The main objectives of ISO 27004 are to:
establish the monitoring and measurement of information security performance;
establish the monitoring and measurement of the effectiveness of the ISMS, including its processes and controls;
provide guidance on how to analyse and evaluate the results of monitoring and measurement;
provide guidance on how to report and communicate the results of monitoring and measurement.
ISO 27004 is applicable to all types and sizes of organizations that have implemented or are implementing an ISMS based on ISO 27001. It can also be used by external parties, such as auditors or consultants, to assess the performance and effectiveness of an organization's ISMS.
The standard consists of the following main clauses:
Scope
Normative references
Terms and definitions
Monitoring and measurement overview
Monitoring and measurement of information security performance
Monitoring and measurement of ISMS effectiveness
Analysis and evaluation
Reporting and communication
The standard also includes three informative annexes that provide examples of information security performance indicators, information security performance metrics, and information security effectiveness metrics.
The standard is available in PDF format from the official website of ISO or from other authorized sources. The current edition is ISO/IEC 27004:2016, which was published in December 2016. It replaces the previous edition, ISO/IEC 27004:2009, which was withdrawn in January 2017.