Jump to content

ISO/IEC 27004

From Wikipedia, the free encyclopedia

ISO/IEC 27004 Information Technology – Security techniques – Information Security Management – Measurement. It is part of a family of standards of information security management system (ISMS), which is a systematic approach to securing sensitive information,[1] of ISO/IEC. It provides standards for a robust approach to managing information security (infosec) and building resilience.[2] It was published on December 7, 2009 and revised in December 2016. It is currently not certifiable and is not translated into Spanish.

This standard appears in ISO/IEC 27000-series (more information can be found in ISO/IEC 27000). The ISO/IEC 27004 standard provides guidelines intended to assist organizations to evaluate the performance of information security and the efficiency of a management system in order to meet the requirements of the ISO/IEC 27001.[3]

What does the standard establish?

[edit]

This standard establishes:[4]

  • Monitoring and measuring of information security performance.
  • Monitoring and measuring the effectiveness of an Information Security Management System (ISMS), including processes and controls.
  • Analysis and evaluating of monitoring and measurement results.

This standard is applicable to all types of organizations regardless of size.

Terms and structure

[edit]

The terms and definitions given in this standard are defined within the standard ISO/IEC 27000. The ISO/IEC 27004 standard is structured as follows:[5]

  • Logic Base
  • Characteristics - this section defines, among other things, what to monitor, who and what to measure, when to monitor, measure and evaluate it.
  • Types of measures - this section describes the two main types of measures: performance and effectiveness.
  • Processes - this section defines the types of processes to follow.

In addition to that, it has 3 annexes (A, B, C):

  • Annex A - describes an information security measurement model which includes the relationship of the components of the measurement model and the requirements of ISO/IEC 27001.
  • Annex B - provides a wide range of examples that are used as a guide.
  • Annex C - provides a more complete example.

References

[edit]
  1. ^ "BS EN ISO/IEC 27001 Information Security Management – Precise definition of ISMS". www.iso.org. Retrieved 7 April 2020.
  2. ^ "BS EN ISO/IEC 27001 Information Security Management – More about ISMS in ISO/IEC 27001". www.bsigroup.com. Retrieved 3 April 2020.
  3. ^ "BS EN ISO/IEC 27004:2016 – What is ISO 27004?". www.iso.org. Retrieved 3 April 2020.
  4. ^ "BS EN ISO/IEC 27004 Information Security Management – What ISO/IEC 27004 establishes?". webstore.iec.ch. Retrieved 7 April 2020.
  5. ^ "BS EN ISO/IEC 27004:2016 – Preview of contents of ISO/IEC 27004:2016". www.iso.org. Retrieved 3 April 2020.
[edit]