SIST ISO/IEC 27004:2011

INTERNATIONAL ISO/IEC
STANDARD 27004
First edition
2009-12-15


Information technology — Security
techniques — Information security
management — Measurement
Technologies de l'information — Techniques de sécurité —
Management de la sécurité de l'information — Mesurage




Reference number
ISO/IEC 27004:2009(E)
©
ISO/IEC 2009

---------------------- Page: 1 ----------------------
ISO/IEC 27004:2009(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2009 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 27004:2009(E)
Contents Page
Foreword .v
0 Introduction.vi
0.1 General .vi
0.2 Management overview .vi
1 Scope.1
2 Normative references.1
3 Terms and definitions .1
4 Structure of this International Standard .3
5 Information security measurement overview.4
5.1 Objectives of information security measurement.4
5.2 Information Security Measurement Programme .5
5.3 Success factors .6
5.4 Information security measurement model.6
5.4.1 Overview.6
5.4.2 Base measure and measurement method .7
5.4.3 Derived measure and measurement function .9
5.4.4 Indicators and analytical model.10
5.4.5 Measurement results and decision criteria .11
6 Management responsibilities .12
6.1 Overview.12
6.2 Resource management.13
6.3 Measurement training, awareness, and competence.13
7 Measures and measurement development.13
7.1 Overview.13
7.2 Definition of measurement scope.13
7.3 Identification of information need .14
7.4 Object and attribute selection.14
7.5 Measurement construct development.15
7.5.1 Overview.15
7.5.2 Measure selection .15
7.5.3 Measurement method .15
7.5.4 Measurement function .16
7.5.5 Analytical model .16
7.5.6 Indicators .16
7.5.7 Decision criteria.16
7.5.8 Stakeholders .17
7.6 Measurement construct.17
7.7 Data collection, analysis and reporting .17
7.8 Measurement implementation and documentation .18
8 Measurement operation.18
8.1 Overview.18
8.2 Procedure integration .18
8.3 Data collection, storage and verification .19
9 Data analysis and measurement results reporting.19
9.1 Overview.19
9.2 Analyse data and develop measurement results.19
9.3 Communicate measurement results .20
© ISO/IEC 2009 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 27004:2009(E)
10 Information Security Measurement Programme Evaluation and Improvement.20
10.1 Overview.20
10.2 Evaluation criteria identification for the Information Security Measurement Programme .21
10.3 Monitor, review, and evaluate the Information Security Measurement Programme .21
10.4 Implement improvements .21
Annex A (informative) Template for an information security measurement construct.22
Annex B (informative) Measurement construct examples .24
Bibliography .55

iv © ISO/IEC 2009 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 27004:2009(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27004 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.

© ISO/IEC 2009 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 27004:2009(E)
0 Introduction

0.1 General

This International Standard provides guidance on the development and use of measures and measurement in
order to assess the effectiveness of an implemented information security management system (ISMS) and
controls or groups of controls, as specified in ISO/IEC 27001.

This would include policy, information security risk management, control objectives, controls, processes and
procedures, and support the process of its revision, helping to determine whether any of the ISMS processes
or controls need to be changed or improved. It needs to be kept in mind that no measurement of controls can
guarantee complete security.

The implementation of this approach constitutes an Information Security Measurement Programme. The
Information Security Measurement Programme will assist management in identifying and evaluating non-
compliant and ineffective ISMS processes and controls and prioritizing actions associated with improvement
or changing these processes and/or controls. It may also assist the organization in demonstrating
ISO/IEC 27001 compliance and provide additional evidence for management review and information security
risk management processes.

This International Standard assumes that the starting point for the development of measures and
measurement is a sound understanding of the information security risks that an organization faces, and that
an organization’s risk assessment activities have been performed correctly (i.e. based on ISO/IEC 27005), as
required by ISO/IEC 27001. The Information Security Measurement Programme will encourage an
organization to provide reliable information to relevant stakeholders concerning its information security risks
and the status of the implemented ISMS to manage these risks.

Effectively implemented, the Information Security Measurement Programme would improve stakeholder
confidence in measurement results, and enable the stakeholders to use these measures to effect continual
improvement of information security and the ISMS.

The accumulated measurement results will allow comparison of progress in achieving information security
objectives over a period of time as part of an organization’s ISMS continual improvement process.

0.2 Management overview

ISO/IEC 27001 requires the organization to “undertake regular reviews of the effectiveness of the ISMS taking
into account results from effectiveness measurement” and to “measure the effectiveness of controls to verify
that security requirements have been met”. ISO/IEC 27001 also requires the organization to “define how to
measure the effectiveness of the selected controls or groups of controls and specify how these measures are
to be used to assess control effectiveness to produce comparable and reproducible results”.

The approach adopted by an organization to fulfil the measurement requirements specified in ISO/IEC 27001
will vary based on a number of significant factors, including the information security risks that the organization
faces, its organizational size, resources available, and applicable legal, regulatory and contractual
requirements. Careful selection and justification of the method used to fulfil the measurement requirements
are important to ensure that excessive resources are not devoted to these activities of the ISMS to the
detriment of others. Ideally, ongoing measurement activities are to be integrated into the regular operations of
the organization with minimal additional resource requirements.

This International Standard gives recommendations concerning the following activities as a basis for an
organization to fulfil measurement requirements specified in ISO/IEC 27001:

a) developing measures (i.e. base measures, derived measures and indicators);
vi © ISO/IEC 2009 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC 27004:2009(E)
b) implementing and operating an Information Security Measurement Programme;
c) collecting and analysing data;
d) developing measurement results;
e) communicating developed measurement results to the relevant stakeholders;
f) using measurement results as contributing factors to ISMS-related decisions;
g) using measurement results to identify needs for improving the implemented ISMS, including its scope,
policies, objectives, controls, processes and procedures; and
h) facilitating continual improvement of the Information Security Measurement Programme.

One of the factors that will impact the organization’s ability to achieve measurement is its size. Generally the
size and complexity of the business in combination with the importance of information security affect the
extent of measurement needed, both in terms of the numbers of measures to be selected and the frequency
of collecting and analysing data. For SMEs (Small and Medium Enterprises) a less comprehensive information
security measurement program will be sufficient, whereas large enterprises will implement and operate
multiple Information Security Measurement Programmes.

A single Information Security Measurement Programme may be sufficient for small organizations, whereas for
large enterprises the need may exist for multiple Information Security Measurement Programmes.

The guidance provided by this International Standard will result in the production of documentation that will
contribute to demonstrating that control effectiveness is being measured and assessed.

© ISO/IEC 2009 – All rights reserved vii

---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO/IEC 27004:2009(E)

Information technology — Security techniques — Information
security management — Measurement
1 Scope

This International Standard provides guidance on the development and use of measures and measurement in
order to assess the effectiveness of an implemented information security management system (ISMS) and
controls or groups of controls, as specified in ISO/IEC 27001.

This International Standard is applicable to all types and sizes of organization.

NOTE This document uses the verbal forms for the expression of provisions (e.g. “shall”, “shall not”, “should”, “should
not”, “may”, “need not”, “can” and “cannot”) that are specified in the ISO/IEC Directives, Part 2, 2004, Annex H. See also
ISO/IEC 27000:2009, Annex A.
2 Normative references

The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.

ISO/IEC 27000:2009, Information technology — Security techniques — Information security management
systems — Overview and vocabulary

ISO/IEC 27001:2005, Information technology — Security techniques — Information security management
systems — Requirements


3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.

3.1
analytical model
algorithm or calculation combining one or more base and/or derived measures with associated decision
criteria

[ISO/IEC 15939:2007]

3.2
attribute
property or characteristic of an object that can be distinguished quantitatively or qualitatively by human or
automated means

[ISO/IEC 15939:2007]

3.3
base measure
measure defined in terms of an attribute and the method for quantifying it

[ISO/IEC 15939:2007]
NOTE A base measure is functionally independent of other measures.
© ISO/IEC 2009 – All rights reserved 1

---------------------- Page: 8 ----------------------
ISO/IEC 27004:2009(E)
3.4
data
collection of values assigned to base measures, derived measures and/or indicators

[ISO/IEC 15939:2007]

3.5
decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe
the level of confidence in a given result

[ISO/IEC 15939:2007]

3.6
derived measure
measure that is defined as a function of two or more values of base measures

[ISO/IEC 15939:2007]

3.7
indicator
measure that provides an estimate or evaluation of specified attributes derived from an analytical model with
respect to defined information needs

3.8
information need
insight necessary to manage objectives, goals, risks and problems

[ISO/IEC 15939:2007]

3.9
measure
variable to which a value is assigned as the result of measurement

[ISO/IEC 15939:2007]

NOTE The term “measures” is used to refer collectively to base measures, derived measures, and indicators.
EXAMPLE A comparison of a measured defect rate to planned defect rate along with an assessment of whether or
not the difference indicates a problem.

3.10
measurement
process of obtaining information about the effectiveness of ISMS and controls using a measurement method,
a measurement function, an analytical model, and decision criteria

3.11
measurement function
algorithm or calculation performed to combine two or more base measures

[ISO/IEC 15939:2007]

3.12
measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a
specified scale

[ISO/IEC 15939:2007]

2 © ISO/IEC 2009 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 27004:2009(E)
NOTE The type of measurement method depends on the nature of the operations used to quantify an attribute. Two
types can be distinguished:
— subjective: quantification involving human judgment;
— objective: quantification based on numerical rules.

3.13
measurement results
one or more indicators and their associated interpretations that address an information need

3.14
object
item characterized through the measurement of its attributes

3.15
scale
ordered set of values, continuous or discrete, or a set of categories to which the attribute is mapped

[ISO/IEC 15939:2007]

NOTE The type of scale depends on the nature of the relationship between values on the scale. Four types of scale
are commonly defined:
— nominal: the measurement values are categorical;
— ordinal: the measurement values are rankings;
— interval: the measurement values have equal distances corresponding to equal quantities of the attribute;
— ratio: the measurement values have equal distances corresponding to equal quantities of the attribute, where
the value of zero corresponds to none of the attribute.

These are just examples of the types of scale.

3.16
unit of measurement
particular quantity, defined and adopted by convention, with which other quantities of the same kind are
compared in order to express their magnitude relative to that quantity

[ISO/IEC 15939:2007]

3.17
validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended use or
application have been fulfilled

3.18
verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled

[ISO 9000:2005]

NOTE This could also be called compliance testing.

4 Structure of this International Standard

This International Standard provides an explanation of measures and measurement activities needed to
assess the effectiveness of ISMS requirements for the management of adequate and proportionate security
controls as required in ISO/IEC 27001:2005, 4.2.
© ISO/IEC 2009 – All rights reserved 3

---------------------- Page: 10 ----------------------
ISO/IEC 27004:2009(E)
This International Standard is structured as follows:
- Overview on the Information Security Measurement Programme and the Information Security
Measurement Model (Clause 5);
- Management responsibilities for information security measurements (Clause 6); and
- Measurement constructs and the processes (i.e. planning and developing, implementing and
operating, and improving measurements: communicating measurement results) to be implemented in
the Information Security Measurement Programme (Clauses 7-10).

In addition, Annex A provides an example template for the measurement construct of which the constituents
are the elements of the Information Security Measurement Model (see Clause 7). Annex B provides the
measurement construct examples for specific controls or processes of an ISMS, using the template provided
in Annex A.

These examples are intended to help an organization on how to implement the Information Security
Measurement and how to record measurement activities and outcomes from them.

5 Information security measurement overview

5.1 Objectives of information security measurement

The objectives of information security measurement in the context of an ISMS includes:
a) evaluating the effectiveness of the implemented controls or groups of controls (See “4.2.2 d)” in Figure 1);
b) evaluating the effectiveness of the implemented ISMS (See “4.2.3 b)” in Figure 1);
c) verifying the extent to which identified security requirements have been met (See “4.2.3 c)” in Figure 1);
d) facilitating performance improvement of information security in terms of the organization’s overall
business risks;
e) providing input for management review to facilitate ISMS-related decision making and justify needed
improvements of the implemented ISMS.

Figure 1 illustrates the cyclical input–output relationship of the measurement activities in relation to the Plan-
Do-Check-Act (PDCA) cycle, specified in ISO/IEC 27001. Numbers in each figure represent relevant sub-
clauses of ISO/IEC 27001:2005.

4 © ISO/IEC 2009 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 27004:2009(E)
Plan
Act
4.2.1 g) Select control
4.2.1 e) 2) Assess the realistic
objectives and controls for
likelihood of security failures occurring
the treatment of risks.
in the light of prevailing threats and
4.2.4 a) Implement the identified
Control objectives and
vulnerabilities, and impacts improvements in the ISMS
controls shall be selected
associated with these assets, and
and implemented to meet the
the effectiveness of controls
requirements identified by
currently implemented
the risk assessment and risk
treatment process.
Do Check
The output from the
4.2.2 c) Implement controls
4.2.3 b) Regular review of the
management review
selected to meet
effectiveness of the ISMS
shall include any decision and
the control objectives
actions related to;
7.3 b) Update of risk and the
risk treatment plan,
4.2.3 d) Review risk assessments
7.3 e) Improvement to how
at planned intervals and review the
4.2.2 d) Define how
the effectiveness of controls is
residual risks and the identified
to measure the effectiveness
being measured
acceptable levels of risks, taking
of selected controls or
into account changes to effectiveness
groups of controls
of implemented controls
4.2.3 f) Undertake a
Management review of the
7.2 a), f) The input to a
ISMS on a regular basis to
4.2.3 c) Measure the
management review shall include
ensure that the scope remains
effectiveness of controls to
results from effectiveness
adequate and improvements
verify that security requirements
measurement and ISMS review
in the ISMS process are identified
have been met

Figure 1 — Measurement inputs and outputs in ISMS PDCA cycle of information security management

The organization should establish measurement objectives based on a number of considerations, including:
a) The role of information security in support of the organization’s overall business activities and the risks
it faces;
b) Applicable legal, regulatory, and contractual requirements;
c) Organizational structure;
d) Costs and benefits of implementing information security measures;
e) Risk acceptance criteria for the organization; and
f) A need to compare several ISMSs within the same organization.

5.2 Information Security Measurement Programme

An organization should establish and manage an Information Security Measurement Programme in order to
achieve the established measurement objectives and adopt the PDCA model within the organization’s overall
measurement activities. An organization should also develop and implement measurement constructs in order
to obtain repeatable, objective and useful results of measurement based on the Information Security
Measurement Model (see 5.4).

The Information Security Measurement Programme and the developed measurement construct should ensure
that an organization effectively achieves objective and repeatable measurement and provides measurement
results for relevant stakeholders to identify needs for improving the implemented ISMS, including its scope,
policies, objectives, controls, processes and procedures.
© ISO/IEC 2009 – All rights reserved 5

---------------------- Page: 12 ----------------------
ISO/IEC 27004:2009(E)
An Information Security Measurement Programme should include the following processes:
a) Measures and measurement development (see Clause 7) ;
b) Measurement operation (see Clause 8);
c) Data analysis and measurement results reporting (see Clause 9); and
d) Information Security Measurement Programme evaluation and improvement (see Clause 10).

The organisational and operational structure of an Information Security Measurement Programme should be
determined by taking into account the scale and complexity of the ISMS of which it is a part. In all cases, roles
and responsibilities for the Information Security Measurement Programme should be explicitly assigned to
competent personnel (see 7.5.8).

The measures selected and implemented by the Information Security Measurement Programme should be
directly related to the operation of an ISMS, other measures, as well as organization’s business processes.
Measurement can be integrated into regular operational activities or performed at regular intervals determined
by ISMS management.

5.3 Success factors

The following are some contributing factors to the success of Information Security Measurement Programme
in facilitating continual ISMS im
...

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Informacijska tehnologija - Varnostne tehnike - Upravljanje informacijske varnosti - MerjenjeTechnologies de l'information - Techniques de sécurité - Management de la sécurité de l'information - MesurageInformation technology - Security techniques - Information security management - Measurement35.040Nabori znakov in kodiranje informacijCharacter sets and information codingICS:Ta slovenski standard je istoveten z:ISO/IEC 27004:2009oSIST ISO/IEC 27004:2010en01-december-2010oSIST ISO/IEC 27004:2010SLOVENSKI
STANDARD



oSIST ISO/IEC 27004:2010



Reference numberISO/IEC 27004:2009(E)© ISO/IEC 2009
INTERNATIONAL STANDARD ISO/IEC27004First edition2009-12-15Information technology — Security techniques — Information security management — Measurement Technologies de l'information — Techniques de sécurité — Management de la sécurité de l'information — Mesurage
oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
©
ISO/IEC 2009 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 • CH-1211 Geneva 20 Tel.
+ 41 22 749 01 11 Fax
+ 41 22 749 09 47 E-mail
copyright@iso.org Web
www.iso.org Published in Switzerland
ii © ISO/IEC 2009 – All rights reserved
oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) © ISO/IEC 2009 – All rights reserved iii Contents Page Foreword.v 0 Introduction.vi 0.1 General.vi 0.2 Management overview.vi 1 Scope.1 2 Normative references.1 3 Terms and definitions.1 4 Structure of this International Standard.3 5 Information security measurement overview.4 5.1 Objectives of information security measurement.4 5.2 Information Security Measurement Programme.5 5.3 Success factors.6 5.4 Information security measurement model.6 5.4.1 Overview.6 5.4.2 Base measure and measurement method.7 5.4.3 Derived measure and measurement function.9 5.4.4 Indicators and analytical model.10 5.4.5 Measurement results and decision criteria.11 6 Management responsibilities.12 6.1 Overview.12 6.2 Resource management.13 6.3 Measurement training, awareness, and competence.13 7 Measures and measurement development.13 7.1 Overview.13 7.2 Definition of measurement scope.13 7.3 Identification of information need.14 7.4 Object and attribute selection.14 7.5 Measurement construct development.15 7.5.1 Overview.15 7.5.2 Measure selection.15 7.5.3 Measurement method.15 7.5.4 Measurement function.16 7.5.5 Analytical model.16 7.5.6 Indicators.16 7.5.7 Decision criteria.16 7.5.8 Stakeholders.17 7.6 Measurement construct.17 7.7 Data collection, analysis and reporting.17 7.8 Measurement implementation and documentation.18 8 Measurement operation.18 8.1 Overview.18 8.2 Procedure integration.18 8.3 Data collection, storage and verification.19 9 Data analysis and measurement results reporting.19 9.1 Overview.19 9.2 Analyse data and develop measurement results.19 9.3 Communicate measurement results.20 oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) iv © ISO/IEC 2009 – All rights reserved 10 Information Security Measurement Programme Evaluation and Improvement.20 10.1 Overview.20 10.2 Evaluation criteria identification for the Information Security Measurement Programme.21 10.3 Monitor, review, and evaluate the Information Security Measurement Programme.21 10.4 Implement improvements.21 Annex A (informative)
Template for an information security measurement construct.22 Annex B (informative)
Measurement construct examples.24 Bibliography.55
oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) © ISO/IEC 2009 – All rights reserved v Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27004 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) vi © ISO/IEC 2009 – All rights reserved 0 Introduction
0.1
General
This International Standard provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.
This would include policy, information security risk management, control objectives, controls, processes and procedures, and support the process of its revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved. It needs to be kept in mind that no measurement of controls can guarantee complete security.
The implementation of this approach constitutes an Information Security Measurement Programme. The Information Security Measurement Programme will assist management in identifying and evaluating non-compliant and ineffective ISMS processes and controls and prioritizing actions associated with improvement or changing these processes and/or controls. It may also assist the organization in demonstrating
ISO/IEC 27001 compliance and provide additional evidence for management review and information security risk management processes.
This International Standard assumes that the starting point for the development of measures and measurement is a sound understanding of the information security risks that an organization faces, and that an organization’s risk assessment activities have been performed correctly (i.e. based on ISO/IEC 27005), as required by ISO/IEC 27001. The Information Security Measurement Programme will encourage an organization to provide reliable information to relevant stakeholders concerning its information security risks and the status of the implemented ISMS to manage these risks.
Effectively implemented, the Information Security Measurement Programme would improve stakeholder confidence in measurement results, and enable the stakeholders to use these measures to effect continual improvement of information security and the ISMS.
The accumulated measurement results will allow comparison of progress in achieving information security objectives over a period of time as part of an organization’s ISMS continual improvement process.
0.2 Management overview
ISO/IEC 27001 requires the organization to “undertake regular reviews of the effectiveness of the ISMS taking into account results from effectiveness measurement” and to “measure the effectiveness of controls to verify that security requirements have been met”. ISO/IEC 27001 also requires the organization to “define how to measure the effectiveness of the selected controls or groups of controls and specify how these measures are to be used to assess control effectiveness to produce comparable and reproducible results”.
The approach adopted by an organization to fulfil the measurement requirements specified in ISO/IEC 27001 will vary based on a number of significant factors, including the information security risks that the organization faces, its organizational size, resources available, and applicable legal, regulatory and contractual requirements. Careful selection and justification of the method used to fulfil the measurement requirements are important to ensure that excessive resources are not devoted to these activities of the ISMS to the detriment of others. Ideally, ongoing measurement activities are to be integrated into the regular operations of the organization with minimal additional resource requirements.
This International Standard gives recommendations concerning the following activities as a basis for an organization to fulfil measurement requirements specified in ISO/IEC 27001:
a) developing measures (i.e. base measures, derived measures and indicators); oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) © ISO/IEC 2009 – All rights reserved vii b) implementing and operating an Information Security Measurement Programme; c) collecting and analysing data; d) developing measurement results; e) communicating developed measurement results to the relevant stakeholders; f) using measurement results as contributing factors to ISMS-related decisions; g) using measurement results to identify needs for improving the implemented ISMS, including its scope, policies, objectives, controls, processes and procedures; and h) facilitating continual improvement of the Information Security Measurement Programme.
One of the factors that will impact the organization’s ability to achieve measurement is its size.
Generally the size and complexity of the business in combination with the importance of information security affect the extent of measurement needed, both in terms of the numbers of measures to be selected and the frequency of collecting and analysing data. For SMEs (Small and Medium Enterprises) a less comprehensive information security measurement program will be sufficient, whereas large enterprises will implement and operate multiple Information Security Measurement Programmes.
A single Information Security Measurement Programme may be sufficient for small organizations, whereas for large enterprises the need may exist for multiple Information Security Measurement Programmes.
The guidance provided by this International Standard will result in the production of documentation that will contribute to demonstrating that control effectiveness is being measured and assessed.
oSIST ISO/IEC 27004:2010



oSIST ISO/IEC 27004:2010



INTERNATIONAL STANDARD ISO/IEC 27004:2009(E) © ISO/IEC 2009 – All rights reserved 1 Information technology — Security techniques — Information security management — Measurement 1 Scope
This International Standard provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.
This International Standard is applicable to all types and sizes of organization.
NOTE This document uses the verbal forms for the expression of provisions (e.g. “shall”, “shall not”, “should”, “should not”, “may”, “need not”, “can” and “cannot”) that are specified in the ISO/IEC Directives, Part 2, 2004, Annex H. See also ISO/IEC 27000:2009, Annex A. 2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001:2005, Information technology — Security techniques — Information security management systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
3.1 analytical model algorithm or calculation combining one or more base and/or derived measures with associated decision criteria
[ISO/IEC 15939:2007]
3.2 attribute property or characteristic of an object that can be distinguished quantitatively or qualitatively by human or automated means
[ISO/IEC 15939:2007]
3.3 base measure measure defined in terms of an attribute and the method for quantifying it
[ISO/IEC 15939:2007] NOTE
A base measure is functionally independent of other measures. oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) 2 © ISO/IEC 2009 – All rights reserved 3.4 data collection of values assigned to base measures, derived measures and/or indicators
[ISO/IEC 15939:2007]
3.5 decision criteria thresholds, targets, or patterns used to determine the need for action or further investigation, or to describe the level of confidence in a given result
[ISO/IEC 15939:2007]
3.6 derived measure measure that is defined as a function of two or more values of base measures
[ISO/IEC 15939:2007]
3.7 indicator measure that provides an estimate or evaluation of specified attributes derived from an analytical model with respect to defined information needs
3.8 information need insight necessary to manage objectives, goals, risks and problems
[ISO/IEC 15939:2007]
3.9 measure variable to which a value is assigned as the result of measurement
[ISO/IEC 15939:2007]
NOTE
The term “measures” is used to refer collectively to base measures, derived measures, and indicators. EXAMPLE A comparison of a measured defect rate to planned defect rate along with an assessment of whether or not the difference indicates a problem.
3.10 measurement process of obtaining information about the effectiveness of ISMS and controls using a measurement method, a measurement function, an analytical model, and decision criteria
3.11 measurement function algorithm or calculation performed to combine two or more base measures
[ISO/IEC 15939:2007]
3.12 measurement method logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale
[ISO/IEC 15939:2007]
oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) © ISO/IEC 2009 – All rights reserved 3 NOTE
The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished: — subjective: quantification involving human judgment; — objective: quantification based on numerical rules.
3.13 measurement results one or more indicators and their associated interpretations that address an information need
3.14 object item characterized through the measurement of its attributes
3.15 scale ordered set of values, continuous or discrete, or a set of categories to which the attribute is mapped
[ISO/IEC 15939:2007]
NOTE The type of scale depends on the nature of the relationship between values on the scale. Four types of scale are commonly defined: — nominal: the measurement values are categorical; — ordinal: the measurement values are rankings; — interval: the measurement values have equal distances corresponding to equal quantities of the attribute; — ratio: the measurement values have equal distances corresponding to equal quantities of the attribute, where the value of zero corresponds to none of the attribute.
These are just examples of the types of scale.
3.16 unit of measurement particular quantity, defined and adopted by convention, with which other quantities of the same kind are compared in order to express their magnitude relative to that quantity
[ISO/IEC 15939:2007]
3.17 validation confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled
3.18 verification confirmation, through the provision of objective evidence, that specified requirements have been fulfilled
[ISO 9000:2005]
NOTE This could also be called compliance testing.
4 Structure of this International Standard
This International Standard provides an explanation of measures and measurement activities needed to assess the effectiveness of ISMS requirements for the management of adequate and proportionate security controls as required in ISO/IEC 27001:2005, 4.2. oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) 4 © ISO/IEC 2009 – All rights reserved This International Standard is structured as follows: - Overview on the Information Security Measurement Programme and the Information Security Measurement Model (Clause 5); - Management responsibilities for information security measurements (Clause 6); and - Measurement constructs and the processes (i.e. planning and developing, implementing and operating, and improving measurements: communicating measurement results) to be implemented in the Information Security Measurement Programme (Clauses 7-10).
In addition, Annex A provides an example template for the measurement construct of which the constituents are the elements of the Information Security Measurement Model (see Clause 7). Annex B provides the measurement construct examples for specific controls or processes of an ISMS, using the template provided in Annex A.
These examples are intended to help an organization on how to implement the Information Security Measurement and how to record measurement activities and outcomes from them.
5 Information security measurement overview
5.1 Objectives of information security measurement
The objectives of information security measurement in the context of an ISMS includes: a) evaluating the effectiveness of the implemented controls or groups of controls (See “4.2.2 d)” in Figure 1); b) evaluating the effectiveness of the implemented ISMS (See “4.2.3 b)” in Figure 1); c) verifying the extent to which identified security requirements have been met (See “4.2.3 c)” in Figure 1); d) facilitating performance improvement of information security in terms of the organization’s overall business risks; e) providing input for management review to facilitate ISMS-related decision making and justify needed improvements of the implemented ISMS.
Figure 1 illustrates the cyclical input–output relationship of the measurement activities in relation to the Plan-Do-Check-Act (PDCA) cycle, specified in ISO/IEC 27001. Numbers in each figure represent relevant sub-clauses of ISO/IEC 27001:2005.
oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) © ISO/IEC 2009 – All rights reserved 5 Plan4.2.1 g) Select control objectives and controlsfor the treatment of risks. Control objectives andcontrols shall be selected and implemented to meet therequirements identified by the risk assessment and risktreatment process.4.2.1 e) 2) Assess the realisticlikelihoodof security failures occurringin the light of prevailing threatsandvulnerabilities, and impacts associated with these assets, and the effectiveness of controlscurrently implemented4.2.2 c) Implement controlsselected to meetthe control objectives4.2.2 d) Define howto measurethe effectivenessof selected controls orgroups of controls 4.2.3 c) Measure the effectiveness of controlstoverify that security requirementshave been met4.2.3 b) Regular
reviewof the effectiveness
of the ISMSDo4.2.3 d) Review risk assessmentsat planned intervals and review theresidual risks and the identified acceptable levels of risks, takinginto account changes to effectivenessof implemented controls 7.2 a), f) The input to a managementreview shall includeresults from effectiveness measurement and ISMS review4.2.3 f) Undertake aManagement review of theISMSon a regular basis to ensure that the scope remains adequate and improvementsin the ISMS process are identifiedThe output from the management reviewshall include any decision and actions related to; 7.3 b) Update of riskand the risk treatment plan,7.3 e) Improvementto how the effectiveness of controls is being measuredCheckAct4.2.4 a) Implement the identified improvements in
the ISMS Figure 1 — Measurement inputs and outputs in ISMS PDCA cycle of information security management
The organization should establish measurement objectives based on a number of considerations, including: a) The role of information security in support of the organization’s overall business activities and the risks it faces; b) Applicable legal, regulatory, and contractual requirements; c) Organizational structure; d) Costs and benefits of implementing information security measures; e) Risk acceptance criteria for the organization; and f) A need to compare several ISMSs within the same organization.
5.2 Information Security Measurement Programme
An organization should establish and manage an Information Security Measurement Programme in order to achieve the established measurement objectives and adopt the PDCA model within the organization’s overall measurement activities. An organization should also develop and implement measurement constructs in order to obtain repeatable, objective and useful results of measurement based on the Information Security Measurement Model (see 5.4).
The Information Security Measurement Programme and the developed measurement construct should ensure that an organization effectively achieves objective and repeatable measurement and provides measurement results for relevant stakeholders to identify needs for improving the implemented ISMS, including its scope, policies, objectives, controls, processes and procedures. oSIST ISO/IEC 27004:2010



ISO/IEC 27004:2009(E) 6 © ISO/IEC 2009 – All rights reserved An Information Security Measurement Programme should include the following processes: a) Measures and measurement development (see Clause 7) ; b) Measurement operation (see Clause 8); c) Data analysis and measurement results reporting
(see Clause 9); and
d) Information Security Measurement Programme evaluation and improvement (see Clause 10).
The organisational and operational structure of an Information Security Measurement Programme should be determined by taking into account the scale and complexity of the ISMS of which it is a part. In all cases, roles and responsibilities for the Information Security Measurement Programme should be explicitly assigned to competent personnel (see 7.5.8).
The measures selected and implemented by the Information Security Measurement Programme should be directly related to the operation of an ISMS, other measures, as well as organization’s business processes.
Measurement can be integrated into regular operational activities or performed at regular intervals determined by ISMS management.
5.3 Success factors
The following are some contributing factors to the success of Information Security Measurement Programme in facilitating continual ISMS improvement: a) Management commitment supported by appropriate resources; b) Existence of ISMS processes and procedures; c) A repeatable process capable of capturing and reporting meaningful data to provide relevant trends over a period of time; d) Quantifiable measures based on ISMS objectives
...

SLOVENSKI SIST ISO/IEC 27004

STANDARD
marec 2011











Informacijska tehnologija – Varnostne tehnike – Upravljanje informacijske
varnosti – Merjenje

Information technology – Security techniques – Information security management
– Measurement

Technologies de l'information – Techniques de sécurité – Management de la
sécurité de l'information – Mesurge
























Referenčna oznaka
ICS 35.040 SIST ISO/IEC 27004:2011 (sl)


Nadaljevanje na straneh 2 do 65



© 2014-07. Slovenski inštitut za standardizacijo. Razmnoževanje ali kopiranje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST ISO/IEC 27004 : 2011
NACIONALNI UVOD

Standard SIST ISO/IEC 27004 (sl), Informacijska tehnologija – Varnostne tehnike – Upravljanje
informacijske varnosti – Merjenje, 2011, ima status slovenskega standarda in je istoveten
mednarodnemu standardu ISO/IEC 27004 (en), Information technology – Security techniques –
Information security management – Measurement, 2009.

NACIONALNI PREDGOVOR

Mednarodni standard ISO/IEC 27004:2009 je pripravil pododbor združenega tehničnega odbora
Mednarodne organizacije za standardizacijo in Mednarodne elektrotehniške komisije ISO/IEC JTC
1/SC 27 Varnostne tehnike v informacijski tehnologiji.

Slovenski standard SIST ISO/IEC 27004:2011 je prevod mednarodnega standarda ISO/IEC
27004:2009. Slovenski standard SIST ISO/IEC 27004:2011 je pripravil tehnični odbor SIST/TC ITC
Informacijska tehnologija. V primeru spora glede besedila slovenskega prevoda je odločilen izvirni
mednarodni standard v angleškem jeziku.

Odločitev za izdajo tega standarda je dne 25. novembra 2010 sprejel SIST/TC ITC Informacijska
tehnologija.

ZVEZA Z NACIONALNIMI STANDARDI

SIST ISO/IEC 27000:2011 Informacijska tehnologija – Varnostne tehnike – Sistemi upravljanja
informacijske varnosti – Pregled in izrazoslovje

SIST ISO/IEC 27001:2010 Informacijska tehnologija – Varnostne tehnike – Sistemi upravljanja
informacijske varnosti – Zahteve (nadomeščen s SIST ISO/IEC
27001:2013)

OSNOVA ZA IZDAJO STANDARDA

– privzem standarda ISO/IEC 27004:2009

OPOMBE

– Povsod, kjer se v besedilu standarda uporablja izraz “mednarodni standard”, v SIST ISO/IEC
27004:2011 to pomeni “slovenski standard”.

– Nacionalni uvod in nacionalni predgovor nista sestavni del standarda.
2

---------------------- Page: 2 ----------------------

SIST ISO/IEC 27004 : 2011
Vsebina Stran

Predgovor .5
0 Uvod .6
0.1 Splošno.6
0.2 Vodstveni pregled.6
1 Področje uporabe .8
2 Zveze s standardi .8
3 Izrazi in definicije .8
4 Struktura tega mednarodnega standarda.10
5 Pregled merjenja informacijske varnosti.10
5.1 Cilji merjenja informacijske varnosti .10
5.2 Program merjenja informacijske varnosti .11
5.3 Dejavniki uspeha .12
5.4 Model merjenja informacijske varnosti .12
5.4.1 Pregled .13
5.4.2 Osnovno merilo in metoda merjenja.13
5.4.3 Izpeljano merilo in funkcija merjenja .15
5.4.4 Kazalci in analitični model .16
5.4.5 Rezultati merjenja in odločitveni kriteriji .17
6 Odgovornosti vodstva.17
6.1 Pregled .17
6.2 Upravljanje virov.18
6.3 Merjenje usposabljanja, ozaveščenosti in usposobljenosti.18
7 Merila in razvoj merjenja.18
7.1 Pregled .18
7.2 Določitev obsega merjenja .19
7.3 Prepoznavanje informacijske potrebe .19
7.4 Izbor predmetov in lastnosti .19
7.5 Razvoj konstruktov merjenja .20
7.5.1 Pregled .20
7.5.2 Izbor merila.21
7.5.3 Metoda merjenja.21
7.5.4 Funkcija merjenja .21
7.5.5 Analitični model .22
7.5.6 Kazalci .22
7.5.7 Odločitveni kriteriji .22
7.5.8 Deležniki .23
7.6 Konstrukt merjenja.23
7.7 Zbiranje podatkov, analize in poročanje.23
7.8 Izvajanje in dokumentiranje merjenja.24
3

---------------------- Page: 3 ----------------------

SIST ISO/IEC 27004 : 2011
8 Postopek merjenja.24
8.1 Pregled .24
8.2 Integracija postopkov.24
8.3 Zbiranje, shranjevanje in preverjanje podatkov.25
9 Analize podatkov in poročanje o rezultatih merjenja.25
9.1 Pregled .25
9.2 Analiza podatkov in rezultati razvitih merjenj .25
9.3 Sporočanje rezultatov merjenja.26
10 Ocenjevanje in izboljšanje programa merjenja informacijske varnosti.26
10.1 Pregled .26
10.2 Prepoznavanje kriterijev za vrednotenje programa merjenja informacijske varnosti .27
10.3 Spremljanje, pregledovanje in vrednotenje programa merjenja informacijske varnosti.28
10.4 Izvajanje izboljšav.28
Dodatek A (informativni): Predloga za konstrukt merjenja informacijske varnosti .29
Dodatek B (informativni): Primeri konstrukta merjenja.32
Literatura.65
4

---------------------- Page: 4 ----------------------

SIST ISO/IEC 27004 : 2011
Predgovor
ISO (Mednarodna organizacija za standardizacijo) in IEC (Mednarodna elektrotehniška komisija)
tvorita specializiran sistem za svetovno standardizacijo. Nacionalni organi, ki so člani ISO ali IEC,
sodelujejo pri pripravi mednarodnih standardov prek tehničnih odborov, ki jih za obravnavanje
določenih strokovnih področij ustanovi ustrezna organizacija. Tehnični odbori ISO in IEC sodelujejo na
področjih skupnega interesa. Pri delu sodelujejo tudi druge mednarodne, vladne in nevladne
organizacije, povezane z ISO in IEC. Na področju informacijske tehnologije sta ISO in IEC vzpostavila
združeni tehnični odbor ISO/IEC JTC 1.
Mednarodni standardi so pripravljeni v skladu s pravili iz 2. dela Direktiv ISO/IEC.
Glavna naloga združenega tehničnega odbora je priprava mednarodnih standardov. Osnutki
mednarodnih standardov, ki jih sprejme združeni tehnični odbor, se pošljejo nacionalnim organom v
glasovanje. Za objavo kot mednarodni standard je treba pridobiti soglasje najmanj 75 % glasov
glasujočih nacionalnih organov.
Opozoriti je treba na možnost, da je lahko nekaj elementov tega dokumenta predmet patentnih pravic.
ISO in IEC ne prevzemata odgovornosti za prepoznavanje katerih koli ali vseh takih patentnih pravic.
ISO/IEC 27004 je pripravil združeni tehnični odbor JTC ISO/IEC 1 Informacijska tehnologija, pododbor
SC 27 Varnostne tehnike IT.
5

---------------------- Page: 5 ----------------------

SIST ISO/IEC 27004 : 2011
0 Uvod
0.1 Splošno
Ta mednarodni standard daje napotke za razvoj in uporabo meril in merjenja, da se oceni uspešnost
izvajanega sistema upravljanja informacijske varnosti (SUIV) ter kontrol ali skupine kontrol, kot jih
določa ISO/IEC 27001.
To naj vključuje politiko, obvladovanje tveganj informacijske varnosti, cilje kontrol, kontrole, procese in
postopke ter podpira procese njihovih revizij, kar naj bi pomagalo ugotoviti, ali je katerega od procesov
ali kontrol SUIV treba spremeniti ali izboljšati. Pri tem je treba upoštevati, da nobeno merjenje kontrol
ne more jamčiti za popolno varnost.
Izvajanje tega pristopa predstavlja program merjenja informacijske varnosti. Program merjenja
informacijske varnosti bo vodstvu pomagal pri prepoznavanju in vrednotenju neskladnih in neuspešnih
postopkov in kontrol SUIV ter pri določanju prednostnih ukrepov za izboljšanje ali spreminjanje teh
procesov in/ali kontrol. Prav tako lahko pomaga organizaciji pri dokazovanju skladnosti z ISO/IEC
27001 in poda dodatna dokazila za vodstveni pregled procesov obvladovanja tveganj informacijske
varnosti.
Ta mednarodni standard predpostavlja, da je izhodišče za razvoj meril in merjenja dobro razumevanje
tveganj informacijske varnosti, s katerimi se organizacija sooča, in da so bile aktivnosti ocenjevanja
tveganj organizacije pravilno izvedene (tj. temeljijo na ISO/IEC 27005), kot zahteva ISO/IEC 27001.
Program merjenja informacijske varnosti bo spodbudil organizacijo, da bo deležnikom dala zanesljive
informacije v zvezi z njenimi informacijskimi varnostnimi tveganji in statusom izvajanega SUIV pri
obvladovanju teh tveganj.
Uspešno izveden program merjenja informacijske varnosti bi izboljšal zaupanje deležnikov v rezultate
merjenja in jim omogočil, da uporabljajo ta merila za nenehno izboljševanje informacijske varnosti in
SUIV.
Zbrani rezultati merjenja bodo omogočili primerjavo napredka pri doseganju ciljev informacijske
varnosti v nekem časovnem obdobju kot dela procesa nenehnega izboljševanja SUIV v organizaciji.
0.2 Vodstveni pregled
ISO/IEC 27001 zahteva od organizacije, da "izvaja redne preglede uspešnosti SUIV z upoštevanjem
rezultatov merjenja uspešnosti" in da "meri uspešnost kontrol, da preveri, ali so izpolnjene varnostne
zahteve". ISO/IEC 27001 tudi zahteva, da organizacija "določi, kako meriti uspešnost izbranih kontrol
ali skupin kontrol, in opredeli, kako te meritve uporabiti za oceno uspešnosti kontrol, da proizvede
primerljive in ponovljive rezultate".
Pristop, ki ga organizacija sprejme za izpolnitev zahtev po merjenju, določenih v ISO/IEC 27001, se bo
razlikoval glede na število pomembnih dejavnikov, vključno z informacijskimi varnostnimi tveganji, s
katerimi se organizacija sooča, njeno velikostjo, razpoložljivimi viri ter relevantnimi zakonskimi,
pravnimi in pogodbenimi zahtevami. Skrbna izbira in utemeljitev metode, uporabljene za izpolnjevanje
zahtev po merjenju, sta pomembni za zagotovitev, da aktivnostim SUIV niso namenjeni prekomerni viri
v škodo drugim aktivnostim. Idealno bi bilo, da so tekoča merjenja vključena v redne dejavnosti
organizacije z minimalnimi dodatnimi potrebami po virih.
Kot podlago za izpolnitev zahtev po merjenju, določenih v ISO/IEC 27001, daje ta mednarodni
standard organizaciji ustrezna priporočila za naslednje aktivnosti:
a) razvoj meril (npr. osnovnih meril, izpeljanih meril in kazalcev),
b) uvajanje in izvajanje programa merjenja informacijske varnosti,
c) zbiranje in analiziranje podatkov,
6

---------------------- Page: 6 ----------------------

SIST ISO/IEC 27004 : 2011
d) pridobivanje rezultatov merjenja,
e) sporočanje rezultatov razvitih merjenj deležnikom,
f) uporaba rezultatov merjenja kot prispevek k odločitvam v zvezi s SUIV,
g) uporaba rezultatov merjenja za prepoznavanje potreb po izboljšanju uporabljenega SUIV,
vključno z njegovim obsegom, politikami, cilji, kontrolami, procesi in postopki, ter
h) spodbujanje nenehnega izboljševanja programa merjenja informacijske varnosti.
Eden od dejavnikov, ki vplivajo na sposobnost organizacije pri doseganju merjenja, je njena velikost.
Na splošno velikost in kompleksnost poslovanja v kombinaciji s pomenom informacijske varnosti
vplivata na obseg zahtevanega merjenja, in sicer tako glede števila meril, ki jih je treba izbrati, kot
glede pogostosti zbiranja in analiziranja podatkov. Za MSP (majhna in srednje velika podjetja) bo
zadostoval program merjenja informacijske varnosti z manj obsežnimi informacijami, medtem ko bodo
večja podjetja hkrati uvedla in uporabila več programov merjenja informacijske varnosti.
V majhnih organizacijah lahko zadostuje enojni program merjenja informacijske varnosti, medtem ko
lahko v velikih podjetjih obstaja potreba po večkratnem programu merjenja informacijske varnosti.
Napotki, ki jih zagotavlja ta mednarodni standard, bodo imeli za posledico izdelavo dokumentacije, ki
bo prispevala k dokazovanju, da se uspešnost kontrol meri in ocenjuje.
7

---------------------- Page: 7 ----------------------

SIST ISO/IEC 27004 : 2011
Informacijska tehnologija – Varnostne tehnike – Upravljanje informacijske
varnosti – Merjenje
1 Področje uporabe
Ta mednarodni standard daje napotke za razvoj in uporabo meril in meritev, namenjenih oceni
uspešnosti izvajanega sistema upravljanja informacijske varnosti (SUIV) in kontrol ali skupin kontrol,
določenih v ISO/IEC 27001.
Ta mednarodni standard se uporablja za vse vrste in velikosti organizacij.
OPOMBA: Ta dokument uporablja glagolske oblike za izražanje določb (npr. "morati, je treba", "se ne sme", "naj bi", "naj
ne bi", "lahko", "ni treba", " je mogoče" in "ni mogoče"), ki so določene v Direktivah ISO/IEC, 2. del, 2004,
Dodatek H. Glej tudi ISO/IEC 27000:2009, Dodatek A.
2 Zveze s standardi
Naslednja dokumenta sta nujna za uporabo tega dokumenta. Pri datiranem sklicevanju velja samo
navedena izdaja. Pri nedatiranem sklicevanju velja zadnja izdaja dokumenta, na katerega se nanaša
sklic (vključno z morebitnimi dopolnitvami).
ISO/IEC 27000:2009 Informacijska tehnologija – Varnostne tehnike – Sistemi upravljanja
informacijske varnosti – Pregled in izrazoslovje
ISO/IEC 27001:2005 Informacijska tehnologija – Varnostne tehnike – Sistemi upravljanja
informacijske varnosti – Zahteve
3 Izrazi in definicije
V tem dokumentu se uporabljajo izrazi in definicije iz ISO/IEC 27000 ter naslednje:
3.1 analitični model
algoritem ali izračun, ki združuje eno ali več osnovnih in/ali izpeljanih meril, povezanih z odločitvenimi
kriteriji
[ISO/IEC 15939:2007]
3.2 lastnost
lastnost ali značilnost predmeta, ki jo je na podlagi človeške ali avtomatske ocene mogoče količinsko
ali kakovostno razlikovati
[ISO/IEC 15939:2007]
3.3 osnovno merilo
merilo, opredeljeno z lastnostjo in metodo za določitev njene količine
[ISO/IEC 15939:2007]
OPOMBA: Osnovno merilo je funkcionalno neodvisno od drugih meril.
3.4 podatki
zbirka vrednosti, dodeljenih osnovnim merilom, izpeljanim merilom in/ali kazalcem
[ISO/IEC 15939:2007]
3.5 odločitveni kriteriji
pragovi, cilji ali vzorci, uporabljeni za določanje potrebe po nadaljnjem ukrepu ali preiskavi ali za opis
stopnje zaupanja v dani rezultat
[ISO/IEC 15939:2007]
8

---------------------- Page: 8 ----------------------

SIST ISO/IEC 27004 : 2011
3.6 izpeljano merilo
merilo, ki je opredeljeno kot funkcija vrednosti dveh ali več osnovnih meril
[ISO/IEC 15939:2007]
3.7 kazalec
merilo, ki zagotovi oceno ali vrednotenje določenih lastnosti, izpeljanih iz analitičnega modela, glede
na opredeljene informacijske potrebe
3.8 informacijska potreba
vpogled, ki je potreben za upravljanje ciljev, nalog, tveganj in problemov
[ISO/IEC 15939:2007]
3.9 merilo
spremenljivka, katere vrednost je določena kot rezultat merjenja
[ISO/IEC 15939:2007]
OPOMBA: Izraz "merilo" se uporablja kot skupno poimenovanje osnovnih meril, izpeljanih meril in kazalcev.
PRIMER: Primerjava izmerjene stopnje napake z načrtovano stopnjo napake skupaj z oceno ali razliko nakazuje na problem.
3.10 merjenje
proces pridobivanja informacij o uspešnosti SUIV in kontrol z uporabo metode merjenja, merilne
funkcije merjenja, analitičnega modela in odločitvenega kriterija
3.11 funkcija merjenja
algoritem ali izračun, izpeljan z združitvijo dveh ali več osnovnih meril
[ISO/IEC 15939:2007]
3.12 metoda merjenja
logično zaporedje generično opisanih postopkov, uporabljenih pri določanju velikosti lastnosti z
upoštevanjem določene lestvice
[ISO/IEC 15939:2007]
OPOMBA: Vrsta metode merjenja je odvisna od narave postopkov, uporabljenih za določanje velikosti lastnosti. Razlikovati
je mogoče dve vrsti metod:
– subjektivne metode: določanje velikosti, ki vključuje človeško presojo;
– objektivne metode: določanje velikosti, ki temelji na numeričnih pravilih.
3.13 rezultati merjenja
eden ali več kazalcev in z njimi povezane razlage, ki se nanašajo na neko informacijsko potrebo
3.14 predmet
stvar, opredeljena z merjenjem njenih lastnosti
3.15 lestvica
urejen niz vrednosti, zvezni in diskretni, ali niz kategorij, na katere so vezane lastnosti
[ISO/IEC 15939:2007]
OPOMBA: Vrsta lestvice je odvisna od narave razmerja med vrednostmi na lestvici. Splošno so opredeljene štiri vrste lestvic:
– nominalna: vrednosti merjenja so kategorične;
– vrstilna: vrednosti merjenja so razvrstitvene;
– intervalna: vrednosti merjenja so enakih razdalj, ki ustrezajo enakim velikostim lastnosti;
– razmernostna: vrednosti merjenja so enakih razdalj, ki ustrezajo enakim velikostim lastnosti, kjer vrednost nič
ne ustreza nobeni lastnosti.
To so le primeri vrste lestvic.
9

---------------------- Page: 9 ----------------------

SIST ISO/IEC 27004 : 2011
3.16 merska enota
specifična velikost, določena in sprejeta s konvencijo, s katero se druge velikosti iste vrste primerjajo z
namenom, da se izrazijo njihove velikosti glede na to količino
[ISO/IEC 15939:2007]
3.17 potrjevanje
potrdilo z zagotavljanjem stvarnih dokazov, da so izpolnjene zahteve za posebej predvideno uporabo
ali aplikacijo
3.18 preverjanje (preveritev)
potrdilo z zagotavljanjem stvarnih dokazov, da so določene zahteve izpolnjene
[ISO 9000:2005]
OPOMBA: To se lahko imenuje tudi preskušanje skladnosti.
4 Struktura tega mednarodnega standarda
Ta mednarodni standard pojasnjuje merila in aktivnosti merjenja, potrebne za oceno uspešnosti
zahtev SUIV za upravljanje ustreznih in sorazmernih varnostnih kontrol, kot je zahtevano v ISO/IEC
27001:2005, 4.2.
Ta mednarodni standard je strukturiran na naslednji način:
– pregled programa merjenja informacijske varnosti in modela merjenja informacijske varnosti
(točka 5),
– odgovornosti vodstva za merjenja informacijske varnosti (točka 6) ter
– konstrukti merjenja in procesi (tj. načrtovanje in razvoj, izvajanje in delovanje ter izboljševanje
merjenj: sporočanje rezultatov merjenja), ki se izvajajo v okviru programa merjenja informacijske
varnosti (točke 7–10).
Poleg tega dodatek A navaja vzorčno predlogo konstrukta merjenja, katerega sestavine so elementi
modela merjenja informacijske varnosti (glej točko 7). Dodatek B določa vzorce konstrukta merjenja za
posebne kontrole ali procese SUIV z uporabo vzorca iz dodatka A.
Namen teh primerov je pomagati organizaciji pri načinu, kako izvajati merjenje informacijske varnosti
ter kako merjenja in njihove rezultate dokumentirati.
5 Pregled merjenja informacijske varnosti
5.1 Cilji merjenja informacijske varnosti
Cilji merjenja informacijske varnosti v okviru SUIV vključujejo:
a) vrednotenje uspešnosti izvajanih kontrol ali skupin kontrol (glej "4.2.2.d)" na sliki 1);
b) vrednotenje uspešnosti izvajanega SUIV (glej "4.2.3.b)" na sliki 1);
c) preverjanje obsega, do katerega so bile izpolnjene prepoznane varnostne zahteve (glej "4.2.3.c)"
na sliki 1);
d) pospeševanje izboljšanja uspešnosti informacijske varnosti glede na celotna poslovna tveganja
organizacije;
e) zagotavljanje vstopnih podatkov za vodstveni pregled, namenjen pospeševanju sprejemanja
odločitev v zvezi s SUIV in utemeljitvi potrebnih izboljšav pri izvedbi SUIV.
Slika 1 prikazuje ciklično vhodno-izhodno razmerje meritev v razmerju do cikla Načrtuj–Izvedi–
Preveri–Ukrepaj (PDCA), opredeljenega v standardu ISO/IEC 27001. Številke v vsaki sliki
predstavljajo ustrezne podtočke ISO/IEC 27001:2005.
10

---------------------- Page: 10 ----------------------

SIST ISO/IEC 27004 : 2011

Načrtuj Ukrepaj

4.2.1.g) Izberi cilje kontrol 4.2.1.e)2) Oceni realno
in kontrole za obravnavo verjetnost pojava varnostnih
tveganj. Cilji kontrol in odpovedi v luči prevladujočih

4.2.4.a) Uvedi prepoznane izboljšave
kontrole morajo biti izbrani groženj in ranljivosti ter vplivov,
v SUIV
in izvajani tako, da izpolnju- povezanih s temi dobrinami, ter

jejo zahteve, prepoznane v uspešnost trenutno izvedenih
procesih ocenjevanja in kontrol

obravnavanja tveganj


Izvedi Preveri

Izhodni podatki vodstvenega
4.2.2.c) Izvedi kontrole, ki so 4.2.3.b) Redno pregleduj
pregleda morajo vključevati

bile izbrane za doseganje uspešnost SUIV
vsako odločitev in merilo,
ciljev kontrol
povezano s:

7.3.b) posodobitvijo tveganj
in načrtom obravnave tveganj,
4.2.3.d) Preglej ocenjevanja tveganj v
7.3 e) izboljšavo merjenja
načrtovanih časovnih presledkih ter
4.2.2.d) Določi, kako meriti
uspešnosti kontrol
preglej preostala tveganja in prepoznane
uspešnost izbranih kontrol ali
sprejemljive ravni tveganj z

skupin kontrol
upoštevanjem sprememb uspešnosti
izvedenih kontrol

4.2.3.f) Zaveži se k rednim
vodstvenim pregledom

SUIV, da zagotoviš, da obseg
4.2.3.c) Meri uspešnost 7.2)a), f) Vstopni podatki za
ostaja ustrezen in da so
kontrol, da preveriš, ali so vodstveni pregled morajo
prepoznane izboljšave v
izpolnjene varnostne zahteve vključevati rezultate merjenja
procesih SUIV
uspešnosti in pregleda SUIV


Slika 1: Merjenje vhodnih in izhodnih podatkov v ciklusu PDCA SUIV upravljanja informacijske
varnosti

Organizacija naj vzpostavi cilje merjenja, ki temeljijo na številnih dejavnikih, vključno z:
a) vlogo informacijske varnosti pri podpori celotne poslovne dejavnosti organizacije in tveganjih, s
katerimi se sooča,
b) veljavnimi zakonodajnimi, regulatornimi in pogodbenimi zahtevami,
c) organizacijsko strukturo,
d) stroški in koristmi merjenja izvedenih ukrepov informacijske varnosti,
e) kriteriji sprejemljivosti tveganj za organizacijo in
f) potrebo po primerjanju več SUIV znotraj iste organizacije.
5.2 Program merjenja informacijske varnosti
Organizacija naj vzpostavi in upravlja program merjenja informacijske varnosti, da doseže zastavljene
cilje merjenja in sprejme model PDCA v okviru celotnih dejavnosti merjenja organizacije. Organizacija
naj tudi razvije in izvaja konstrukte merjenja za doseganje ponovljivih, objektivnih in koristnih
rezultatov merjenja, ki temeljijo na modelu merjenja informacijske varnosti (glej 5.4).
Program merjenja informacijske varnosti in razviti konstrukt merjenja naj zagotovi, da organizacija
uspešno doseže objektivne in ponovljive meritve ter deležnikom zagotovi rezultate merjenja za
prepoznavanje potreb po izboljšanju izvajanja SUIV, vključno z njegovim obsegom, politikami, cilji,
kontrolami, procesi in postopki.
11

---------------------- Page: 11 ----------------------

SIST ISO/IEC 27004 : 2011
Program merjenja informacijske varnosti naj vsebuje naslednje postopke:
a) razvoj meril in merjenja (glej točko 7),
b) postopek merjenja (glej točko 8),
c) analizo podatkov in poročanje o rezultatih merjenja (glej točko 9) ter
d) vrednotenje in izboljševanje programa merjenja informacijske varnosti (glej točko 10).
Organizacijska in izvedbena struktura programa merjenja informacijske varnosti naj se določita ob
upoštevanju obsega in zahtevnosti SUIV, katerega del sta. V vseh primerih naj se vloge in
odgovornosti za program merjenja informacijske varnosti izrecno dodelijo kompetentnemu
strokovnemu osebju (glej 7.5.8).
Merila, izbrana in izvedena s programom merjenja informacijske varnosti, naj bodo neposredno
povezana s postopkom SUIV, z drugimi merili in tudi s poslovnimi procesi organizacije. Merjenje je
mogoče vključiti v običajne operativne dejavnosti ali ga izvajati v točnih časovnih razmikih, ki jih določi
vodstvo SUIV.
5.3 Dejavniki uspeha
V nadaljevanju so podani nekateri dejavniki, ki prispevajo k uspehu programa merjenja informacijske
varnosti pri spodbujanju nenehnega izboljševanja SUIV:
a) zavezanost vodstva, podprta z ustreznimi viri,
b) obstoj procesov in postopkov SUIV,
c) ponovljivi procesi, sposobni zajemanja in poročanja o pomembnih podatkih za zagotovitev
ustreznih trendov v določenem časovnem obdobju,
d) merljivi ukrepi na podlagi ciljev SUIV,
e) preprosto dosegljivi podatki, ki jih je mogoče uporabiti za merjenje,
f) vrednotenje uspešnosti programa merjenja informacijske varnosti in izvajanje prepoznanih
izboljšav,
g) dosledno periodično zbiranje in analiziranje podatkov merjenja ter poročanje o njih na smiseln
način,
h) uporaba rezultatov merjenja pri deležnikih za prepoznavanje potreb po izboljšanju izvajanja SUIV,
vključno z njegovim obsegom, politikami, cilji, kontrolami, procesi in postopki,
i) sprejem povratnih informacij o rezultatih merjenja od ustreznih deležnikov in
j) vrednotenje uporabnosti rezultatov merjenja in izvajanja prepoznanih izboljšav.
Ko je program merjenja informacijske varnosti uspešno izveden, je z njim mogoče:
1) prikazati skladnost organizacije z veljavnimi zakonskimi ali regulatornimi zahtevami in
pogodbenimi obveznostmi;
...