ISO/IEC 27004 discusses security techniques. ISO/IEC 27004 provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system in order to fulfill the requirements of ISO/IEC 27001:2013, 9.1. ISO/IEC 27004 helps organizations to develop and operate measurement processes, and to assess and report the results of the associated measurement constructs. ISO/IEC 27004 establishes:
ISO/IEC 27004 on information security management systems is useful for:
The objective of an information security management system (ISMS) is the preservation of confidentiality, integrity, and availability of information. There are ISMS activities that concern the planning of how to do this, and the implementation of those plans. However, by themselves, these activities cannot guarantee that the realisation of those plans fulfills the information security objectives. Therefore, in the ISMS as defined by ISO/IEC 27001, there are several requirements to evaluate whether the plans and activities ensure the fulfillment of the information security objectives.
ISO/IEC 27004 shows how to construct an information security measurement program, how to select what to measure, and how to operate the necessary measurement processes. ISO/IEC 27004 includes extensive examples of different types of measures, and how the effectiveness of these measures can be assessed. A successful measurement program built using ISO/IEC 27004 will meet the performance monitoring requirements set out in ISO/IEC 27001.
BS ISO/IEC 27004:2016 cancels and replaces BS ISO/IEC 27004:2009. BS ISO/IEC 27004:2016 includes the following principal changes:
ISO/IEC 27004:2016