The international standard guidelines for an information security management system, comprising a framework of accepted state-of-the-art practices, are addressed in ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems – Requirements. This standard specifies the base requirements by which any organization can establish, implement, maintain, and continually improve an information security management system suited to that organization’s context.
ISO/IEC 27001:2013, like other ISO Management System Standards, has adopted the shared Annex SL format, making its non-prescriptive specifications clear for the user and even simpler to comprehend for users of other management system standards. In fact, due to this structure, the system covered by ISO/IEC 27001:2013 can be adopted alongside other ISO management standards with ease.
Since an information security management system is intended to preserve the confidentiality, integrity, and availability of an organization’s information, it must not only perform well after its establishment, but it needs to extend its reliability over a substantial period of time. ISO/IEC 27004:2016 - Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation helps to secure the longevity of the information security management system by evaluating its effectiveness.
This standard is intended to supplement, but not supersede, the guidelines covered in ISO/IEC 27001:2013. For example, it draws upon the clauses in the general requirements standard in the following way:
Specifically, ISO/IEC 27004:2016 establishes the monitoring and measurement of two things: information security performance and the effectiveness of an information security management system (including its processes and controls). In addition, it covers the analysis and evaluation of the results drawn from monitoring and measuring those two things.
Monitoring establishes the status of a system, process, or activity in order to determine whether it meets the specified information need. This can include implementation of ISMS processes, incident management, vulnerability management, configuration management, security awareness and training, access control/firewall, audit, the risk assessment process, the risk treatment process, third party risk management, business continuity management, physical and environmental security management, and system monitoring.
Measurement is undertaken to demonstrate a value, status, or trend in performance or effectiveness in order to help identify potential improvement needs; identifying what to measure in an ISMS process can therefore differ greatly from determining what to monitor. Some measurable processes and activities include planning, leadership, risk management, policy management, resource management, communicating, management review, documenting, and auditing.
Measures can be taken for performance (demonstrating progress in implementing ISMS processes) or effectiveness (describing the impact that the realizations of the ISMS risk treatment plan and ISMS processes and controls have on the organization’s information security objectives). Decisions related to these processes and the actual individuals carrying them out are addressed in the ISO/IEC 27004:2016 standard.
Ultimately, the monitoring, measurement, analysis, and evaluation of the ISMS consists of six primary parts. These are visualized in the following figure from ISO/IEC 27004:2016:
Beyond assuring that the diligent and thorough efforts placed into enacting an ISMS do not go to waste, fulfilling ISMS processes and controls and affirming information security performance through these processes provides many organizational and financial benefits. These can include increased accountability, improved information security performance and ISMS processes, evidence of meeting requirements, and support for decision making, among others.
Both ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems – Requirements and ISO/IEC 27004:2016 - Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation are available on the ANSI Webstore.
However, these two documents only comprise a portion of the standards in the ISO/IEC 27000 series of standards. Other documents in this series focus on vocabulary, security, and risk management of the standardized framework for information security management systems.
All ISO/IEC 27000 series standards can be found together as the ISO/IEC 27000 Information Technology Security Techniques Collection, available only on the ANSI Webstore.