Compliance with the ISO 27001 standard and its associated controls helps an organization to understand its information security risks and to develop an information security management system (ISMS) that addresses the risks identified. The ISO 27001 implementation process aims to give management an intuitive understanding of information security.
However, management also requires answers to the following questions in order to take effective strategic and tactical business decisions regarding the information security management system (ISMS) and to plan future investments in information security accordingly. (Brotby, 2009)
- How secure is the organization at present?
- How much security is enough?
- How do we know when we have achieved the required level of security?
- What are the most cost-effective solutions?
- How do we prevent over-spending on IT assets or under-protecting assets?
- How well can risk be predicted?
- What level of maturity have the controls that are implemented so far achieved?
- Is the security program going in the right direction?
In order to answer these questions, an effective method for measuring the effectiveness of ISMS controls is required.
Moreover, ISO 27001 requires the organization to “undertake regular reviews of the effectiveness of the ISMS” and to “measure the effectiveness of controls to verify that security requirements have been met”. The ISO 27004 standard has been developed to accomplish this.
The International Standard ISO/IEC 27004:2009(E) provides guidance on the development and use of measures and measurement to assess the effectiveness of an implemented information security management system and of controls or groups of controls, as specified in ISO/IEC 27001.
What is ISO 27004?
ISO 27004 provides guidance and describes a set of best practices for measuring the results of an ISMS in an organization. The standard specifies how to set up a measurement program, what parameters to measure, when to measure and how to measure, and helps organizations decide how to set performance targets and success criteria.
Need for measuring security
It is often said that it is impossible to manage something that you cannot measure accurately. This applies to information security as it does to other fields.
Effectiveness measurements help an organization to determine whether any ISMS processes or controls need to be improved or managed in a better way. Good metrics produce quantifiable values in the form of numbers and percentages, which are necessary to focus management attention and support analysis.
Measurements provide single-point-in-time views of specific, discrete factors, while metrics are derived by comparing two or more measurements taken over time against a predetermined baseline. (Payne, 2009)
Technical security metrics provide assurance of the capability of systems or products to detect, protect against and respond to security threats.
According to the ISO 27004 standard, the kind of measurements required depends on the size and complexity of the organization, the cost benefit to the organization and the level of integration of information security into the organization's overall business processes.
How to measure security
ISO 27004 defines how data should be collected and analyzed, how measurements should be constructed, and how the measurement program should be documented and integrated into the ISMS. (Steffen Weiss, 2005)
The standard provides a Plan-Do-Check-Act (PDCA) model for the measurement of security, where
- the Plan phase consists of integration with the ISMS and identification of the objects to be measured
- the Do phase consists of the actual implementation of the security metric
- the Check phase consists of the monitoring and review of results
- the Act phase consists of improvements to ISMS measurement and implementation
The steps proposed by ISO 27004 for measuring ISMS effectiveness can be summarized as follows:
- Select processes and objects for measurement: Organizations need to define what needs to be measured and the scope of measurement. Only well-documented processes that are consistent and repeatable should be considered for measurement. An object may include processes, plans, projects, resources, and systems or system components. Objects of measurement can also be the performance of controls or processes, the behavior of personnel, and the activities of units responsible for information security. (Tarnes, 2012)
- Define baselines: Baseline values that indicate a point of reference should be defined for each object being measured. Threshold values, targets or patterns that indicate an acceptable level of performance must be finalized and approved by the relevant stakeholders.
- Collect data: Collecting timely, accurate, measurable, multidimensional data from the systems and processes in the scope of measurement is the most critical activity in creating security metrics. Automated data collection techniques can be used to achieve standardized data collection and reporting.
- Develop a measurement method: According to ISO 27004, a logical sequence of operations is applied to various attributes of the object selected for measurement in order to arrive at an output ‘indicator’ that makes sense to stakeholders. These indicators can be used as data sources for improving the performance of information security programs.
- Interpret measured values: Having processes and technology for the analysis and interpretation of quantitative and qualitative measurement values (indicators) is the next step in ISMS measurement. The analysis of results from the measurement process should identify gaps between the baseline value and the actual measured value.
- Communicate measurement values: Outputs of ISMS measurement should be communicated to the relevant stakeholders. Measurement values can be communicated in the form of charts, operational dashboards, reports or newsletters. A comparable, consistent result from the measurement process forms the basis for management review decisions and ISMS improvement activities.
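The following is an added worked example and is not part of the original article or of the ISO 27004 text. It walks one object of measurement ("critical patches applied within the agreed SLA") through the steps above: base measures collected from the object, a measurement function that derives a percentage, decision criteria (the approved baseline) that turn the value into a green/amber/red indicator with a gap to target, and a trend obtained by comparing two measurements taken over time, which is the metric in Payne's sense. The inventory records, the 30-day SLA, the 90%/70% thresholds and all function names are constructed assumptions for illustration; an empty scope is handled explicitly so the measurement function cannot divide by zero.

```python
"""Added example: a minimal ISO 27004 style measurement pipeline.
Data, names and thresholds are constructed for illustration only."""
from dataclasses import dataclass
from datetime import date

# Object of measurement: critical patch applied within SLA.
# Each record is (hostname, patch_released, patch_applied or None). Constructed data.
INVENTORY_Q1 = [
    ("web-01", date(2023, 1, 10), date(2023, 1, 20)),
    ("web-02", date(2023, 1, 10), date(2023, 1, 25)),
    ("db-01",  date(2023, 1, 10), date(2023, 2, 5)),
    ("db-02",  date(2023, 1, 10), date(2023, 3, 1)),   # applied after the SLA
    ("app-01", date(2023, 1, 10), None),               # never applied
    ("app-02", date(2023, 1, 10), None),               # never applied
]
INVENTORY_Q2 = [
    ("web-01", date(2023, 4, 10), date(2023, 4, 15)),
    ("web-02", date(2023, 4, 10), date(2023, 4, 20)),
    ("db-01",  date(2023, 4, 10), date(2023, 5, 1)),
    ("db-02",  date(2023, 4, 10), date(2023, 5, 8)),
    ("app-01", date(2023, 4, 10), date(2023, 5, 9)),
    ("app-02", date(2023, 4, 10), date(2023, 6, 1)),   # applied after the SLA
]

PATCH_SLA_DAYS = 30  # assumed SLA agreed with stakeholders


@dataclass(frozen=True)
class DecisionCriteria:
    """Approved baseline: the target and the minimum acceptable level."""
    target: float     # indicator is green at or above this value
    threshold: float  # amber at or above this value, red below it


CRITERIA = DecisionCriteria(target=90.0, threshold=70.0)


def base_measures(inventory, sla_days=PATCH_SLA_DAYS):
    """Step 'collect data': raw counts read directly from the object of measurement."""
    within = sum(
        1 for _host, released, applied in inventory
        if applied is not None and (applied - released).days <= sla_days
    )
    return {"systems_in_scope": len(inventory), "patched_within_sla": within}


def derived_measure(bm):
    """Measurement function: combine the base measures into a percentage."""
    if bm["systems_in_scope"] == 0:
        return 0.0  # edge case: an empty scope yields no coverage rather than an error
    return 100.0 * bm["patched_within_sla"] / bm["systems_in_scope"]


def indicator(value, criteria=CRITERIA):
    """Analytical model: map the derived measure onto the decision criteria."""
    if value >= criteria.target:
        return "green"
    if value >= criteria.threshold:
        return "amber"
    return "red"


def measure(inventory, criteria=CRITERIA):
    """Run one measurement and interpret it against the baseline."""
    bm = base_measures(inventory)
    value = derived_measure(bm)
    return {
        "base": bm,
        "value": round(value, 2),
        "status": indicator(value, criteria),
        "gap_to_target": round(max(0.0, criteria.target - value), 2),
    }


def trend(previous, current, tolerance=2.0):
    """Metric: compare two measurements over time; small moves count as stable."""
    delta = current["value"] - previous["value"]
    if delta > tolerance:
        return "improving"
    if delta < -tolerance:
        return "declining"
    return "stable"


if __name__ == "__main__":
    q1, q2 = measure(INVENTORY_Q1), measure(INVENTORY_Q2)
    for label, m in (("Q1", q1), ("Q2", q2)):
        print(f"{label}: {m['value']:.1f}% within SLA -> {m['status']} "
              f"(gap to target {m['gap_to_target']} points)")
    print("trend Q1 -> Q2:", trend(q1, q2))
```

The split into base measures, a measurement function and decision criteria is deliberate: the counts can be collected automatically, the function can be reviewed once and reused, and only the criteria need stakeholder approval when the baseline changes.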
The above sequence of steps can be shown diagrammatically as below. (Tarnes, 2012)
The following list shows some of the advantages of implementing ISO 27004:
- Provides seamless integration with an ISO 27001 based ISMS
- Provides structured, quantitatively focused and easy-to-understand metrics and measurements
- Provides constant review of trends and better visibility of security risks and weak links in the security posture
- Provides comparability of security at different times and between different organizations
- Provides increased accountability and improved information security effectiveness
- Assists in management review and provides decision indicators for continual improvement of the ISMS
- Provides quantifiable inputs for resource allocation decisions
- Creates a comprehensive repository of security metrics data
- Provides a streamlined security reporting process
- Provides overall data security, cost savings and increased efficiency
- Brotby, W. K. (2009). Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement. Auerbach Publications, Boston, MA, USA. ISBN: 1420052853, 9781420052855.
- Payne, S. C. (2009). A Guide to Security Metrics. SANS Institute InfoSec Reading Room.
- Steffen Weiss, O. W. (n.d.). A Comprehensive and Comparative Metric for Information Security. Dept. of Computer Science, University of Erlangen, Germany. Retrieved from http://www.ccslabs.org/bib/weiss2005comprehensive/weiss2005comprehensive.pdf
- Tarnes, M. (2012, December 17). Information Security Metrics – An Empirical Study of Current Practice. Norwegian Institute of Science and Technology. Retrieved from http://infosec.sintef.no/wpcontent/uploads/2012/12/20121217-Marte-Taarnes-prosjekt-maaling-av-infosikkerhet.pdf