ISO / IEC 27004 - An Introduction.

We are aware that ISO/IEC 27001 is an international standard on how to manage information security. Most organizations implement multiple processes and technologies to secure their information systems which can range from deploying a network firewall, implementing an antivirus solution to employee background checks and termination of employee access upon resignation. All these are referred to as security controls. If these security controls are implemented in a disorganized and disjoint fashion then the security of an organization has a high probability of compromise rather than protection. In order to have all the security controls organized it is important to follow an Information Security Management System (ISMS). In summary, an ISMS can be defined as a system of organizing security controls in an organization to ensure that the information assets of an organization are protected from threats. In ISMS terms we deploy controls to protect the confidentiality (C), integrity (I), and availability (A) of information and information assets. This is simply called the CIA.?

In terms of execution ISMS simply involves "Information Risk Management" which is a process to access the risks to an organization's information assets and take steps to treat those risks via implementation of security controls.?

The International Organization for Standardization develops several standards for technical, commercial, and industrial practices and processes.

ISO 27001 is an international standard from International Organization for Standardization (ISO) on how to manage information security. ISO 27001 requires that an organization

1. Systematically identifies all the information assets in an organization.?
2. Evaluate the risks to these assets taking account of vulnerabilities and how threats can exploit them to compromise the confidentiality (C), integrity (I), and availability (A) of information and information assets
3. Evaluate the impact of these risks.
4. Design a form of risk treatment to address these risks by identifying necessary controls and implementing those controls.
5. Ensure that the controls are effective by following a continuous Plan-Do-Check-Act (PDCA) cycle.
6. Create and implement a continuous assessment and improvement plan.

An important process of any ISO standard is to measure the effectiveness of the business processes in terms of metrics and KPIs. Accordingly in ISO 27001, it is important to measure the effectiveness of the implemented controls. "If you can’t measure it you can’t manage it" that is how we complete the "C" of the PDCA Cycle."Improvement" is the last aspect of the ISO 27001 system and we can improve unless we measure what we are doing currently. PDCA cycle refers to continuous improvement and we need to measure the effectiveness of our policies and controls in order to continuously improve them. The controls must be monitored, measured, and evaluated to ensure that they are implemented as per ISO27001 requirements and are performing to mitigate risk and improvement.?

Here comes ISO 27004

ISO 27004 offers guidelines on how to determine the performance of ISO 27001. It describes how to create and operate evaluation systems and how to analyze and disclose the effects of a set of information security metrics. It provides guidelines to develop security metrics and these security metrics can provide insight into the effectiveness of how ISMS has been implemented (using ISO 27001). Without appropriate metrics, an organization will unable to define the posture of its information security and posture of how risks are being managed using ISO 27001. Without metrics, we will be unable to communicate the benefits of ISO 27001 to management. Metrics are the only mechanism that will act as a vehicle to drive the PDCA and continuous improvement cycle.?

ISO 27004 is defined as -?Monitoring, measurement, assessment, and evaluation, offers guidelines on how to determine the performance of the ISO / IEC 27001:2013 information security management framework.

So ISO 27004 provides guidelines on how to establish these metrics (choose what to measure), how to access controls using these metrics and how to record and communicate these metrics. It describes in detail how the efficiency of ISO 27002 controls can be measured. Recording and communicating the effectiveness of ISO 27001 is not only important for continuous improvement but for increased transparency as well.

ISO 27004 consists of 8 clauses and 3 Annex. The first 4 clauses are introductory and clause 5 -8 are key clauses.

• 5. Rationale - Defines the need for measurement and how it fulfills the requirements of ISO 27001.
• 6. Characteristics - Defines 'what to' measure, monitor, analyse and evaluate and 'when to' and 'who will'
• 7. Types of measures - Performance & Effectiveness
• 8. Processes -?
• Annex Clauses describe measurement construct examples.

Monitoring and measurement is the first step in a process to evaluate information security performance and ISMS effectiveness.

Monitor - Monitoring determines the status of a system, a process, or an activity in order to meet a specified information need.

Some activities that can be monitored are?

• Risk Assessment?
• Risk Treatment
• Vulnerability Management
• Incident Management
• Business Continuity

Measure - Measurement is an activity undertaken to determine a value, status or trend in performance or effectiveness to help identify potential improvement needs.

Some activities that can be measured are

• communication
• management review
• audit

First ISO 27004 guides on "What to Monitor" - Which controls and processes should be monitored. It may not be possible to monitor all controls hence our business requirements, regulatory and compliance requirements may define what to measure. Also, it may differ from organization to organization as the management deems.

Second ISO 27004 guides on "What to Measure" - Which controls and processes should be measured. Monitor differs from the measure. In measurement, we have to assign a tangible value whose progress or trend can be established.

Third ISO 27004 guides on "When to monitor, measure, analyze and evaluate" - The "when" term is dependent on the organization's requirement. Some controls may require ad-hoc monitoring while other controls may require continuous monitoring. Generally a periodic approach is followed which is weekly, monthly or quarterly. Accordingly reporting of these metrics is followed.

Fourth ISO 27004 guides on "Who will monitor, measure, analyze and evaluate" - The roles and responsibilities regarding the management of monitoring and reporting have to be defined.

The two approaches defined by ISO 27004 for monitoring and measurement are?

1. Performance:- The ISO 27004 defines 'performance measures' as expressing the results in terms of the level of accomplishment i.e. degree to which the ISO 27002 controls have been implemented.?

An example of performance measurement is the percentage of Laptops with EDR agents. When the control is tracked it can start with 50% and slowly as IT teams work the metric will slowly increase to 100%. When it reaches 100% we can say that control is successfully implemented.?

2. Effectiveness:- The ISO 27004 defines 'effectiveness measures' as expressing the results in terms of realization of a control activity has on the information security objectives.?

An example of effectiveness measurement is no of vulnerabilities on systems. The greater the no of vulnerabilities and greater their severity the greater is the probability of exploitation and the greater the risk.?

Monitoring, measurement, analysis, and evaluation consists of the following processes:

1. identify information needs;
2. create and maintain measures;
3. establish procedures;
4. monitor and measure;
5. analyze results; and
6. evaluate information security performance and ISMS effectiveness.

Example of a metric