ISO 27004 provides guidance and describes a set of best practices for measuring the result of ISMS in an organization. The standard specifies how to set up a measurement program, what parameters to measure, when to measure, how to measure and helps organizations to decide on how to set performance targets and success criteria.

1. Information Security Metrics Implementation
Based on ISO 27004

2. Information Security Metrics Implementation Based on ISO 27004
© Network Intelligence India Pvt. Ltd. 2
Contents
Introduction ..............................................................................................................................................3
What is ISO 27004.....................................................................................................................................3
Need for measuring security.....................................................................................................................4
How to measure security..........................................................................................................................4
Advantages of implementing ISO 27004 based measurement ................................................................6
Works Cited...................................................................................................................................................7

3. Information Security Metrics Implementation Based on ISO 27004
© Network Intelligence India Pvt. Ltd. 3
Introduction
Compliance to the ISO 27001 standard and associated controls helps an organization to understand
information security risks and develop an information security management system (ISMS) in order to
address the risks identified. The ISO 27001 implementation process aims to provide management an
intuitive understanding of information security.
However, management also requires answers to the following questions in order to take effective
strategic and tactical business decisions regarding information security management system (ISMS) and
plan future investments in information security accordingly. (Brotby, 2009)
 How secure is the organization at present?
 How much security is enough?
 How do we know when we have achieved the required level of security?
 What are the most cost-effective solutions?
 How do we prevent over-spending on IT assets or under-protecting assets?
 How well can risk be predicted?
 What level of maturity have the controls that are implemented so far achieved?
 Is the security program going in the right direction?
In order to get answers to these questions, an effective method to measure the effectiveness of ISMS
controls are required.
Moreover, ISO 27001 requires the organization to “undertake regular reviews of the effectiveness of the
ISMS” and to “measure the effectiveness of controls to verify that security requirements have been
met”. ISO 27004 standard has been developed in order to accomplish this.
The International Standard ISO/IEC 27004:2009(E) provides guidance on the development and use of
measures and measurement in order to assess the effectiveness of an implemented information security
management system and controls or groups of controls, as specified in ISO/IEC 27001.
What is ISO 27004
ISO 27004 provides guidance and describes a set of best practices for measuring the result of ISMS in an
organization. The standard specifies how to set up a measurement program, what parameters to
measure, when to measure, how to measure and helps organizations to decide on how to set
performance targets and success criteria.

4. Information Security Metrics Implementation Based on ISO 27004
© Network Intelligence India Pvt. Ltd. 4
Need for measuring security
It is often quoted that it is impossible to manage something that you cannot measure accurately. This
applies to information security as it does for other fields.
Effectiveness measurements will help an organization to determine whether any ISMS processes or
controls need to be improved or managed in a better way. Good metrics produce quantifiable values in
the form of numbers and percentages that are necessary to facilitate management attention and
analysis.
Measurements provide single-point-in-time views of specific, discrete factors, while metrics are derived
by comparing to a predetermined baseline two or more measurements taken over time. (Payne, 2009).
Technical security metrics provide an assurance in the capability of systems or products in detecting,
protecting and responding to security threats.
According to the ISO 27004 standard, the kind of measurements that are required would depend on the
size and complexity of the organization, cost benefit to the organization and the level of integration of
information security in the overall business processes of the organization.
How to measure security
ISO 27004 defines how data should be collected and analyzed, how measurements should be
constructed and how the measurement program should be documented and integrated into the ISMS.
(Steffen Weiss, 2005)
The standard provides Plan-do-check-act (PDCA) model for measurement of security where
 Plan phase consists of integration with the ISMS and identification of the objects to be
measured
 Do phase consist of the actual implementation of the security metric
 Check Phase consists of the monitoring and review of results
 Act Phase consists of improvements to ISMS measurement and implementation

5. Information Security Metrics Implementation Based on ISO 27004
© Network Intelligence India Pvt. Ltd. 5
The steps that are proposed by ISO 27004 in order to measure ISMS effectiveness can be summarized as
below.
1. Select processes and objects for measurement: Organizations need to define what needs to be
measured and the scope of measurement. Only well documented processes that are consistent
and repeatable should be considered for measurement. An object may include processes, plans,
projects, resources, and systems, or system components. Objects of measurement can also be
performance of controls or processes, behavior of personnel, and activities of units responsible
for information security. (Tarnes, 2012)
2. Define baselines: Baseline values that indicate point of reference should be defined for each
object that is being measured. Threshold values, targets or patterns that indicate an acceptable
level of performance must be finalized and approved by the relevant stakeholders.
3. Collect Data: Collecting timely, accurate, measurable, multi dimensional data from systems and
processes that are in the scope of measurement would be the most critical activity in creating
security metrics. Automated data collection techniques can be used to achieve standardized
data collection and reporting.
4. Develop a measurement Method: According to ISO 27004, logical sequence of operations are
applied on various attributes of the object that is selected for measurement, in order to arrive at
an output ‘indicator’ that makes sense for stakeholders. These indicators can be used as data
sources for improving performance of information security programs.
5. Interpret measured values: Having processes and technology for analysis and interpretation of
quantitative and qualitative measurement values (indicators) would be the next step in ISMS
measurement. The analysis of results from measurement process should identify gaps between
the baseline value and the actual measurement value.
6. Communicate measurement values: Outputs of ISMS measurement should be communicated
to relevant stakeholders. Measurement values can be communicated in the form of charts,
operational dashboards, reports or newsletters. A comparable, consistent result from the
measurement process forms the basis for the management review meeting decisions and ISMS
improvement activities.

6. Information Security Metrics Implementation Based on ISO 27004
© Network Intelligence India Pvt. Ltd. 6
The above sequence of steps can be diagrammatically shown as below (Tarnes, 2012)
Advantages of implementing ISO 27004 based measurement
The following list shows some of the advantages of implementing ISO 27004:
 Provides seamless integration with the ISO 27001 standard based ISMS
 Provides structured, quantitatively focused, and easy to understand metrics and measurements
 Provides constant review of trends and better visibility of security risks and weak links in the
security posture
 Provides comparability of the security at different times and between different organizations.
 Provides increased accountability and improved information security effectiveness
 Assists in management review and provides decision indicators for continual improvement of
ISMS
 Provides quantifiable inputs for resource allocation decisions
 Creates comprehensive repository for security metrics data
 Provides streamlined security reporting process
 Provides overall data security, cost savings and increased efficiency

7. Information Security Metrics Implementation Based on ISO 27004
© Network Intelligence India Pvt. Ltd. 7
Works Cited
Brotby, W. K. (2009). Information Security Management Metrics: A Definitive Guide to Effective Security
Monitoring and Measurement . In W. K. Brotby, ISBN:1420052853 9781420052855. Auerbach
Publications Boston, MA, USA.
Payne, S. C. (2009). A Guide to Security Metrics. SANS Institute InfoSec Reading Room .
Steffen Weiss, O. W. (n.d.). A Comprehensive and Comparitive metric for information security. Retrieved
from Dept. of Computer Science, University of Erlangen, Germany : http://www.ccs-
labs.org/bib/weiss2005comprehensive/weiss2005comprehensive.pdf
Tarnes, M. (2012, December 17). Information Security Metrics - An empirical study of current practice.
Retrieved from Norwegian Insitute of Science and Technology: http://infosec.sintef.no/wp-
content/uploads/2012/12/20121217-Marte-Taarnes-prosjekt-maaling-av-infosikkerhet.pdf