How to measure the effectiveness of information security

You simply can’t be too careful when it comes to information security. Protecting personal records and commercially sensitive information is critical. But how can you tell that your information security management system (ISMS) is making a difference? A new ISO/IEC International Standard can help you out.

The recently updated ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis, and evaluation, provides guidance on how to assess the performance of ISO/IEC 27001. It explains how to develop and operate measurement processes, and how to assess and report the results of a set of information security metrics.

Prof. Edward Humphreys, Convenor of the working group that developed the standard (ISO/IEC JTC 1/SC 27), says: “Cyber-attacks are among the greatest risks an organization can face. This is why the much-improved version of ISO/IEC 27004 provides essential and practical support to the many organizations that are implementing ISO/IEC 27001 to protect themselves from the growing diversity of security attacks that business is facing today.”

Security metrics can provide insights regarding the effectiveness of an ISMS and, as such, have taken center stage. Whether you’re an engineer or consultant responsible for security and reporting to management or an executive who needs better information for decision making, security metrics have become an important vehicle for communicating the state of an organization’s cyber risk posture.

In Prof. Humphreys’ own words: “Organizations need help to address the question of whether the organization’s investment in information security management is effective, fit for purpose to react, defend and respond to the continually changing cyber-risk environment. This is where ISO/IEC 27004 can provide numerous advantages.”

ISO/IEC 27004:2016 shows how to construct an information security measurement program, how to select what to measure, and how to operate the necessary measurement processes. It includes extensive examples of different types of measures, and how the effectiveness of these measures can be assessed.

Among the many benefits to organizations of using ISO/IEC 27004 are:

  • Increased accountability
  • Improved information security performance
  • Superior ISMS processes
  • Evidence of meeting requirements of ISO/IEC 27001, as well as applicable laws, rules, and regulations

Beyond the expectations of consumers and partners, Sarbanes-Oxley compliance requires that organizations establish safeguards to prevent data tampering, safeguards to establish timelines, and verifiable controls to track data access; these same elements form the framework of an ISO 27001 certification.

ISO 27001 is the international standard for how a company manages its information security. It sets out how a company should address the requirements of confidentiality, integrity, and availability of its information assets and incorporate this into an information security management system (ISMS).

Certification to ISO 27001 is a powerful demonstration of an organization’s commitment to managing information security.

IMSM has assisted more than 1,000 businesses around the world to achieve ISO 27001 certification. IMSM is a full-service ISO consultancy that has grown to become an international market leader in quality, environmental, health & safety, information security, and business continuity management systems. Our IMSM certified consultants will guide you and your organization from initial analysis through to full certification.

If you want more information, please visit https://www.imsm.com/us or email us at [email protected] and we will help you determine what you need to protect your information assets.

More articles by Tracy Hawkey