”‡’‘”–‡†ƒ†ˆ‘”ƒŽŽ›–”‡ƒ–‡†Ǥ

Measure

—‘ˆ•‡…—”‹–›‡˜‡–•”‡’‘”–‡†–‘–Š‡‘’—–‡”•‡…—”‹–›‹…‹†‡–”‡•’‘•‡–‡ƒ (CSIRT) in relation to the size of the organization

Formula/scoring

—‘ˆ•‡…—”‹–›‡˜‡–•–Šƒ–Šƒ˜‡„‡‡”‡’‘”–‡†ƒ†ˆ‘”ƒŽŽ›–”‡ƒ–‡†–‘ Ȁ —„‡”‘ˆ•‡…—”‹–›”‘Ž‡•†‡ϐ‹‡†„›–Š‡‘”‰ƒ‹œƒ–‹‘

Target

–Ž‡ƒ•–‘‡•‡…—”‹–›‡˜‡–’‡”•‡…—”‹–›”‘Ž‡’‡”›‡ƒ”


‹…‡–‹‰•›•–‡—•‡†ˆ‘”–”‡ƒ–‹‰•‡…—”‹–›‡˜‡–•

”‡“—‡…›

‘ŽŽ‡…–ǣ‡ƒ”Ž› ‡’‘”–ǣ‡ƒ”Ž›

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‘’—–‡”•‡…—”‹–›‹…‹†‡–”‡•’‘•‡–‡ƒȋ Ȍ ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡”


ˆ‘”ƒ–‹‘…—•–‘‡”ǣ ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡”ǡ–‘’ƒƒ‰‡‡– Data source

Incident reports

Reporting format

Trend line showing the evolution of reported events over last periods

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳ͸ǤͳǤ͵ǣ‡’‘”–‹‰‹ˆ‘”ƒ–‹‘•‡…—”‹–›™‡ƒ‡••‡•

54



ISO/IEC 27004:2016(E)

B.36 ISMS review process Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

‘ƒ••‡••–Š‡†‡‰”‡‡‘ˆƒ……‘’Ž‹•Š‡–‘ˆ‹†‡’‡†‡–”‡˜‹‡™‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›

Measure

Progress ratio of accomplished independent reviews

Formula/scoring

‹˜‹†‡ȏ—„‡”‘ˆ…‘†—…–‡†”‡˜‹‡™•„›–Š‹”†’ƒ”–› Ȑ„›ȏ‘–ƒŽ—„‡”‘ˆ’Žƒ‡†–Š‹”†’ƒ”–›”‡˜‹‡™•Ȑ

Target

‡•—Ž–‹‰”ƒ–‹‘‘ˆ‹†‹…ƒ–‘”•Š‘—Ž†ˆƒŽŽ’”‹ƒ”‹Ž›„‡–™‡‡ͲǤͺƒ†ͳǤͳ–‘…‘…Ž—†‡ –Š‡ƒ…Š‹‡˜‡‡–‘ˆ–Š‡…‘–”‘Ž‘„Œ‡…–‹˜‡ƒ†‘ƒ…–‹‘Ǥ†‹–•Š‘—Ž†„‡‘˜‡”ͲǤ͸‹ˆ ‹–ˆƒ‹Ž•–‘‡‡––Š‡’”‹ƒ”›…‘†‹–‹‘Ǥ


ͳ‘—–—„‡”‘ˆ”‡’‘”–‘ˆ…‘†—…–‡†”‡‰—Žƒ””‡˜‹‡™•„›–Š‹”†’ƒ”–› ʹǤ‘—––‘–ƒŽ—„‡”‘ˆ’Žƒ‡†–Š‹”†’ƒ”–›”‡˜‹‡™•

”‡“—‡…›

‘ŽŽ‡…–ǣ—ƒ”–‡”Ž› ƒŽ›•‹•ǣ—ƒ”–‡”Ž› ‡’‘”–ǣ—ƒ”–‡”Ž›


‡ƒ•—”‡‡–‡˜‹•‹‘ǣ‡˜‹‡™ƒ†—’†ƒ–‡‡˜‡”›ʹ›‡ƒ”• ‡”‹‘†‘ˆ‡ƒ•—”‡‡–ǣ’’Ž‹…ƒ„Ž‡ʹ›‡ƒ”• Responsible parties

Information owner: Managers responsible for an ISMS ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ –‡”ƒŽƒ—†‹–Ǣ—ƒŽ‹–›ƒƒ‰‡” ‡ƒ•—”‡‡–…Ž‹‡–ǣƒƒ‰‡”•”‡•’‘•‹„Ž‡ˆ‘”ƒ ǡ—ƒŽ‹–›•›•–‡ƒƒ‰‡”

Data source

ͳǤ‡’‘”–•‘ˆ–Š‹”†’ƒ”–›”‡˜‹‡™•

Reporting format

Bar graph depicting compliance over several reporting periods in relation to the –Š”‡•Š‘Ž†•†‡ϐ‹‡†„›–ƒ”‰‡–

Relationship

Ȁ ʹ͹ͲͲͳǣʹͲͳ͵ǡǤͳͺǤʹǤͳǣ †‡’‡†‡–”‡˜‹‡™‘ˆ‹ˆ‘”ƒ–‹‘•‡…—”‹–›

ʹǤŽƒ•‘ˆ–Š‹”†’ƒ”–›”‡˜‹‡™•



55

ISO/IEC 27004:2016(E)

B.37 Vulnerability coverage Information descriptor

Meaning or purpose

Measure ID

”‰ƒ‹œƒ–‹‘Ǧ†‡ϐ‹‡†

Information need

˜ƒŽ—ƒ–‡–Š‡…—””‡–˜‹•‹„‹Ž‹–›‘‘”‰ƒ‹œƒ–‹‘ǯ••›•–‡•˜—Ž‡”ƒ„‹Ž‹–‹‡•

Measure

ƒ–‹‘‘ˆ•›•–‡•™Š‹…ŠŠƒ˜‡„‡‡‘„Œ‡…–‘ˆ˜—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡–Ȁ’‡‡–”ƒ–‹‘ testing activities

Formula/scoring

—„‡”‘ˆ•›•–‡•‘„Œ‡…–‘ˆƒ˜—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡–‹–Š‡Žƒ•–“—ƒ”–‡”‘”‘ˆƒ ’‡‡–”ƒ–‹‘–‡•–‹–Š‡Žƒ•–›‡ƒ”Ȁ–‘–ƒŽ•›•–‡•

Target

1


ƒŽ›•‹•‘˜—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡–ƒ†’‡‡–”ƒ–‹‘–‡•–‹‰ƒ…–‹˜‹–‹‡•

”‡“—‡…›

—ƒ”–‡”Ž›

Responsible parties

ˆ‘”ƒ–‹‘‘™‡”ǣ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒŽ›•–•‘”…‘–”ƒ…–‡†–Š‹”†’ƒ”–‹‡• ˆ‘”ƒ–‹‘…‘ŽŽ‡…–‘”ǣ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒŽ›•–• ˆ‘”ƒ–‹‘…—•–‘‡”ǣ‹ˆ‘”ƒ–‹‘•‡…—”‹–›ƒƒ‰‡”

Data source

—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡–”‡’‘”–•


—Ž‡”ƒ„‹Ž‹–›ƒ••‡••‡––‘‘Ž• Penetration test reports Reporting format

‰‰”‡‰ƒ–‡’‹‡…Šƒ”–ƒ†Š‘‘‰‡‡‘—•‘”•‡•‹–‹˜‡•›•–‡•ƒ””ƒ›•Ǧ™‹†‡’‹‡…Šƒ”– showing the obtained ratios

Relationship

ISO/IEC 27001:2013, A.18.2.3: Technical compliance review

56



ISO/IEC 27004:2016(E)

Annex C (informative) An example of free-text form measurement construction

C.1 ‘Training effectiveness’ – effectiveness measurement construct –Š‹•‡šƒ’Ž‡ƒǮˆ”‡‡–‡š–ǯƒ’’”‘ƒ…Š‹•–ƒ‡–‘†‡–‡”‹‡™Š‡–Š‡”ˆ‘”ƒŽ‹œ‡†–”ƒ‹‹‰‹•ƒ„‡––‡”™ƒ› –‘…‘˜‡›‹ˆ‘”ƒ–‹‘•‡…—”‹–›‘„Œ‡…–‹˜‡•–ŠƒŒ—•–ƒ‹‰–Š‡’‘Ž‹…›ƒ˜ƒ‹Žƒ„Ž‡‘Ž‹‡Ǥ Assume all of staff (S1) are required to read the online version of the organization’s ‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‘Ž‹…›ƒ•ƒ’ƒ”–‘ˆ–Š‡‹”–‡”•‘ˆ‡’Ž‘›‡–ȋ…‘–”ƒ…–ȌǤ –ƒ›–‹‡ǡʹα–‘–ƒŽ—„‡”‘ˆ•–ƒˆˆ™Š‘Šƒ˜‡ƒ…‘™Ž‡†‰‡†”‡ƒ†‹‰–Š‡’‘Ž‹…›‘Ž‹‡ȋ‹Ǥ‡Ǥ–Š‡›Šƒ˜‡ gone online and at least scrolled-through to the end of the text).


͵α—„‡”‘ˆ‡’Ž‘›‡‡•™Š‘Šƒ˜‡ƒ––‡†‡†•’‡…‹ϐ‹…‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‘Ž‹…›ƒ™ƒ”‡‡••–”ƒ‹‹‰Ǥ ȋ͵™‹ŽŽƒŽ™ƒ›•„‡ƒ•—„Ǧ•‡–‘ˆʹǡ•‹…‡–Š‡…‘—”•‡™‹ŽŽ”‡“—‹”‡–Š‡‹”’”‹‘”‘Ž‹‡”‡ƒ†‹‰‘ˆ–Š‡’‘Ž‹…›ȌǤ ŽŽ•–ƒˆˆ™Š‘Šƒ˜‡ƒ–Ž‡ƒ•–”‡ƒ†–Š‡’‘Ž‹…›ƒ”‡”‡“—‹”‡†–‘–ƒ‡ƒ‘Ž‹‡–‡•–ǡ‹…Ž—†‹‰–Š‘•‡™Š‘Šƒ˜‡ attended the formal training. S4Pα—„‡”‘ˆ•–ƒˆˆ™Š‘Šƒ˜‡–ƒ‡–Š‡–‡•–ƒˆ–‡”‘Ž›”‡ƒ†‹‰–Š‡‹–”ƒ‡–’‘Ž‹…›ƒ†™Š‘ƒ…Š‹‡˜‡ the mark. S4Fα—„‡”‘ˆ’‡‘’Ž‡™Š‘Šƒ˜‡–ƒ‡–Š‡–‡•–ƒˆ–‡”‘Ž›”‡ƒ†‹‰–Š‡‹–”ƒ‡–’‘Ž‹…›ƒ†™Š‘ˆƒ‹Ž–‘ achieve the mark. S5P = number of people who have taken the same test after attending the formal training and who achieve the mark. S5F = number of people who have taken the same test after attending the training and who fail to achieve the mark. ͳαͳǦʹǡ–Š‡—„‡”‘ˆ•–ƒˆˆ›‡––‘Šƒ˜‡ƒ›‡š’‘•—”‡–‘–Š‡‹ˆ‘”ƒ–‹‘•‡…—”‹–›’‘Ž‹…›Ǥ E2= S4P / (S4P + S4F Ȍǡ‹Ǥ‡Ǥ–Š‡’”‘’‘”–‹‘‘ˆ•–ƒˆˆ™Š‘Šƒ˜‡‘Ž›”‡ƒ†–Š‡’‘Ž‹…›ƒ†™Š‘Šƒ˜‡ƒ‰‘‘† …‘’”‡Š‡•‹‘‘ˆ‹–ȋ–Šƒ–„‡‹‰†‡–‡”‹‡†„›–Š‡’ƒ••–Š”‡•Š‘Ž†ȌǤ E3= S5P / (S5P + S5F), as above, for S5, but for those staff who have attended the formal training. E4 = E3/E2, i.e. the effectiveness ratio of training versus plain self-instruction. ͳǦʹ‹•ƒŽ•‘ƒ—•‡ˆ—Ž‡ƒ•—”‡ǡ‹†‹…ƒ–‹‰Š‘™ƒ›•–ƒˆˆ‡„‡”•Šƒ˜‡›‡––‘”‡ƒ†–Š‡‘Ž‹‡’‘Ž‹…›Ǥ This can have a threshold which triggers something an alert when either (or both) of a proportion of –‘–ƒŽ—„‡”•‘ˆ•–ƒˆˆ‹•‡š…‡‡†‡†ǡ„—–…ƒƒŽ•‘ƒ……‘‘†ƒ–‡ƒ†—”ƒ–‹‘™‹–Š‹™Š‹…Š–Š‡‘Ž‹‡’‘Ž‹…› —•–„‡”‡ƒ†ǡ‹–Šƒ––Š‡”‡Šƒ•–‘„‡ƒ’”ƒ…–‹…ƒŽ’‡”‹‘†‘ˆ–‹‡ˆ”‘™Š‡ƒ‡’Ž‘›‡‡„‡‰‹•ƒ†–Š‡‹” ‹‹–‹ƒŽ‹–”‘†—…–‘”›ƒ…–‹‘•ƒ”‡–‘„‡…‘’Ž‡–‡†Ǥ ‡ …ƒ ‹ƒ‰‹‡ –Šƒ– ‘˜‡” –‹‡ǡ ƒ• –Š‡ ‹ˆ‘”ƒ–‹‘ •‡…—”‹–› ƒ™ƒ”‡‡•• ƒ† …—Ž–—”‡ ƒ†˜ƒ…‡ǡ –Š‡ –Š”‡•Š‘Ž†‹‰Š–„‡”ƒ‹•‡†ƒ•–”‡†•ƒ”‡‹†‡–‹ϐ‹‡†ǡƒ•…ƒƒƒŽ›•‹•‘ˆ“—‡•–‹‘•ˆƒ‹Ž‡†ǡ™Š‹…Š‹‰Š–Ž‡ƒ† –‘‘”‡‡ˆˆ‡…–‹˜‡‡š’”‡••‹‘‘ˆ–Š‡’‘Ž‹…›ǡ‘”–Š‡•‡––‹‰‘ˆ‘”‡”‡ƒŽ‹•–‹…‰‘ƒŽ•Ǥ



57

ISO/IEC 27004:2016(E)


Bibliography [1]

ISO/TR 10017, Guidance on statistical techniques for ISO 9001:2000

[2]

ISO/IEC 15939, Systems and software engineering – Measurement process

[3]

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

[4]

ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements

[5]

NIST Special Publication 800-55, Revision 1, Performance Measurement Guide for Information ‡…—”‹–›ǡ —Ž›2008. http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf

58




This page is intentionally blank.









ISO/IEC 27004:2016(E)

౧Ͳ͵ǤͳͲͲǤ͹ͲǢ͵ͷǤͲ͵Ͳ Price based on 58 pages © ISO/IEC 2016 – All rights reserved


Iso-iec-27004-2016-english 36211e

Overview 4q3b3c

More details 26j3b

More Documents from "sirdba" 29565b

Iso Iec Tr 27008 2011 English 82u65

2c82t

Iso-iec-27004-2016-english 36211e