ISO/IEC 27004:2009
Information technology - Security techniques - Information security management - Measurement
ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001. ISO/IEC 27004:2009 is applicable to all types and sizes of organization.
French title: Information technology — Security techniques — Information security management — Measurement
Slovenian title: Information technology — Security techniques — Information security management — Measurement
Slovenian abstract: This International Standard provides guidance on the development and use of measures and measurement to assess the effectiveness of an implemented information security management system (ISMS) and of controls or groups of controls, as specified in ISO/IEC 27001. This International Standard applies to all types and sizes of organization.
Frequently Asked Questions
ISO/IEC 27004:2009 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Security techniques - Information security management - Measurement". This standard covers: ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001. ISO/IEC 27004:2009 is applicable to all types and sizes of organization.
ISO/IEC 27004:2009 is classified under the following ICS (International Classification for Standards) categories: 03.100.70 - Management systems; 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 27004:2009 has the following relationships with other standards: it has an inter-standard link to ISO/IEC 27004:2016, the later edition. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase ISO/IEC 27004:2009 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27004
First edition 2009-12-15
Information technology — Security techniques — Information security management — Measurement
French title: Information technology — Security techniques — Information security management — Measurement
Reference number
© ISO/IEC 2009
© ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2009 – All rights reserved
Contents (page)
Foreword .... v
0 Introduction .... vi
0.1 General .... vi
0.2 Management overview .... vi
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 1
4 Structure of this International Standard .... 3
5 Information security measurement overview .... 4
5.1 Objectives of information security measurement .... 4
5.2 Information Security Measurement Programme .... 5
5.3 Success factors .... 6
5.4 Information security measurement model .... 6
5.4.1 Overview .... 6
5.4.2 Base measure and measurement method .... 7
5.4.3 Derived measure and measurement function .... 9
5.4.4 Indicators and analytical model .... 10
5.4.5 Measurement results and decision criteria .... 11
6 Management responsibilities .... 12
6.1 Overview .... 12
6.2 Resource management .... 13
6.3 Measurement training, awareness, and competence .... 13
7 Measures and measurement development .... 13
7.1 Overview .... 13
7.2 Definition of measurement scope .... 13
7.3 Identification of information need .... 14
7.4 Object and attribute selection .... 14
7.5 Measurement construct development .... 15
7.5.1 Overview .... 15
7.5.2 Measure selection .... 15
7.5.3 Measurement method .... 15
7.5.4 Measurement function .... 16
7.5.5 Analytical model .... 16
7.5.6 Indicators .... 16
7.5.7 Decision criteria .... 16
7.5.8 Stakeholders .... 17
7.6 Measurement construct .... 17
7.7 Data collection, analysis and reporting .... 17
7.8 Measurement implementation and documentation .... 18
8 Measurement operation .... 18
8.1 Overview .... 18
8.2 Procedure integration .... 18
8.3 Data collection, storage and verification .... 19
9 Data analysis and measurement results reporting .... 19
9.1 Overview .... 19
9.2 Analyse data and develop measurement results .... 19
9.3 Communicate measurement results .... 20
10 Information Security Measurement Programme Evaluation and Improvement .... 20
10.1 Overview .... 20
10.2 Evaluation criteria identification for the Information Security Measurement Programme .... 21
10.3 Monitor, review, and evaluate the Information Security Measurement Programme .... 21
10.4 Implement improvements .... 21
Annex A (informative) Template for an information security measurement construct .... 22
Annex B (informative) Measurement construct examples .... 24
Bibliography .... 55
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27004 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 General
This International Standard provides guidance on the development and use of measures and measurement in
order to assess the effectiveness of an implemented information security management system (ISMS) and
controls or groups of controls, as specified in ISO/IEC 27001.
This includes policy, information security risk management, control objectives, controls, processes and
procedures; measurement also supports the process of ISMS revision by helping to determine whether any of the
ISMS processes or controls need to be changed or improved. It needs to be kept in mind that no measurement of
controls can guarantee complete security.
The implementation of this approach constitutes an Information Security Measurement Programme. The
Information Security Measurement Programme will assist management in identifying and evaluating non-
compliant and ineffective ISMS processes and controls and prioritizing actions associated with improvement
or changing these processes and/or controls. It may also assist the organization in demonstrating
ISO/IEC 27001 compliance and provide additional evidence for management review and information security
risk management processes.
This International Standard assumes that the starting point for the development of measures and
measurement is a sound understanding of the information security risks that an organization faces, and that
an organization’s risk assessment activities have been performed correctly (i.e. based on ISO/IEC 27005), as
required by ISO/IEC 27001. The Information Security Measurement Programme will encourage an
organization to provide reliable information to relevant stakeholders concerning its information security risks
and the status of the implemented ISMS to manage these risks.
Effectively implemented, the Information Security Measurement Programme would improve stakeholder
confidence in measurement results, and enable the stakeholders to use these measures to effect continual
improvement of information security and the ISMS.
The accumulated measurement results will allow comparison of progress in achieving information security
objectives over a period of time as part of an organization’s ISMS continual improvement process.
0.2 Management overview
ISO/IEC 27001 requires the organization to “undertake regular reviews of the effectiveness of the ISMS taking
into account results from effectiveness measurement” and to “measure the effectiveness of controls to verify
that security requirements have been met”. ISO/IEC 27001 also requires the organization to “define how to
measure the effectiveness of the selected controls or groups of controls and specify how these measures are
to be used to assess control effectiveness to produce comparable and reproducible results”.
The approach adopted by an organization to fulfil the measurement requirements specified in ISO/IEC 27001
will vary based on a number of significant factors, including the information security risks that the organization
faces, its organizational size, resources available, and applicable legal, regulatory and contractual
requirements. Careful selection and justification of the method used to fulfil the measurement requirements
are important to ensure that excessive resources are not devoted to these activities of the ISMS to the
detriment of others. Ideally, ongoing measurement activities are to be integrated into the regular operations of
the organization with minimal additional resource requirements.
This International Standard gives recommendations concerning the following activities as a basis for an
organization to fulfil measurement requirements specified in ISO/IEC 27001:
a) developing measures (i.e. base measures, derived measures and indicators);
b) implementing and operating an Information Security Measurement Programme;
c) collecting and analysing data;
d) developing measurement results;
e) communicating developed measurement results to the relevant stakeholders;
f) using measurement results as contributing factors to ISMS-related decisions;
g) using measurement results to identify needs for improving the implemented ISMS, including its scope,
policies, objectives, controls, processes and procedures; and
h) facilitating continual improvement of the Information Security Measurement Programme.
One of the factors that will impact the organization’s ability to achieve measurement is its size. Generally the
size and complexity of the business in combination with the importance of information security affect the
extent of measurement needed, both in terms of the numbers of measures to be selected and the frequency
of collecting and analysing data. For SMEs (Small and Medium Enterprises) a less comprehensive Information
Security Measurement Programme will be sufficient, whereas large enterprises will implement and operate
multiple Information Security Measurement Programmes.
A single Information Security Measurement Programme may be sufficient for small organizations, whereas for
large enterprises the need may exist for multiple Information Security Measurement Programmes.
The guidance provided by this International Standard will result in the production of documentation that will
contribute to demonstrating that control effectiveness is being measured and assessed.
INTERNATIONAL STANDARD ISO/IEC 27004:2009(E)
Information technology — Security techniques — Information security management — Measurement
1 Scope
This International Standard provides guidance on the development and use of measures and measurement in
order to assess the effectiveness of an implemented information security management system (ISMS) and
controls or groups of controls, as specified in ISO/IEC 27001.
This International Standard is applicable to all types and sizes of organization.
NOTE This document uses the verbal forms for the expression of provisions (e.g. “shall”, “shall not”, “should”, “should
not”, “may”, “need not”, “can” and “cannot”) that are specified in the ISO/IEC Directives, Part 2, 2004, Annex H. See also
ISO/IEC 27000:2009, Annex A.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
3.1
analytical model
algorithm or calculation combining one or more base and/or derived measures with associated decision
criteria
[ISO/IEC 15939:2007]
3.2
attribute
property or characteristic of an object that can be distinguished quantitatively or qualitatively by human or
automated means
[ISO/IEC 15939:2007]
3.3
base measure
measure defined in terms of an attribute and the method for quantifying it
[ISO/IEC 15939:2007]
NOTE A base measure is functionally independent of other measures.
3.4
data
collection of values assigned to base measures, derived measures and/or indicators
[ISO/IEC 15939:2007]
3.5
decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe
the level of confidence in a given result
[ISO/IEC 15939:2007]
3.6
derived measure
measure that is defined as a function of two or more values of base measures
[ISO/IEC 15939:2007]
3.7
indicator
measure that provides an estimate or evaluation of specified attributes derived from an analytical model with
respect to defined information needs
3.8
information need
insight necessary to manage objectives, goals, risks and problems
[ISO/IEC 15939:2007]
3.9
measure
variable to which a value is assigned as the result of measurement
[ISO/IEC 15939:2007]
NOTE The term “measures” is used to refer collectively to base measures, derived measures, and indicators.
EXAMPLE A comparison of a measured defect rate to planned defect rate along with an assessment of whether or
not the difference indicates a problem.
3.10
measurement
process of obtaining information about the effectiveness of ISMS and controls using a measurement method,
a measurement function, an analytical model, and decision criteria
3.11
measurement function
algorithm or calculation performed to combine two or more base measures
[ISO/IEC 15939:2007]
3.12
measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a
specified scale
[ISO/IEC 15939:2007]
NOTE The type of measurement method depends on the nature of the operations used to quantify an attribute. Two
types can be distinguished:
— subjective: quantification involving human judgment;
— objective: quantification based on numerical rules.
3.13
measurement results
one or more indicators and their associated interpretations that address an information need
3.14
object
item characterized through the measurement of its attributes
3.15
scale
ordered set of values, continuous or discrete, or a set of categories to which the attribute is mapped
[ISO/IEC 15939:2007]
NOTE The type of scale depends on the nature of the relationship between values on the scale. Four types of scale
are commonly defined:
— nominal: the measurement values are categorical;
— ordinal: the measurement values are rankings;
— interval: the measurement values have equal distances corresponding to equal quantities of the attribute;
— ratio: the measurement values have equal distances corresponding to equal quantities of the attribute, where
the value of zero corresponds to none of the attribute.
These are just examples of the types of scale.
3.16
unit of measurement
particular quantity, defined and adopted by convention, with which other quantities of the same kind are
compared in order to express their magnitude relative to that quantity
[ISO/IEC 15939:2007]
3.17
validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended use or
application have been fulfilled
3.18
verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled
[ISO 9000:2005]
NOTE This could also be called compliance testing.
4 Structure of this International Standard
This International Standard provides an explanation of measures and measurement activities needed to
assess the effectiveness of ISMS requirements for the management of adequate and proportionate security
controls as required in ISO/IEC 27001:2005, 4.2.
This International Standard is structured as follows:
- Overview on the Information Security Measurement Programme and the Information Security
Measurement Model (Clause 5);
- Management responsibilities for information security measurements (Clause 6); and
- Measurement constructs and the processes (i.e. planning and developing, implementing and
operating, and improving measurements: communicating measurement results) to be implemented in
the Information Security Measurement Programme (Clauses 7-10).
In addition, Annex A provides an example template for the measurement construct of which the constituents
are the elements of the Information Security Measurement Model (see Clause 7). Annex B provides the
measurement construct examples for specific controls or processes of an ISMS, using the template provided
in Annex A.
These examples are intended to help an organization implement information security measurement and record
measurement activities and their outcomes.
5 Information security measurement overview
5.1 Objectives of information security measurement
The objectives of information security measurement in the context of an ISMS include:
a) evaluating the effectiveness of the implemented controls or groups of controls (See “4.2.2 d)” in Figure 1);
b) evaluating the effectiveness of the implemented ISMS (See “4.2.3 b)” in Figure 1);
c) verifying the extent to which identified security requirements have been met (See “4.2.3 c)” in Figure 1);
d) facilitating performance improvement of information security in terms of the organization’s overall
business risks;
e) providing input for management review to facilitate ISMS-related decision making and justify needed
improvements of the implemented ISMS.
Figure 1 illustrates the cyclical input–output relationship of the measurement activities in relation to the Plan-
Do-Check-Act (PDCA) cycle, specified in ISO/IEC 27001. Numbers in each figure represent relevant sub-
clauses of ISO/IEC 27001:2005.
(Figure 1 boxes, reconstructed as text and grouped by PDCA phase; sub-clause numbers refer to ISO/IEC 27001:2005.)
Plan:
- 4.2.1 e) 2) Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, and impacts associated with these assets, and the effectiveness of controls currently implemented.
- 4.2.1 g) Select control objectives and controls for the treatment of risks. Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment process.
Do:
- 4.2.2 c) Implement controls selected to meet the control objectives.
- 4.2.2 d) Define how to measure the effectiveness of selected controls or groups of controls.
Check:
- 4.2.3 b) Regular review of the effectiveness of the ISMS.
- 4.2.3 c) Measure the effectiveness of controls to verify that security requirements have been met.
- 4.2.3 d) Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risks, taking into account changes to effectiveness of implemented controls.
- 4.2.3 f) Undertake a management review of the ISMS on a regular basis to ensure that the scope remains adequate and improvements in the ISMS process are identified.
- 7.2 a), f) The input to a management review shall include results from effectiveness measurement and ISMS review.
Act:
- 7.3 b), 7.3 e) The output from the management review shall include any decision and actions related to: update of risk and the risk treatment plan (7.3 b); improvement to how the effectiveness of controls is being measured (7.3 e).
- 4.2.4 a) Implement the identified improvements in the ISMS.
Figure 1 — Measurement inputs and outputs in ISMS PDCA cycle of information security management
The organization should establish measurement objectives based on a number of considerations, including:
a) The role of information security in support of the organization’s overall business activities and the risks
it faces;
b) Applicable legal, regulatory, and contractual requirements;
c) Organizational structure;
d) Costs and benefits of implementing information security measures;
e) Risk acceptance criteria for the organization; and
f) A need to compare several ISMSs within the same organization.
5.2 Information Security Measurement Programme
An organization should establish and manage an Information Security Measurement Programme in order to
achieve the established measurement objectives and adopt the PDCA model within the organization’s overall
measurement activities. An organization should also develop and implement measurement constructs in order
to obtain repeatable, objective and useful results of measurement based on the Information Security
Measurement Model (see 5.4).
The Information Security Measurement Programme and the developed measurement construct should ensure
that an organization effectively achieves objective and repeatable measurement and provides measurement
results for relevant stakeholders to identify needs for improving the implemented ISMS, including its scope,
policies, objectives, controls, processes and procedures.
An Information Security Measurement Programme should include the following processes:
a) Measures and measurement development (see Clause 7);
b) Measurement operation (see Clause 8);
c) Data analysis and measurement results reporting (see Clause 9); and
d) Information Security Measurement Programme evaluation and improvement (see Clause 10).
The organisational and operational structure of an Information Security Measurement Programme should be
determined by taking into account the scale and complexity of the ISMS of which it is a part. In all cases, roles
and responsibilities for the Information Security Measurement Programme should be explicitly assigned to
competent personnel (see 7.5.8).
The measures selected and implemented by the Information Security Measurement Programme should be
directly related to the operation of the ISMS, to other measures, and to the organization's business processes.
Measurement can be integrated into regular operational activities or performed at regular intervals determined
by ISMS management.
5.3 Success factors
The following are some contributing factors to the success of an Information Security Measurement Programme
in facilitating continual ISMS improvement:
a) Management commitment supported by appropriate resources;
b) Existence of ISMS processes and procedures;
c) A repeatable process capable of capturing and reporting meaningful data to provide relevant trends over
a period of time;
d) Quantifiable measures based on ISMS objectives;
e) Easily obtainable data that can be used for measurement;
f) Evaluation of effectiveness of Information Security Measurement Programme and implementation of
identified improvements;
g) Consistent periodic collection, analysis, and reporting of measurement data in a manner that is
meaningful;
h) Use of the measurement results by relevant stakeholders to identify needs for improving the implemented
ISMS, including its scope, policies, objectives, controls, processes and procedures;
i) Acceptance of feedback on measurement results from relevant stakeholders; and
j) Evaluations of the usefulness of measurement results and implementation of identified improvements.
Once successfully implemented, an Information Security Measurement Programme can:
1) Demonstrate an organization’s compliance with applicable legal or regulatory requirements and
contractual obligations;
2) Support identification of previously undetected or unknown information security issues;
3) Assist in satisfying management reporting needs when stating measures for historical and current
activities; and
4) Be used as input into information security risk management process, internal ISMS audits and
management reviews.
5.4 Information security measurement model
NOTE The concepts of the information security measurement model and measurement constructs adopted in this
International Standard are based on those in ISO/IEC 15939. The term “information product” used in ISO/IEC 15939 is a
synonym for “measurement results” in this International Standard, and “measurement process” used in ISO/IEC 15939 is
a synonym for “Measurement Programme” in this International Standard.
5.4.1 Overview
The information security measurement model is a structure linking an information need to the relevant objects
of measurement and their attributes. Objects of measurement may include planned or implemented
processes, procedures, projects and resources.
The information security measurement model describes how the relevant attributes are quantified and
converted to indicators that provide a basis for decision making. Figure 2 depicts the information security
measurement model.
Figure 2 — Information security measurement model
NOTE Clause 7 provides detailed information about the individual elements of information security measurement
model.
Subsequent sub-clauses introduce individual elements of the model. They also provide examples of how
these individual elements are used.
The information need, or purpose of measurement, used in the examples in Tables 1 to 4 of the following
sub-clauses is to assess the awareness status of compliance with the organization's security policy among relevant
personnel (control objective A.8.2, and controls A.8.2.1 and A.8.2.2 of ISO/IEC 27001:2005).
5.4.2 Base measure and measurement method
A base measure is the simplest measure that can be obtained. A base measure results from applying a
measurement method to the attributes selected of an object of measurement. An object of measurement may
have many attributes, only some of which may provide useful values to be assigned to a base measure. A
given attribute may be used for several different base measures.
A measurement method is a logical sequence of operations used in quantifying an attribute with respect to a
specified scale. The operation may involve activities such as counting occurrences or observing the passage
of time.
A measurement method is applied to the attributes of an object of measurement. Examples of an object of
measurement include but are not limited to:
- Performance of controls implemented in the ISMS;
- Status of information assets protected by the controls;
- Performance of processes implemented in the ISMS;
- Behaviour of personnel who are responsible for the implemented ISMS;
- Activities of organizational units responsible for information security; and
- Extent of satisfaction of interested parties.
A measurement method may use objects of measurement and attributes from a variety of
sources, such as:
- Risk analysis and risk assessment results;
- Questionnaires and personal interviews;
- Internal and/or external audits reports;
- Records of events, such as logs, report statistics, and audit trails;
- Incident reports, particularly those that result in the occurrence of an impact;
- Test results, e.g. from penetration testing, social engineering, compliance tools, and security audit tools; or
- Records from the organization’s information security related procedures and programmes, e.g. information
security awareness training results.
Tables 1-4 below present the application of the information security model for the following controls:
- “Control 2” refers to control A.8.2.1 Management responsibility of ISO/IEC 27001:2005 (“Management
shall require employees, contractors and third party users to apply security in accordance with
established policies and procedures of the organization”); being implemented as follows: “All
personnel relevant to the ISMS must sign user agreements before being granted access to an
information system”;
- “Control 1” refers to control A.8.2.2 “Information security awareness, education and training” of
ISO/IEC 27001:2005 (“All employees of the organization and, where relevant, contractors and third
party users shall receive appropriate awareness training and regular updates in organizational policies
and procedures, as relevant for their job function”); being implemented as follows: “All personnel
relevant to the ISMS must receive information security awareness training before being granted
access to an information system”.
The corresponding measurement constructs are contained in B.1.
NOTE Tables 1 to 4 consist of columns (Table 1, four columns; Tables 2 to 4, three columns), each of which is assigned a
letter designator. Each box within a column is assigned a number designator. The combinations of letter and
number designators are used in subsequent boxes to refer to previous boxes. Arrows designate the data flows between
individual elements of the information security measurement model within the specific example.
Table 1 includes an example of the relationships between object of measurement, attribute, measurement
method and base measure for measuring the objects established for implemented controls described above.
8 © ISO/IEC 2009 – All rights reserved
Table 1 — Example of base measure and measurement method
5.4.3 Derived measure and measurement function
A derived measure is an aggregate of two or more base measures. A given base measure may serve as input
for several derived measures.
A measurement function is a calculation used to combine base measures together to create a derived
measure.
The scale and unit of the derived measure depends on the scales and units of the base measures from which
it is composed as well as how they are combined by the measurement function.
The measurement function may involve a variety of techniques, such as averaging base measures, applying
weights to base measures, or assigning qualitative values to base measures. The measurement function may
combine base measures using different scales, such as percentages and qualitative assessment results.
An example of the relationship of further elements of the information security measurement model application
(i.e. base measure, measurement function and derived measure) is presented in Table 2.
Table 2 — Example of derived measure and measurement function
5.4.4 Indicators and analytical model
An indicator is a measure that provides an estimate or evaluation of specified attributes derived from an
analytical model with respect to defined information need. Indicators are obtained by applying an analytical
model to a base and/or a derived measure and combining them with decision criteria. The scale and
measurement method affect the choice of analytical techniques used to produce indicators.
An example of the relationships between derived measures, analytical model and indicators for the
information security measurement model application is presented in Table 3.
Table 3 — Example of indicator and analytical model
NOTE If an indicator is represented in a graphical form, it should be usable by visually impaired users or when
monochrome copies are used. To make that possible, the indicator description should include colors, shading, fonts or
other visual methods.
5.4.5 Measurement results and decision criteria
Measurement results are developed by interpreting applicable indicators based on defined decision criteria
and should be considered in the context of the overall measurement objectives of assessing the ISMS
effectiveness. Decision criteria are used to determine the need for action or further investigation, as well as to
describe the level of confidence in measurement results. Decision criteria may be applied to a series of
indicators, for example to conduct trend analysis based on indicators received at different points in time.
Targets provide detailed performance specifications, applicable to the organization or parts thereof, derived
from the information security objectives such as the ISMS objectives and control objectives, and that need to
be set and met in order to achieve those objectives.
An example of the relationship of final elements of the information security measurement model application
(i.e. indicator, decision criteria and measurement results) is presented in Table 4.
Table 4 — Example of measurement results and analytical model
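The chain of model elements described in 5.4.2 to 5.4.5, worked through as an added example that is not part of the standard or its Tables 1-4: base measures for the two awareness controls A.8.2.1 and A.8.2.2, a measurement function producing derived measures, an analytical model producing an indicator, and decision criteria applied across a series of collection periods for trend analysis. All counts, the thresholds, the target and the choice of the minimum as the analytical model are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Decision criteria (3.5, 5.4.5) on the indicator's percentage scale.
# Constructed assumptions, not values taken from the standard.
TARGET_PERCENT = 100.0            # target derived from the control objective
INVESTIGATE_THRESHOLD = 90.0      # below this: further investigation needed
ACTION_THRESHOLD = 70.0           # below this: corrective action needed


@dataclass(frozen=True)
class BaseMeasures:
    """Base measures (5.4.2) for one collection period, taken from HR and
    training records. Unit: number of persons; measurement method: objective
    (counting), see the NOTE to 3.12. Sample values are constructed."""
    period: str
    personnel_total: int       # attribute: personnel relevant to the ISMS
    agreements_signed: int     # personnel with a signed user agreement (A.8.2.1)
    training_completed: int    # personnel who completed awareness training (A.8.2.2)


def measurement_function(numerator: int, denominator: int) -> float:
    """Measurement function (5.4.3): combines two base measures on a ratio
    scale into a derived measure expressed as a percentage. Rejects base
    measures that cannot produce a meaningful derived measure."""
    if denominator <= 0:
        raise ValueError("derived measure undefined: no personnel in scope")
    if not 0 <= numerator <= denominator:
        raise ValueError("inconsistent base measures: count exceeds personnel total")
    return 100.0 * numerator / denominator


def derived_measures(bm: BaseMeasures) -> dict[str, float]:
    """Two derived measures (5.4.3), one per control, sharing one base measure."""
    return {
        "pct_agreements_signed": measurement_function(bm.agreements_signed, bm.personnel_total),
        "pct_training_completed": measurement_function(bm.training_completed, bm.personnel_total),
    }


def analytical_model(derived: dict[str, float]) -> float:
    """Analytical model (5.4.4): the indicator is the lower of the two derived
    measures, because access is only to be granted once BOTH controls have
    been applied to a person, so the weaker control bounds compliance.
    Using the minimum is an assumption of this example."""
    return min(derived.values())


def apply_decision_criteria(indicator: float) -> str:
    """Maps the indicator to the need for action (5.4.5)."""
    if indicator >= INVESTIGATE_THRESHOLD:
        return "no action"
    if indicator >= ACTION_THRESHOLD:
        return "further investigation"
    return "corrective action"


@dataclass(frozen=True)
class MeasurementResult:
    """Measurement result (3.13): an indicator plus its interpretation."""
    period: str
    indicator: float
    gap_to_target: float
    decision: str
    trend: str


def measurement_results(series: list[BaseMeasures]) -> list[MeasurementResult]:
    """Interprets a series of indicators against the decision criteria,
    including trend analysis across collection periods (5.4.5)."""
    results: list[MeasurementResult] = []
    previous: float | None = None
    for bm in series:
        indicator = analytical_model(derived_measures(bm))
        if previous is None:
            trend = "baseline"
        elif indicator < previous:
            trend = "deteriorating"
        elif indicator > previous:
            trend = "improving"
        else:
            trend = "stable"
        results.append(MeasurementResult(
            period=bm.period,
            indicator=round(indicator, 1),
            gap_to_target=round(TARGET_PERCENT - indicator, 1),
            decision=apply_decision_criteria(indicator),
            trend=trend,
        ))
        previous = indicator
    return results


# Constructed sample data: three quarterly collections. Headcount grows each
# quarter, so the same number of trained people yields a lower indicator in Q3.
SAMPLE_SERIES = [
    BaseMeasures("2009-Q1", personnel_total=200, agreements_signed=190, training_completed=176),
    BaseMeasures("2009-Q2", personnel_total=210, agreements_signed=205, training_completed=189),
    BaseMeasures("2009-Q3", personnel_total=220, agreements_signed=218, training_completed=189),
]

if __name__ == "__main__":
    for r in measurement_results(SAMPLE_SERIES):
        print(f"{r.period}: indicator {r.indicator}% (gap {r.gap_to_target}), "
              f"{r.decision}, trend {r.trend}")
```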
6 Management responsibilities
6.1 Overview
Management is responsible for establishing the Information Security Measurement Programme, involving
relevant stakeholders (see 7.5.8) in the measurement activities, accepting measurement results as an input
into management review and using measurement result in improvement activities within the ISMS.
To achieve this, management should:
a) Establish objectives for the Information Security Measurement Programme;
b) Establish a policy for the Information Security Measurement Programme;
c) Establish roles and responsibilities for the Information Security Measurement Programme;
d) Provide adequate resources to perform measurement including personnel, funding, tools and
infrastructure;
e) Ensure that the objectives of the Information Security Measurement Programme are achieved;
f) Ensure that tools and equipment used to collect data are maintained properly;
g) Establish the purpose of measurement for each measurement construct;
h) Ensure that measurement provides sufficient information to relevant stakeholders with regard to
effectiveness of the ISMS and needs for improving the implemented ISMS, including its scope,
policies, objectives, controls, processes and procedures; and
i) Ensure that measurement provides sufficient information to relevant stakeholders with regard to
effectiveness of controls or group of controls and needs for improving the implemented controls.
Through the appropriate assignment of measurement roles and responsibilities, management should ensure
measurement results are not influenced by information owners (see 7.5.8). This may be achieved through
segregation of duties or, if this is not possible, through the use of detailed documentation that allows
independent checks.
6.2 Resource management
Management should assign and provide resources to support essential activities of measurement, such as
data collection, analysis, storage, reporting, and distribution. Resource allocations should include the
assignment of:
a) Individuals with responsibility for all aspects of the Information Security Measurement Programme;
b) Appropriate financial support; and
c) Appropriate infrastructure support, such as physical infrastructure and tools used to perform the
measurement process.
NOTE Clause 5.2.1 of ISO/IEC 27001:2005 specifies requirements for the provision of resources for implementation
and operation of an ISMS.
6.3 Measurement training, awareness, and competence
Management should ensure that:
a) The stakeholders (see 7.5.8) are trained adequately for achieving their roles and responsibilities in the
implemented Information Security Measurement Programme, and appropriately qualified to perform their
roles and responsibilities; and
b) The stakeholders understand that their duties include making suggestions for improvements in the
implemented Information Security Measurement Programme.
7 Measures and measurement development
7.1 Overview
This clause provides guidance on how to develop measures and measurement for the purpose of assessing
the effectiveness of the implemented ISMS and controls or group of controls, and identifying organisation-
specific sets of measurement constructs. Activities needed to develop measures and measurement should be
established and documented, including the following:
a) Defining the measurement scope (see 7.2);
b) Identifying an information need (see 7.3);
c) Selecting the object of measurement and its attributes (see 7.4);
d) Developing measurement constructs (see 7.5);
e) Applying measurement constructs (see 7.6);
f) Establishing data collection and analysis processes and tools (see 7.7); and
g) Establishing measurement implementation approach and documentation (see 7.8).
When establishing these activities, the organization should take into account financial, human, and
infrastructure (physical and tools) resources.
7.2 Definition of measurement scope
Depending on an organization’s capabilities and resources, the initial scope of an organization’s measurement
activities will be limited to such elements as specific controls, information assets
...
SLOVENIAN STANDARD
01-March-2011
Information technology - Security techniques - Information security management - Measurement
Technologies de l'information - Techniques de sécurité - Management de la sécurité de l'information - Mesurage
This Slovenian standard is identical to: ISO/IEC 27004:2009
ICS:
35.040 Character sets and information coding
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
INTERNATIONAL STANDARD ISO/IEC 27004
First edition
2009-12-15
Information technology — Security techniques — Information security management — Measurement
Technologies de l'information — Techniques de sécurité — Management de la sécurité de l'information — Mesurage
Reference number
© ISO/IEC 2009
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
© ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword ..... v
0 Introduction ..... vi
0.1 General ..... vi
0.2 Management overview ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Structure of this International Standard ..... 3
5 Information security measurement overview ..... 4
5.1 Objectives of information security measurement ..... 4
5.2 Information Security Measurement Programme ..... 5
5.3 Success factors ..... 6
5.4 Information security measurement model ..... 6
5.4.1 Overview ..... 6
5.4.2 Base measure and measurement method ..... 7
5.4.3 Derived measure and measurement function ..... 9
5.4.4 Indicators and analytical model ..... 10
5.4.5 Measurement results and decision criteria ..... 11
6 Management responsibilities ..... 12
6.1 Overview ..... 12
6.2 Resource management ..... 13
6.3 Measurement training, awareness, and competence ..... 13
7 Measures and measurement development ..... 13
7.1 Overview ..... 13
7.2 Definition of measurement scope ..... 13
7.3 Identification of information need ..... 14
7.4 Object and attribute selection ..... 14
7.5 Measurement construct development ..... 15
7.5.1 Overview ..... 15
7.5.2 Measure selection ..... 15
7.5.3 Measurement method ..... 15
7.5.4 Measurement function ..... 16
7.5.5 Analytical model ..... 16
7.5.6 Indicators ..... 16
7.5.7 Decision criteria ..... 16
7.5.8 Stakeholders ..... 17
7.6 Measurement construct ..... 17
7.7 Data collection, analysis and reporting ..... 17
7.8 Measurement implementation and documentation ..... 18
8 Measurement operation ..... 18
8.1 Overview ..... 18
8.2 Procedure integration ..... 18
8.3 Data collection, storage and verification ..... 19
9 Data analysis and measurement results reporting ..... 19
9.1 Overview ..... 19
9.2 Analyse data and develop measurement results ..... 19
9.3 Communicate measurement results ..... 20
10 Information Security Measurement Programme Evaluation and Improvement ..... 20
10.1 Overview ..... 20
10.2 Evaluation criteria identification for the Information Security Measurement Programme ..... 21
10.3 Monitor, review, and evaluate the Information Security Measurement Programme ..... 21
10.4 Implement improvements ..... 21
Annex A (informative) Template for an information security measurement construct ..... 22
Annex B (informative) Measurement construct examples ..... 24
Bibliography ..... 55
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27004 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 General
This International Standard provides guidance on the development and use of measures and measurement in
order to assess the effectiveness of an implemented information security management system (ISMS) and
controls or groups of controls, as specified in ISO/IEC 27001.
This would include policy, information security risk management, control objectives, controls, processes and
procedures, and support the process of its revision, helping to determine whether any of the ISMS processes
or controls need to be changed or improved. It needs to be kept in mind that no measurement of controls can
guarantee complete security.
The implementation of this approach constitutes an Information Security Measurement Programme. The
Information Security Measurement Programme will assist management in identifying and evaluating non-
compliant and ineffective ISMS processes and controls and prioritizing actions associated with improvement
or changing these processes and/or controls. It may also assist the organization in demonstrating
ISO/IEC 27001 compliance and provide additional evidence for management review and information security
risk management processes.
This International Standard assumes that the starting point for the development of measures and
measurement is a sound understanding of the information security risks that an organization faces, and that
an organization’s risk assessment activities have been performed correctly (i.e. based on ISO/IEC 27005), as
required by ISO/IEC 27001. The Information Security Measurement Programme will encourage an
organization to provide reliable information to relevant stakeholders concerning its information security risks
and the status of the implemented ISMS to manage these risks.
Effectively implemented, the Information Security Measurement Programme would improve stakeholder
confidence in measurement results, and enable the stakeholders to use these measures to effect continual
improvement of information security and the ISMS.
The accumulated measurement results will allow comparison of progress in achieving information security
objectives over a period of time as part of an organization’s ISMS continual improvement process.
0.2 Management overview
ISO/IEC 27001 requires the organization to “undertake regular reviews of the effectiveness of the ISMS taking
into account results from effectiveness measurement” and to “measure the effectiveness of controls to verify
that security requirements have been met”. ISO/IEC 27001 also requires the organization to “define how to
measure the effectiveness of the selected controls or groups of controls and specify how these measures are
to be used to assess control effectiveness to produce comparable and reproducible results”.
The approach adopted by an organization to fulfil the measurement requirements specified in ISO/IEC 27001
will vary based on a number of significant factors, including the information security risks that the organization
faces, its organizational size, resources available, and applicable legal, regulatory and contractual
requirements. Careful selection and justification of the method used to fulfil the measurement requirements
are important to ensure that excessive resources are not devoted to these activities of the ISMS to the
detriment of others. Ideally, ongoing measurement activities are to be integrated into the regular operations of
the organization with minimal additional resource requirements.
This International Standard gives recommendations concerning the following activities as a basis for an
organization to fulfil measurement requirements specified in ISO/IEC 27001:
a) developing measures (i.e. base measures, derived measures and indicators);
b) implementing and operating an Information Security Measurement Programme;
c) collecting and analysing data;
d) developing measurement results;
e) communicating developed measurement results to the relevant stakeholders;
f) using measurement results as contributing factors to ISMS-related decisions;
g) using measurement results to identify needs for improving the implemented ISMS, including its scope,
policies, objectives, controls, processes and procedures; and
h) facilitating continual improvement of the Information Security Measurement Programme.
One of the factors that will impact the organization’s ability to achieve measurement is its size. Generally the
size and complexity of the business in combination with the importance of information security affect the
extent of measurement needed, both in terms of the numbers of measures to be selected and the frequency
of collecting and analysing data. For SMEs (Small and Medium Enterprises) a less comprehensive information
security measurement program will be sufficient, whereas large enterprises will implement and operate
multiple Information Security Measurement Programmes.
A single Information Security Measurement Programme may be sufficient for small organizations, whereas for
large enterprises the need may exist for multiple Information Security Measurement Programmes.
The guidance provided by this International Standard will result in the production of documentation that will
contribute to demonstrating that control effectiveness is being measured and assessed.
INTERNATIONAL STANDARD ISO/IEC 27004:2009(E)
Information technology — Security techniques — Information
security management — Measurement
1 Scope
This International Standard provides guidance on the development and use of measures and measurement in
order to assess the effectiveness of an implemented information security management system (ISMS) and
controls or groups of controls, as specified in ISO/IEC 27001.
This International Standard is applicable to all types and sizes of organization.
NOTE This document uses the verbal forms for the expression of provisions (e.g. “shall”, “shall not”, “should”, “should
not”, “may”, “need not”, “can” and “cannot”) that are specified in the ISO/IEC Directives, Part 2, 2004, Annex H. See also
ISO/IEC 27000:2009, Annex A.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
3.1
analytical model
algorithm or calculation combining one or more base and/or derived measures with associated decision
criteria
[ISO/IEC 15939:2007]
3.2
attribute
property or characteristic of an object that can be distinguished quantitatively or qualitatively by human or
automated means
[ISO/IEC 15939:2007]
3.3
base measure
measure defined in terms of an attribute and the method for quantifying it
[ISO/IEC 15939:2007]
NOTE A base measure is functionally independent of other measures.
3.4
data
collection of values assigned to base measures, derived measures and/or indicators
[ISO/IEC 15939:2007]
3.5
decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe
the level of confidence in a given result
[ISO/IEC 15939:2007]
3.6
derived measure
measure that is defined as a function of two or more values of base measures
[ISO/IEC 15939:2007]
3.7
indicator
measure that provides an estimate or evaluation of specified attributes derived from an analytical model with
respect to defined information needs
3.8
information need
insight necessary to manage objectives, goals, risks and problems
[ISO/IEC 15939:2007]
3.9
measure
variable to which a value is assigned as the result of measurement
[ISO/IEC 15939:2007]
NOTE The term “measures” is used to refer collectively to base measures, derived measures, and indicators.
EXAMPLE A comparison of a measured defect rate to planned defect rate along with an assessment of whether or
not the difference indicates a problem.
3.10
measurement
process of obtaining information about the effectiveness of ISMS and controls using a measurement method,
a measurement function, an analytical model, and decision criteria
3.11
measurement function
algorithm or calculation performed to combine two or more base measures
[ISO/IEC 15939:2007]
3.12
measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a
specified scale
[ISO/IEC 15939:2007]
NOTE The type of measurement method depends on the nature of the operations used to quantify an attribute. Two
types can be distinguished:
— subjective: quantification involving human judgment;
— objective: quantification based on numerical rules.
3.13
measurement results
one or more indicators and their associated interpretations that address an information need
3.14
object
item characterized through the measurement of its attributes
3.15
scale
ordered set of values, continuous or discrete, or a set of categories to which the attribute is mapped
[ISO/IEC 15939:2007]
NOTE The type of scale depends on the nature of the relationship between values on the scale. Four types of scale
are commonly defined:
— nominal: the measurement values are categorical;
— ordinal: the measurement values are rankings;
— interval: the measurement values have equal distances corresponding to equal quantities of the attribute;
— ratio: the measurement values have equal distances corresponding to equal quantities of the attribute, where
the value of zero corresponds to none of the attribute.
These are just examples of the types of scale.
3.16
unit of measurement
particular quantity, defined and adopted by convention, with which other quantities of the same kind are
compared in order to express their magnitude relative to that quantity
[ISO/IEC 15939:2007]
3.17
validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended use or
application have been fulfilled
3.18
verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled
[ISO 9000:2005]
NOTE This could also be called compliance testing.
4 Structure of this International Standard
This International Standard provides an explanation of measures and measurement activities needed to
assess the effectiveness of ISMS requirements for the management of adequate and proportionate security
controls as required in ISO/IEC 27001:2005, 4.2.
This International Standard is structured as follows:
- Overview on the Information Security Measurement Programme and the Information Security
Measurement Model (Clause 5);
- Management responsibilities for information security measurements (Clause 6); and
- Measurement constructs and the processes (i.e. planning and developing, implementing and
operating, and improving measurements: communicating measurement results) to be implemented in
the Information Security Measurement Programme (Clauses 7-10).
In addition, Annex A provides an example template for the measurement construct, whose constituents are the
elements of the Information Security Measurement Model (see Clause 7). Annex B provides measurement
construct examples for specific controls or processes of an ISMS, using the template provided in Annex A.
These examples are intended to help an organization implement information security measurement and
record measurement activities and their outcomes.
5 Information security measurement overview
5.1 Objectives of information security measurement
The objectives of information security measurement in the context of an ISMS include:
a) evaluating the effectiveness of the implemented controls or groups of controls (See “4.2.2 d)” in Figure 1);
b) evaluating the effectiveness of the implemented ISMS (See “4.2.3 b)” in Figure 1);
c) verifying the extent to which identified security requirements have been met (See “4.2.3 c)” in Figure 1);
d) facilitating performance improvement of information security in terms of the organization’s overall
business risks;
e) providing input for management review to facilitate ISMS-related decision making and justify needed
improvements of the implemented ISMS.
Figure 1 illustrates the cyclical input–output relationship of the measurement activities in relation to the Plan-
Do-Check-Act (PDCA) cycle, specified in ISO/IEC 27001. Numbers in each figure represent relevant sub-
clauses of ISO/IEC 27001:2005.
[Figure 1 (diagram, not reproduced in this extraction): the Plan-Do-Check-Act cycle with four panels, Plan, Do, Check and Act, showing the measurement inputs and outputs as quotations of ISO/IEC 27001:2005 subclauses 4.2.1 e) 2), 4.2.1 g), 4.2.2 c), 4.2.2 d), 4.2.3 b), 4.2.3 c), 4.2.3 d), 4.2.3 f), 4.2.4 a), 7.2 a), f), 7.3 b) and 7.3 e).]
Figure 1 — Measurement inputs and outputs in ISMS PDCA cycle of information security management
The organization should establish measurement objectives based on a number of considerations, including:
a) The role of information security in support of the organization’s overall business activities and the risks
it faces;
b) Applicable legal, regulatory, and contractual requirements;
c) Organizational structure;
d) Costs and benefits of implementing information security measures;
e) Risk acceptance criteria for the organization; and
f) A need to compare several ISMSs within the same organization.
5.2 Information Security Measurement Programme
An organization should establish and manage an Information Security Measurement Programme in order to
achieve the established measurement objectives and adopt the PDCA model within the organization’s overall
measurement activities. An organization should also develop and implement measurement constructs in order
to obtain repeatable, objective and useful results of measurement based on the Information Security
Measurement Model (see 5.4).
The Information Security Measurement Programme and the developed measurement construct should ensure
that an organization effectively achieves objective and repeatable measurement and provides measurement
results for relevant stakeholders to identify needs for improving the implemented ISMS, including its scope,
policies, objectives, controls, processes and procedures.
An Information Security Measurement Programme should include the following processes:
a) Measures and measurement development (see Clause 7);
b) Measurement operation (see Clause 8);
c) Data analysis and measurement results reporting (see Clause 9); and
d) Information Security Measurement Programme evaluation and improvement (see Clause 10).
The organisational and operational structure of an Information Security Measurement Programme should be
determined by taking into account the scale and complexity of the ISMS of which it is a part. In all cases, roles
and responsibilities for the Information Security Measurement Programme should be explicitly assigned to
competent personnel (see 7.5.8).
The measures selected and implemented by the Information Security Measurement Programme should be
directly related to the operation of an ISMS, to other measures, and to the organization’s business processes.
Measurement can be integrated into regular operational activities or performed at regular intervals determined
by ISMS management.
5.3 Success factors
The following are some contributing factors to the success of an Information Security Measurement Programme
in facilitating continual ISMS improvement:
a) Management commitment supported by appropriate resources;
b) Existence of ISMS processes and procedures;
c) A repeatable process capable of capturing and reporting meaningful data to provide relevant trends over
a period of time;
d) Quantifiable measures based on ISMS objectives;
e) Easily obtainable data that can be used for measurement;
f) Evaluation of the effectiveness of the Information Security Measurement Programme and implementation of
identified improvements;
g) Consistent periodic collection, analysis, and reporting of measurement data in a manner that is
meaningful;
h) Use of the measurement results by relevant stakeholders to identify needs for improving the implemented
ISMS, including its scope, policies, objectives, controls, processes and procedures;
i) Acceptance of feedback on measurement results from relevant stakeholders; and
j) Evaluations of the usefulness of measurement results and implementation of identified improvements.
Once successfully implemented, an Information Security Measurement Programme can:
1) Demonstrate an organization’s compliance with applicable legal or regulatory requirements and
contractual obligations;
2) Support identification of previously undetected or unknown information security issues;
3) Assist in satisfying management reporting needs when stating measures for historical and current
activities; and
4) Be used as input into information security risk management process, internal ISMS audits and
management reviews.
5.4 Information security measurement model
NOTE The concepts of the information security measurement model and measurement constructs adopted in this
International Standard are based on those in ISO/IEC 15939. The term "information product" used in ISO/IEC 15939 is a
synonym for "measurement results" in this International Standard, and "measurement process" used in ISO/IEC 15939 is
a synonym for "Measurement Programme" in this International Standard.
5.4.1 Overview
The information security measurement model is a structure linking an information need to the relevant objects
of measurement and their attributes. Objects of measurement may include planned or implemented
processes, procedures, projects and resources.
6 © ISO/IEC 2009 – All rights reserved
The information security measurement model describes how the relevant attributes are quantified and
converted to indicators that provide a basis for decision making. Figure 2 depicts the information security
measurement model.
Figure 2 — Information security measurement model
NOTE Clause 7 provides detailed information about the individual elements of information security measurement
model.
Subsequent sub-clauses introduce individual elements of the model. They also provide examples of how
these individual elements are used.
The information need, or purpose of measurement, used in the examples contained in Tables 1 to 4 of the following
sub-clauses is to assess the status of awareness of and compliance with the organization's security policy among relevant
personnel (control objective A.8.2 and controls A.8.2.1 and A.8.2.2 of ISO/IEC 27001:2005).
5.4.2 Base measure and measurement method
A base measure is the simplest measure that can be obtained. A base measure results from applying a
measurement method to the selected attributes of an object of measurement. An object of measurement may
have many attributes, only some of which may provide useful values to be assigned to a base measure. A
given attribute may be used for several different base measures.
A measurement method is a logical sequence of operations used in quantifying an attribute with respect to a
specified scale. The operation may involve activities such as counting occurrences or observing the passage
of time.
A measurement method is applied to the attributes of an object of measurement. Examples of an object of
measurement include but are not limited to:
- Performance of controls implemented in the ISMS;
- Status of information assets protected by the controls;
- Performance of processes implemented in the ISMS;
- Behaviour of personnel who are responsible for the implemented ISMS;
- Activities of organizational units responsible for information security; and
- Extent of satisfaction of interested parties.
A measurement method may draw on objects of measurement and attributes from a variety of
sources, such as:
- Risk analysis and risk assessment results;
- Questionnaires and personal interviews;
- Internal and/or external audits reports;
- Records of events, such as logs, report statistics, and audit trails;
- Incident reports, particularly those that result in the occurrence of an impact;
- Test results, e.g. from penetration testing, social engineering, compliance tools, and security audit tools;
or
- Records from the organization's information security related procedures and programmes, e.g. information
security awareness training results.
Tables 1 to 4 below present the application of the information security measurement model for the following controls:
- “Control 2” refers to control A.8.2.1 Management responsibility of ISO/IEC 27001:2005 (“Management
shall require employees, contractors and third party users to apply security in accordance with
established policies and procedures of the organization”); being implemented as follows: “All
personnel relevant to the ISMS must sign user agreements before being granted access to an
information system”;
- “Control 1” refers to control A.8.2.2 “Information security awareness, education and training” of
ISO/IEC 27001:2005 (“All employees of the organization and, where relevant, contractors and third
party users shall receive appropriate awareness training and regular updates in organizational policies
and procedures, as relevant for their job function”); being implemented as follows: “All personnel
relevant to the ISMS must receive information security awareness training before being granted
access to an information system”.
The corresponding measurement constructs are contained in B.1.
NOTE Tables 1 to 4 consist of several columns (Table 1, four columns; Tables 2 to 4, three columns), each of which is assigned a
letter designator. Each box within an individual column is assigned a number designator. The combinations of letter and
number designators are used in subsequent boxes to refer to previous boxes. Arrows designate the data flows between
individual elements of the information security measurement model within the specific example.
Table 1 includes an example of the relationships between object of measurement, attribute, measurement
method and base measure for measuring the objects established for implemented controls described above.
Table 1 — Example of base measure and measurement method
5.4.3 Derived measure and measurement function
A derived measure is an aggregate of two or more base measures. A given base measure may serve as input
for several derived measures.
A measurement function is a calculation used to combine base measures together to create a derived
measure.
The scale and unit of the derived measure depends on the scales and units of the base measures from which
it is composed as well as how they are combined by the measurement function.
The measurement function may involve a variety of techniques, such as averaging base measures, applying
weights to base measures, or assigning qualitative values to base measures. The measurement function may
combine base measures using different scales, such as percentages and qualitative assessment results.
An example of the relationship between further elements of the information security measurement model
(i.e. base measure, measurement function and derived measure) is presented in Table 2.
Table 2 — Example of derived measure and measurement function
5.4.4 Indicators and analytical model
An indicator is a measure that provides an estimate or evaluation of specified attributes derived from an
analytical model with respect to a defined information need. Indicators are obtained by applying an analytical
model to base and/or derived measures and combining them with decision criteria. The scale and
measurement method affect the choice of analytical techniques used to produce indicators.
An example of the relationships between derived measures, analytical model and indicators for the
information security measurement model application is presented in Table 3.
Table 3 — Example of indicator and analytical model
NOTE If an indicator is represented in a graphical form, it should be usable by visually impaired users or when
monochrome copies are used. To make that possible, the indicator description should include the colours, shading, fonts or
other visual methods used.
5.4.5 Measurement results and decision criteria
Measurement results are developed by interpreting the applicable indicators on the basis of defined decision criteria
and should be considered in the context of the overall measurement objective of assessing the ISMS
effectiveness. Decision criteria are used to determine the need for action or further investigation, as well as to
describe the level of confidence in the measurement results. Decision criteria may be applied to a series of
indicators, for example to conduct trend analysis based on indicators obtained at different points in time.
Targets provide detailed performance specifications, applicable to the organization or parts thereof, derived
from the information security objectives such as the ISMS objectives and control objectives, and that need to
be set and met in order to achieve those objectives.
An example of the relationship of final elements of the information security measurement model application
(i.e. indicator, decision criteria and measurement results) is presented in Table 4.
Table 4 — Example of measurement results and analytical model
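The chain described in 5.4.2 to 5.4.5 (measurement method, base measures, measurement function, derived measures, analytical model, indicator, decision criteria, measurement results) carried through in code for the running example of controls A.8.2.1 and A.8.2.2. This is an added illustration, not material from the standard or from Tables 1 to 4; the personnel records are constructed, and the 365-day training window, the equal weights in the analytical model and the 90/70 thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    """Object of measurement: one personnel record (constructed sample data)."""
    uid: str
    has_system_access: bool              # attribute: access granted to an information system
    signed_agreement: bool               # attribute used for control A.8.2.1
    training_completed: Optional[date]   # attribute used for control A.8.2.2


# Constructed sample records; u11 holds no system access and is out of scope.
SAMPLE_PERSONNEL = [
    Person("u01", True, True, date(2024, 1, 15)),
    Person("u02", True, True, date(2023, 12, 1)),
    Person("u03", True, True, date(2024, 3, 10)),
    Person("u04", True, True, date(2022, 5, 1)),   # training older than the window
    Person("u05", True, True, None),               # never trained
    Person("u06", True, True, date(2024, 6, 1)),
    Person("u07", True, True, date(2024, 2, 20)),
    Person("u08", True, True, date(2023, 9, 15)),
    Person("u09", True, False, date(2024, 4, 4)),  # no signed user agreement
    Person("u10", True, False, None),
    Person("u11", False, False, None),             # out of scope
]
AS_OF = date(2024, 6, 30)       # reporting date of the example period
TRAINING_VALID_DAYS = 365       # assumption: annual refresher required


def base_measures(personnel, as_of):
    """Measurement method: counting occurrences among personnel holding access.
    Returns three base measures on a ratio scale (unit: persons)."""
    in_scope = [p for p in personnel if p.has_system_access]
    trained = [p for p in in_scope
               if p.training_completed is not None
               and (as_of - p.training_completed).days <= TRAINING_VALID_DAYS]
    return {
        "personnel_with_access": len(in_scope),
        "signed_agreements": sum(1 for p in in_scope if p.signed_agreement),
        "trained_within_period": len(trained),
    }


def derived_measures(bm):
    """Measurement function: ratio of two base measures, in percent.
    An empty population yields None for both rates, so it is reported as
    'no data' instead of 0 % or a division error."""
    n = bm["personnel_with_access"]
    if n == 0:
        return {"agreement_rate": None, "training_rate": None}
    return {
        "agreement_rate": 100.0 * bm["signed_agreements"] / n,
        "training_rate": 100.0 * bm["trained_within_period"] / n,
    }


def indicator(dm, w_agreement=0.5, w_training=0.5):
    """Analytical model (assumed): weighted average of the derived measures, 0..100."""
    if dm["agreement_rate"] is None:
        return None
    return round(w_agreement * dm["agreement_rate"] + w_training * dm["training_rate"], 1)


# Decision criteria (assumed thresholds): lower bound -> rating and follow-up action.
DECISION_CRITERIA = [
    (90.0, "green", "no action; keep monitoring"),
    (70.0, "amber", "investigate cause and schedule remediation"),
    (0.0, "red", "escalate to management review"),
]


def measurement_result(ind):
    """Measurement result: the indicator interpreted against the decision criteria."""
    if ind is None:
        return {"indicator": None, "rating": "no data",
                "action": "population in scope is empty; verify data collection"}
    for lower_bound, rating, action in DECISION_CRITERIA:
        if ind >= lower_bound:
            return {"indicator": ind, "rating": rating, "action": action}
    raise ValueError("indicator outside the 0..100 scale")


def trend(series, tolerance=2.0):
    """Decision criterion applied to indicators from successive periods (5.4.5)."""
    values = [v for v in series if v is not None]
    if len(values) < 2:
        return "insufficient data"
    delta = values[-1] - values[0]
    if delta > tolerance:
        return "improving"
    if delta < -tolerance:
        return "declining"
    return "stable"


def run_example(as_of=AS_OF):
    """Carry the sample records through every element of the model."""
    return measurement_result(indicator(derived_measures(base_measures(SAMPLE_PERSONNEL, as_of))))


if __name__ == "__main__":
    print(run_example())   # {'indicator': 75.0, 'rating': 'amber', ...}
```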
6 Management responsibilities
6.1 Overview
Management is responsible for establishing the Information Security Measurement Programme, involving
relevant stakeholders (see 7.5.8) in the measurement activities, accepting measurement results as an input
into management review and using measurement result in improvement activities within the ISMS.
To achieve this, management should:
a) Establish objectives for the Information Security Measurement Programme;
b) Establish a policy for the Information Security Measurement Programme;
c) Establish roles and responsibilities for the Information Security Measurement Programme;
d) Provide adequate resources to perform measurement including personnel, funding, tools and
infrastructure;
e) Ensure that the objectives of the Information Security Measurement Programme are achieved;
f) Ensure that tools and equipment used to collect data are maintained properly;
g) Establish the purpose of measurement for each measurement construct;
h) Ensure that measurement provides sufficient information to relevant stakeholders with regard to
effectiveness of the ISMS and needs for improving the implemented ISMS, including its scope,
policies, objectives, controls, processes and procedures; and
i) Ensure that measurement provides sufficient information to relevant stakeholders with regard to
effectiveness of controls or group of controls and needs for improving the implemented controls.
Through the appropriate assignment of measurement roles and responsibilities, management should ensure that
measurement results are not influenced by information owners (see 7.5.8). This may be achieved through
segregation of duties or, if this is not possible, through the use of detailed documentation that allows
independent checks.
6.2 Resource management
Management should assign and provide resources to support essential activities of measurement, such as
data collection, analysis, storage, reporting, and distribution. Resource allocations should include the
assignment of:
a) Individuals with responsibility for all aspects of Information Security Measurement Programme;
b) Appropriate financial support; and
c) Appropriate infrastructure support, such as physical infrastructure and tools used to perform the
measurement process.
NOTE Clause 5.2.1 of ISO/IEC 27001:2005 specifies requirements for the provision of resources for the implementation
and operation of an ISMS.
6.3 Measurement training, awareness, and competence
Management should ensure that:
a) The stakeholders (see 7.5.8) are trained adequately for achieving their roles and responsibilities in the
implemented Information Security Measurement Programme, and appropriately qualified to perform their
roles and responsibilities; and
b) The st
...
SLOVENIAN STANDARD SIST ISO/IEC 27004
March 2011
Information technology – Security techniques – Information security management – Measurement
Reference designation
ICS 35.040 SIST ISO/IEC 27004:2011 (sl)
Continued on pages 2 to 65
© 2014-07. Slovenian Institute for Standardization. Reproduction or copying of all or parts of this standard is not permitted.
SIST ISO/IEC 27004 : 2011
NATIONAL INTRODUCTION
The standard SIST ISO/IEC 27004 (sl), Information technology – Security techniques – Information security management – Measurement, 2011, has the status of a Slovenian standard and is identical to the international standard ISO/IEC 27004 (en), Information technology – Security techniques – Information security management – Measurement, 2009.
NATIONAL FOREWORD
The international standard ISO/IEC 27004:2009 was prepared by subcommittee ISO/IEC JTC 1/SC 27, IT Security techniques, of the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission.
The Slovenian standard SIST ISO/IEC 27004:2011 is a translation of the international standard ISO/IEC 27004:2009. The Slovenian standard SIST ISO/IEC 27004:2011 was prepared by technical committee SIST/TC ITC Information technology. In the event of a dispute concerning the wording of the Slovenian translation, the original international standard in English prevails.
The decision to issue this standard was taken by SIST/TC ITC Information technology on 25 November 2010.
RELATIONSHIP TO NATIONAL STANDARDS
SIST ISO/IEC 27000:2011 Information technology – Security techniques – Information security management systems – Overview and vocabulary
SIST ISO/IEC 27001:2010 Information technology – Security techniques – Information security management systems – Requirements (superseded by SIST ISO/IEC 27001:2013)
BASIS FOR ISSUING THE STANDARD
– adoption of the standard ISO/IEC 27004:2009
NOTES
– Wherever the text of the standard uses the term "International Standard", in SIST ISO/IEC 27004:2011 this means "Slovenian standard".
– The national introduction and the national foreword are not integral parts of the standard.
Contents Page
Foreword 5
0 Introduction 6
0.1 General 6
0.2 Management overview 6
1 Scope 8
2 Normative references 8
3 Terms and definitions 8
4 Structure of this International Standard 10
5 Information security measurement overview 10
5.1 Objectives of information security measurement 10
5.2 Information Security Measurement Programme 11
5.3 Success factors 12
5.4 Information security measurement model 12
5.4.1 Overview 13
5.4.2 Base measure and measurement method 13
5.4.3 Derived measure and measurement function 15
5.4.4 Indicators and analytical model 16
5.4.5 Measurement results and decision criteria 17
6 Management responsibilities 17
6.1 Overview 17
6.2 Resource management 18
6.3 Measurement training, awareness and competence 18
7 Measures and measurement development 18
7.1 Overview 18
7.2 Definition of measurement scope 19
7.3 Identification of information need 19
7.4 Object and attribute selection 19
7.5 Measurement construct development 20
7.5.1 Overview 20
7.5.2 Measure selection 21
7.5.3 Measurement method 21
7.5.4 Measurement function 21
7.5.5 Analytical model 22
7.5.6 Indicators 22
7.5.7 Decision criteria 22
7.5.8 Stakeholders 23
7.6 Measurement construct 23
7.7 Data collection, analysis and reporting 23
7.8 Measurement implementation and documentation 24
8 Measurement operation 24
8.1 Overview 24
8.2 Procedures integration 24
8.3 Data collection, storage and verification 25
9 Data analysis and measurement results reporting 25
9.1 Overview 25
9.2 Analyse data and develop measurement results 25
9.3 Communicate measurement results 26
10 Information Security Measurement Programme evaluation and improvement 26
10.1 Overview 26
10.2 Identify evaluation criteria for the Information Security Measurement Programme 27
10.3 Monitor, review and evaluate the Information Security Measurement Programme 28
10.4 Implement improvements 28
Annex A (informative): Template for an information security measurement construct 29
Annex B (informative): Measurement construct examples 32
Bibliography 65
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to the national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27004 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 General
This International Standard provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and of controls or groups of controls, as specified in ISO/IEC 27001.
This should include the policy, information security risk management, control objectives, controls, processes and procedures, and should support the process of their revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved. It should be kept in mind that no measurement of controls can guarantee complete security.
The implementation of this approach constitutes an Information Security Measurement Programme. The Information Security Measurement Programme will assist management in identifying and evaluating non-compliant and ineffective ISMS processes and controls and in prioritizing actions for the improvement or change of these processes and/or controls. It may also assist the organization in demonstrating compliance with ISO/IEC 27001 and provide additional evidence for the management review of the information security risk management processes.
This International Standard assumes that the starting point for the development of measures and measurement is a sound understanding of the information security risks that the organization faces, and that the organization's risk assessment activities have been performed correctly (i.e. based on ISO/IEC 27005), as required by ISO/IEC 27001. The Information Security Measurement Programme will encourage the organization to provide reliable information to its stakeholders concerning its information security risks and the status of the implemented ISMS in managing these risks.
An effectively implemented Information Security Measurement Programme would improve stakeholder confidence in measurement results and enable the stakeholders to use these measures for the continual improvement of information security and of the ISMS.
The accumulated measurement results will allow comparison of progress in achieving information security objectives over a period of time as part of the organization's ISMS continual improvement process.
0.2 Management overview
ISO/IEC 27001 requires the organization to "undertake regular reviews of the effectiveness of the ISMS taking into account results from effectiveness measurements" and to "measure the effectiveness of controls to verify that security requirements have been met". ISO/IEC 27001 also requires the organization to "define how to measure the effectiveness of the selected controls or groups of controls and specify how these measurements are to be used to assess control effectiveness to produce comparable and reproducible results".
The approach the organization adopts to fulfil the measurement requirements specified in ISO/IEC 27001 will vary according to a number of significant factors, including the information security risks the organization faces, its size, the available resources, and the applicable legal, regulatory and contractual requirements. Careful selection and justification of the method used to fulfil the measurement requirements are important to ensure that excessive resources are not directed to ISMS activities to the detriment of other activities. Ideally, ongoing measurements would be integrated into the organization's regular activities with minimal additional resource requirements.
As a basis for fulfilling the measurement requirements specified in ISO/IEC 27001, this International Standard provides the organization with appropriate recommendations for the following activities:
a) development of measures (i.e. base measures, derived measures and indicators);
b) implementation and operation of an Information Security Measurement Programme;
c) collection and analysis of data;
d) development of measurement results;
e) communication of the developed measurement results to the stakeholders;
f) use of measurement results as a contribution to ISMS-related decisions;
g) use of measurement results to identify needs for improving the implemented ISMS, including its scope, policies, objectives, controls, processes and procedures; and
h) facilitating continual improvement of the Information Security Measurement Programme.
One of the factors affecting the organization's ability to achieve measurement is its size. In general, the size and complexity of the business, combined with the importance of information security, influence the scale of measurement required, both in terms of the number of measures to be selected and the frequency of data collection and analysis. For SMEs (small and medium-sized enterprises) an Information Security Measurement Programme with less extensive information will suffice, whereas larger enterprises will implement and operate several Information Security Measurement Programmes simultaneously.
In small organizations a single Information Security Measurement Programme may be sufficient, while in large enterprises there may be a need for multiple Information Security Measurement Programmes.
The guidance provided by this International Standard will result in the production of documentation that will contribute to demonstrating that control effectiveness is being measured and assessed.
Information technology – Security techniques – Information security management – Measurement
1 Scope
This International Standard provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and of controls or groups of controls, as specified in ISO/IEC 27001.
This International Standard is applicable to all types and sizes of organization.
NOTE: This document uses the verbal forms for the expression of provisions (e.g. "shall", "shall not", "should", "should not", "may", "need not", "can" and "cannot") that are specified in the ISO/IEC Directives, Part 2, 2004, Annex H. See also ISO/IEC 27000:2009, Annex A.
2 Normative references
The following two referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2009 Information technology – Security techniques – Information security management systems – Overview and vocabulary
ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
3.1 analytical model
algorithm or calculation combining one or more base and/or derived measures with associated decision criteria
[ISO/IEC 15939:2007]
3.2 attribute
property or characteristic of an object that can be distinguished quantitatively or qualitatively by human or automated means
[ISO/IEC 15939:2007]
3.3 base measure
measure defined in terms of an attribute and the method for quantifying it
[ISO/IEC 15939:2007]
NOTE: A base measure is functionally independent of other measures.
3.4 data
collection of values assigned to base measures, derived measures and/or indicators
[ISO/IEC 15939:2007]
3.5 decision criteria
thresholds, targets or patterns used to determine the need for further action or investigation, or to describe the level of confidence in a given result
[ISO/IEC 15939:2007]
3.6 derived measure
measure that is defined as a function of the values of two or more base measures
[ISO/IEC 15939:2007]
3.7 indicator
measure that provides an estimate or evaluation of specified attributes derived from an analytical model with respect to defined information needs
3.8 information need
insight necessary to manage objectives, goals, risks and problems
[ISO/IEC 15939:2007]
3.9 measure
variable to which a value is assigned as the result of measurement
[ISO/IEC 15939:2007]
NOTE: The term "measure" is used as a collective term for base measures, derived measures and indicators.
EXAMPLE: Comparison of a measured defect rate with the planned defect rate, together with an assessment of whether the difference indicates a problem.
3.10 measurement
process of obtaining information about the effectiveness of the ISMS and controls using a measurement method, a measurement function, an analytical model and decision criteria
3.11 measurement function
algorithm or calculation performed to combine two or more base measures
[ISO/IEC 15939:2007]
3.12 measurement method
logical sequence of generically described operations used in quantifying an attribute with respect to a specified scale
[ISO/IEC 15939:2007]
NOTE: The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types of method can be distinguished:
– subjective methods: quantification involving human judgement;
– objective methods: quantification based on numerical rules.
3.13 measurement results
one or more indicators and their associated interpretations that address a certain information need
3.14 object
item characterized through the measurement of its attributes
3.15 scale
ordered set of values, continuous or discrete, or a set of categories to which the attributes are mapped
[ISO/IEC 15939:2007]
NOTE: The type of scale depends on the nature of the relationship between values on the scale. Four types of scale are commonly defined:
– nominal: the measurement values are categorical;
– ordinal: the measurement values are rankings;
– interval: the measurement values have equal distances corresponding to equal quantities of the attribute;
– ratio: the measurement values have equal distances corresponding to equal quantities of the attribute, where the value zero corresponds to none of the attribute.
These are only examples of types of scale.
3.16 unit of measurement
particular quantity, defined and adopted by convention, with which other quantities of the same kind are compared in order to express their magnitude relative to that quantity
[ISO/IEC 15939:2007]
3.17 validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled
3.18 verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled
[ISO 9000:2005]
NOTE: This could also be called compliance testing.
4 Structure of this International Standard
This International Standard explains the measures and measurement activities needed to assess the effectiveness of the ISMS requirements for managing appropriate and proportionate security controls, as required in ISO/IEC 27001:2005, 4.2.
This International Standard is structured as follows:
– an overview of the Information Security Measurement Programme and of the information security measurement model (Clause 5);
– management responsibilities for information security measurement (Clause 6); and
– measurement constructs and processes (i.e. planning and development, implementation and operation, and improvement of measurements, including communication of measurement results) carried out within the Information Security Measurement Programme (Clauses 7 to 10).
In addition, Annex A provides a sample template for a measurement construct, the components of which are the elements of the information security measurement model (see Clause 7). Annex B specifies sample measurement constructs for specific ISMS controls or processes, using the template from Annex A.
The purpose of these examples is to assist the organization in how to perform information security measurement and how to document the measurements and their results.
5 Information security measurement overview
5.1 Objectives of information security measurement
The objectives of information security measurement in the context of an ISMS include:
a) evaluating the effectiveness of the implemented controls or groups of controls (see "4.2.2.d)" in Figure 1);
b) evaluating the effectiveness of the implemented ISMS (see "4.2.3.b)" in Figure 1);
c) verifying the extent to which the identified security requirements have been met (see "4.2.3.c)" in Figure 1);
d) facilitating the improvement of information security performance in terms of the organization's overall business risks;
e) providing input for management review to facilitate ISMS-related decision making and to justify needed improvements of the implemented ISMS.
Figure 1 illustrates the cyclic input-output relationship of measurement in relation to the Plan-Do-Check-Act (PDCA) cycle defined in ISO/IEC 27001. The numbers in each part of the figure refer to the corresponding subclauses of ISO/IEC 27001:2005.
[Figure 1 is a diagram; the text of its four PDCA quadrants and management review boxes is recovered below.]
Plan:
– 4.2.1.e)2) Assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, the impacts associated with these assets, and the controls currently implemented.
– 4.2.1.g) Select control objectives and controls for the treatment of risks. Control objectives and controls shall be selected and implemented to meet the requirements identified by the risk assessment and risk treatment processes.
Do:
– 4.2.2.c) Implement the controls selected to meet the control objectives.
– 4.2.2.d) Define how to measure the effectiveness of the selected controls or groups of controls.
Check:
– 4.2.3.b) Undertake regular reviews of the effectiveness of the ISMS.
– 4.2.3.c) Measure the effectiveness of controls to verify that security requirements have been met.
– 4.2.3.d) Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risk, taking into account changes in the effectiveness of the implemented controls.
– 4.2.3.f) Undertake regular management reviews of the ISMS to ensure that the scope remains adequate and that improvements in the ISMS processes are identified.
Act:
– 4.2.4.a) Implement the identified improvements in the ISMS.
Management review:
– 7.2 a), f) The input to a management review shall include the results of effectiveness measurements and of the ISMS review.
– 7.3 b), e) The output from the management review shall include any decisions and actions related to the update of the risk assessment and risk treatment plan and to the improvement of how the effectiveness of controls is measured.
Figure 1: Measurement inputs and outputs in the ISMS PDCA cycle
The organization should establish measurement objectives based on a number of factors, including:
a) the role of information security in supporting the organization's overall business activities and the risks it faces;
b) applicable legal, regulatory and contractual requirements;
c) the organizational structure;
d) the costs and benefits of measuring the implemented information security measures;
e) the organization's risk acceptance criteria; and
f) the need to compare several ISMSs within the same organization.
5.2 Information Security Measurement Programme
The organization should establish and manage an Information Security Measurement Programme in order to achieve the established measurement objectives and to adopt the PDCA model within the organization's overall measurement activities. The organization should also develop and implement measurement constructs in order to achieve repeatable, objective and useful measurement results based on the information security measurement model (see 5.4).
The Information Security Measurement Programme and the developed measurement construct should ensure that the organization effectively achieves objective and repeatable measurements and provides measurement results to the stakeholders for identifying needs to improve the implemented ISMS, including its scope, policies, objectives, controls, processes and procedures.
The Information Security Measurement Programme should include the following processes:
a) measures and measurement development (see Clause 7);
b) measurement operation (see Clause 8);
c) data analysis and measurement results reporting (see Clause 9); and
d) Information Security Measurement Programme evaluation and improvement (see Clause 10).
The organizational and operational structure of the Information Security Measurement Programme should be determined by taking into account the scale and complexity of the ISMS of which they are a part. In all cases, roles and responsibilities for the Information Security Measurement Programme should be explicitly assigned to competent personnel (see 7.5.8).
The measures selected and implemented by the Information Security Measurement Programme should be directly related to the operation of the ISMS, to other measures, and to the organization's business processes. Measurement can be integrated into regular operational activities or performed at defined intervals determined by ISMS management.
5.3 Success factors
Some of the factors that contribute to the success of an information security measurement programme in promoting continual improvement of the ISMS are given below:
a) management commitment supported by appropriate resources,
b) existence of ISMS processes and procedures,
c) repeatable processes capable of capturing and reporting relevant data so as to provide meaningful trends over a given period of time,
d) measurable measures based on the ISMS objectives,
e) easily obtainable data that can be used for measurement,
f) evaluation of the effectiveness of the information security measurement programme and implementation of the identified improvements,
g) consistent periodic collection, analysis and reporting of measurement data in a meaningful way,
h) use of the measurement results by stakeholders to identify needs to improve the implementation of the ISMS, including its scope, policies, objectives, controls, processes and procedures,
i) acceptance of feedback on measurement results from relevant stakeholders, and
j) evaluation of the usefulness of measurement results and implementation of the identified improvements.
Once the information security measurement programme has been successfully implemented, it can be used to:
1) demonstrate the organization's compliance with applicable legal or regulatory requirements and contractual obligations;
2) support the identification of previously undetected or unknown information security issues;
3) help meet management reporting needs by providing measures of past and current activities, and
4) serve as a source of input to the information security risk management process, internal ISMS audits and management reviews.
5.4 Information security measurement model
NOTE: The concepts of the information security measurement model and of the measurement constructs adopted in this International Standard are based on those given in ISO/IEC 15939. The term "information product" used in ISO/IEC 15939 is synonymous with "measurement results" in this International Standard, and the term "measurement process" used in ISO/IEC 15939 is synonymous with "measurement programme" in this International Standard.
5.4.1 Overview
The information security measurement model is a structure linking an information need to the relevant objects of measurement and their attributes. Objects of measurement may include planned or implemented processes, procedures, projects or resources.
The information security measurement model describes how the relevant attributes are quantified and converted into indicators that provide a basis for decision making. Figure 2 shows the information security measurement model.
[Figure 2 residue; the diagram's elements are: Information needs; Effectiveness; Measurement results; Information security management process; Control objectives; Decision criteria; Controls; Implementation processes, procedures; Indicator; Analytical model; Derived measures; Object of measurement; Measurement function; Attribute; Measurement method; Base measures; Measurement]
Figure 2: Information security measurement model
NOTE: Clause 7 provides detailed information on the individual elements of the information security measurement model.
The following subclauses introduce the individual elements of the model. They also give examples of how these individual elements are used.
The information need, or purpose of the measurements, used in the examples in Tables 1 to 4 of the following subclauses is to assess the awareness of the organization's relevant personnel of the state of compliance with the organization's security policy (control objective A.8.2 and controls A.8.2.1 and A.8.2.2 of ISO/IEC 27001:2005).
5.4.2 Base measure and measurement method
A base measure is the simplest measure that can be obtained. A base measure results from applying a measurement method to selected attributes of an object of measurement. An object of measurement may have many attributes, but only some of them may provide useful values that can be assigned to a base measure. A given attribute can be used for several different base measures.
A measurement method is a logical sequence of operations used to quantify an attribute with respect to a specified measure. The operations may involve activities such as counting occurrences or observing over time. A measurement method may allow attributes to be assigned to an object of measurement. Examples of objects of measurement include, but are not limited to:
– the performance of controls implemented in the ISMS;
– the status of information assets protected by the controls;
– the performance of processes carried out in the ISMS;
– the behaviour of personnel responsible for implementing the ISMS;
– the activities of the organizational unit responsible for information security; and
– the extent of satisfaction of interested parties.
A measurement method may use objects of measurement and attributes from various sources for measurement, such as:
– results of risk analysis and risk assessment;
– questionnaires and personal interviews;
– internal and/or external audit reports;
– event records such as logs, statistical reports and audit trails;
– incident reports, especially those that result in an impact;
– test results, for example from penetration testing, social engineering, compliance tools and security audit tools; or
– records from the organization's information security related procedures and programmes, for example the results of information security awareness training.
Tables 1 to 4 below show the application of the information security measurement model to the following two controls:
– "control 2" refers to control A.8.2.1 Management responsibilities of ISO/IEC 27001:2005 ("Management shall require employees, contractors and third party users to apply security in accordance with the established policies and procedures of the organization"), implemented as follows: "All personnel relevant to the ISMS must sign a user statement before being granted access to a given information system."
– "control 1" refers to control A.8.2.2 "Information security awareness, education and training" of ISO/IEC 27001:2005 ("All employees of the organization and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function"), implemented as follows: "All personnel relevant to the ISMS must complete introductory information security training before being assigned access to a given information system".
The corresponding measurement constructs are contained in B.1.
NOTE: Tables 1 to 4 consist of several columns (Table 1 of four columns, Tables 2 to 4 of three columns), to which letter designations are assigned. Each field within a column is assigned a numerical designation. The letter-and-number combinations are used in fields that follow earlier fields. Arrows indicate the flow of data between the individual elements of the information security measurement model in a specific example.
Table 1 contains an example of the relationships between the object of measurement, attribute, measurement method and base measure for measuring the objects defined for implementing the controls described above.
Table 1: Example of base measure and measurement method

Object of measurement (O) | Attribute (A) | Measurement method (M) | Base measure (B)
--- | --- | --- | ---
Control 1 | | |
O.1.1 Information security awareness training plan | A.1.1 Personnel identified in the training plan (O.1.1) | M.1 Count of persons who have signed (A.2.1) and completed training to date (A.1.1) | B.1 Personnel planned to date (A.2.1, A.1.1)
O.1.2 Personnel who have completed or are undergoing training | A.1.2 Status of personnel with regard to training (O.1.2) | M.2 Request to the responsible individuals for the percentage of personnel (A.1.2) who have completed training and signed the statement (A.2.2) | B.2 Personnel who have signed, percentage of personnel (A.1.2, A.2.2)
Control 2 | | |
O.2.1 User statement signing plan | A.2.1 Personnel identified in the signing plan (O.2.1) | M.3 Count of persons scheduled to have signed to date (A.2.1) | B.3 Personnel planned to sign to date (A.2.1)
O.2.2 Personnel who have signed the statement | A.2.2 Status of personnel with regard to signing the statement (O.2.2) | M.1 Count of persons who have signed the user statement (A.2.2) | B.4 Personnel who have signed to date (A.2.2)
5.4.3 Derived measure and measurement function
A derived measure is an aggregate of two or more base measures. A given base measure can serve as input to several derived measures.
A measurement function is the calculation used to combine base measures to form a derived measure.
The scale and unit of a derived measure depend on the scales and units of the base measures from which it is composed, and also on how these are combined by the measurement function.
A measurement function may involve various techniques, such as averaging base measures, applying weights to base measures or assigning qualitative values to base measures. A measurement function may combine base measures using different scales, such as percentages and qualitative assessment results.
An example of the relationship of the next elements in the application of the information security measurement model, namely the base measure, measurement function and derived measure, is presented in Table 2.
Table 2: Example of derived measure and measurement function

Base measure (B) | Measurement function (F) | Derived measure (D)
--- | --- | ---
B.1 Personnel planned to date (A.2.1, A.1.1) | continues directly into the analytical model (see Table 3) | 
B.2 Personnel who have signed, percentage of personnel (A.1.2, A.2.2) | F.1 Sum of the status of all personnel who have signed and were planned to sign to date (B.2) | D.1 Progress to date (B.2)
B.3 Personnel planned to sign to date (A.2.1); B.4 Personnel who have signed to date (A.2.2) | F.2 Division of personnel who have signed to date (B.4) by personnel planned to sign to date (B.3) | D.2 Progress to date with signing (B.4, B.3)
5.4.4 Indicators and analytical model
An indicator is a measure that provides an estimate or evaluation of specified attributes, derived by means of an analytical model with respect to a defined information need. Indicators are obtained by applying a defined analytical model to base and/or derived measures and combining them with decision criteria. The scale and the measurement method affect the choice of analytical techniques for producing indicators.
An example of the relationships between derived measures, the analytical model and indicators in the applied information security measurement model is presented in Table 3.
Table 3: Example of indicator and analytical model

Derived measure (D) | Analytical model (AM) | Indicator (I)
--- | --- | ---
(from B.1, see Table 2); D.1 Progress to date (B.2); D.2 Progress to date with signing (B.4, B.3) | AM.1 [Division of progress to date (D.1) by personnel planned to date (B.1), times 100] and progress to date with signing (D.2) | I.1 Status expressed as a combination of ratios (D.1/B.1 x 100, D.2)
(input is I.1) | AM.2 Comparison of status I.1 with previous I.1 statuses | I.2 Trend (I.1 and past I.1 values)
NOTE: If the indicator is presented in graphical form, or if monochrome copies are used, they should be usable by visually impaired users. To enable this, the description of the indicator should include colours, shading, different fonts or other visual methods.
5.4.5 Measurement results and decision criteria
Measurement results are produced by interpreting the applied indicators on the basis of the defined decision criteria, and should be considered in the context of the overall measurement objectives for evaluating the effectiveness of the ISMS. Decision criteria are used to determine the need for action or further investigation, and also to describe the level of confidence in the measurement results. Decision criteria may be applied to a series of indicators, for example to perform trend analysis based on indicators obtained at different points in time.
Targets provide detailed performance specifications applicable to the organization or to parts of it, which are derived from information security objectives such as ISMS objectives and control objectives, and which must be defined and met in order to achieve those objectives.
An example of the relationship of the final elements in the applied information security measurement model (i.e. indicator, decision criteria and measurement results) is presented in Table 4.
Table 4: Example of measurement results and analytical model

Indicator (I) | Decision criteria (DC) | Measurement results
--- | --- | ---
I.1 Status expressed as a combination of ratios (D.1/B.1 x 100, D.2) | DC.1 The obtained ratios (I.1: D.1/B.1, D.2) should have values between 0.9 and 1.1 and between 0.99 and 1.01 respectively for achievement of the control objective to be established; otherwise management action is required | Interpretation for I.1: The organizational criteria for compliance with the organization's security awareness policy are satisfactorily met if 0.9 ≤ D.1/B.1 ≤ 1.1 and 0.99 ≤ D.2 ≤ 1.01; the organizational criteria are unsatisfactorily met if [D.1/B.1 < 0.9 or D.1/B.1 > 1.1] and 0.99 ≤ D.2 ≤ 1.01; the organizational criteria are not met if [D.2 < 0.99 or D.2 > 1.01].
I.2 Trend (I.1 and past I.1 values) | DC.2 The trend (I.2) should be upward or stable; otherwise management action is required | Interpretation for I.2: An increasing trend indicates improving compliance, a decreasing trend indicates deteriorating compliance. The rate of change of the trend can provide insight into the effectiveness of the controls.
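The construct of 5.4.2 to 5.4.5 (Tables 1 to 4) carried through end to end, as an added example that is not part of the standard: personnel records are constructed, and the record layout and the treatment of B.1 and B.2 as head counts rather than percentages are assumptions made here.

```python
# Added worked example (not the standard's own code): the Table 1 to 4 construct run on
# constructed records; record layout and counting B.1/B.2 as counts are assumptions here.
from datetime import date

# Constructed snapshot as of the reporting date: (name, training_due, training_done,
# signing_due, signed); None means not in the plan or not done yet.
PEOPLE = [
    ("ana",  date(2011, 1, 10), date(2011, 1, 8),  date(2011, 1, 10), date(2011, 1, 9)),
    ("bor",  date(2011, 1, 10), date(2011, 1, 12), date(2011, 1, 10), date(2011, 1, 12)),
    ("cvet", date(2011, 1, 20), None,              date(2011, 1, 20), date(2011, 1, 15)),
    ("dani", date(2011, 3, 1),  None,              date(2011, 3, 1),  None),  # not yet due
    ("eva",  None,              None,              date(2011, 1, 20), date(2011, 1, 18)),
]

def base_measures(people, today):
    """M.1 to M.3 applied to attributes A.1.1 to A.2.2 -> B.1 to B.4 (Table 1)."""
    due_train = [p for p in people if p[1] is not None and p[1] <= today]
    due_sign = [p for p in people if p[3] is not None and p[3] <= today]
    return {
        "B.1": len([p for p in due_train if p in due_sign]),  # planned to date
        "B.2": len([p for p in due_train if p[2] and p[4]]),   # trained and signed
        "B.3": len(due_sign),                                  # planned to sign to date
        "B.4": len([p for p in due_sign if p[4]]),             # signed to date
    }

def derived_measures(b):
    """F.1 (D.1 = B.2) and F.2 (D.2 = B.4 / B.3) from Table 2."""
    if b["B.3"] == 0:
        raise ValueError("B.3 is zero: nobody was planned to sign, so D.2 is undefined")
    return {"D.1": b["B.2"], "D.2": b["B.4"] / b["B.3"]}

def indicator_i1(b, d):
    """AM.1 from Table 3: I.1 = (D.1 / B.1 x 100, D.2)."""
    if b["B.1"] == 0:
        raise ValueError("B.1 is zero: nobody was planned, so D.1 / B.1 is undefined")
    return (d["D.1"] / b["B.1"] * 100, d["D.2"])

def decide_dc1(i1):
    """DC.1 from Table 4: returns the interpretation of I.1."""
    ratio, d2 = i1[0] / 100, i1[1]
    if not 0.99 <= d2 <= 1.01:
        return "not met"             # signing status outside its band
    if 0.9 <= ratio <= 1.1:
        return "satisfactory"
    return "unsatisfactory"          # management action required

def indicator_i2(i1_history):
    """AM.2 from Table 3: compare the latest I.1 with the previous one."""
    if len(i1_history) < 2:
        return "insufficient history"
    delta = i1_history[-1][0] - i1_history[-2][0]
    return "improving" if delta > 0 else "stable" if delta == 0 else "deteriorating"

def decide_dc2(i2):
    return i2 in ("improving", "stable")  # DC.2: otherwise management action
```

With the constructed snapshot and a reporting date of 2011-01-31, D.2 is 1.0 but D.1/B.1 is about 0.67, so DC.1 yields "unsatisfactory"; a reporting date before anyone is due leaves B.1 and B.3 at zero, which the functions reject rather than report as a ratio.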
6 Management responsibilities
6.1 Overview
Management is responsible for establishing an information security measurement programme that involves the relevant stakeholders (see 7.5.8) in measurement activities, for accepting measurement results as input to the management review, and for using measurement results to improve the performance of the ISMS.
To achieve this, management should:
a) establish objectives for the information security measurement programme;
b) establish a policy for the information security measurement programme;
c) establish roles and responsibilities for the information security measurement programme;
d) provide adequate resources for carrying out measurement, including personnel, financial resources, tools and infrastructure;
e) ensure that the objectives of the information security measurement programme are achieved;
f) ensure that the tools and equipment used for data collection are properly maintained;
g) establish a measurement purpose for each object of measurement;
h) ensure that measurement provides stakeholders with sufficient information regarding the effectiveness of the ISMS and the needs to improve the implemented ISMS, including its scope, policies, objectives, controls, processes and procedures, and
i) ensure that measurement provides stakeholders with sufficient information regarding the effectiveness of controls or groups of controls and the needs to improve the implemented controls.
By appropriately assigning measurement roles and responsibilities, management should ensure that information owners cannot influence the measurement results (see 7.5.8). This can be achieved by segregation of duties or, where that is not possible, by using detailed documentation that allows independent verification.
6.2 Resource management
Management should identify and provide the resources to support the essential measurement activities, such as data collection, analysis, storage, reporting and distribution. Resource allocation should include determining:
a) the individuals responsible for all aspects of the information security measurement programme;
b) adequate financial support, and
c) adequate infrastructure support, such as physical infrastructure and tools for carrying out the measurement processes.
NOTE: Clause 5.2.1 of ISO/IEC 27001:2005 to
...