ISO/IEC INTERNATIONAL STANDARD 27004 Second edition 2016-12-15 Information technology - Security techniques Information security management Monitoring, measurement, analysis and evaluation Technologies de I'information - Techniques de sécurité - Management de la sécurité de I'information Surveillance, mesurage, analyse et évaluation Reference number IS0/IEC 27004:2016(E) E( @IS0/IEC2016 http:/mahdi.hashemitabar.com IS0/IEC 27004:2016(E) der Forderung inz COPYRIGHTPROTECTED DOCUMENT @ IS0/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior the requester. Normen-Download-Beuth-Max ISO copyright office Ch. de Blandonnet 8 . CP 401 CH-1214 Vernier, Geneva, Switzerland Tel.+41227490111 Fax +4122 749 09 47 copyright@iso.org www.iso.org ii @IS0/IEC2016-Allrightsreserved http://mahdi.hashemitabar.com IS0/IEC27004:2016(E) Contents Page Foreword .iv Introduction .V 1 Scope. .1 2 Normative references 1 3 Terms and definitions 1 4 Structure and overview .1 5 Rationale .2 5.1 The need for measurement. 2 5.2 Fulfilling the IS0/IEC 27001 requirements .3 5.3 Validity of results 3 5.4 Benefits 3 6 Characteristics. .4 6.1 General 4 6.2 What to monitor. .4 6.3 What to measure .5 6.4 When to monitor, measure, analyse and evaluate 6 6.5 Who will monitor, measure, analyse and evaluate .6 956-LfNr.7894926001-2017-03-17 13:49 7 Types of measures .7 7.1 General .7 7.2 Performance measures .7 7.3 Effectiveness measures. .8 8 Processes .9 8.1 General .9 8.2 Identify information needs 10 8.3 Create and maintain measures. 11 8.3.1 General 11 8.3.2 Identify current security practices that can support information needs 11 8.3.3 Develop or update measures 12 8.3.4 Document measures and prioritize for implementation 13 8.3.5 Keep management informed and engaged. 13 8.4 Establish procedures. 14 8.5 Monitor and measure 14 8.6 Analyse results 15 8.7 Evaluate information security performance and ISMS effectiveness 15 8.8 Review and improve monitoring, measurement, analysis and evaluation processes 15 8.9 Retainandcommunicatedocumentedinformation. 15 Annex A (informative) An information security measurement model. .17 Annex B (informative) Measurement construct examples .19 Gesellschaftzur Annex C (informative) An example of free-text form measurement construction .57 Bibliography .58 Planck IS0/IEC2016-Allrightsreserved iii http://mahdi.hashemitabar.com