
How to Measure the Effectiveness of Information Security

Effective information security and data protection are no longer optional: protecting personal records and commercially sensitive information is crucial to business survival. The challenge is knowing whether your ISO/IEC 27001 information security management system (ISMS) is actually equal to the task. If that question has been a concern for you, the new ISO/IEC International Standard described below could be useful.

The latest edition, ISO/IEC 27004:2016 Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, offers guidance on how to measure the performance of an ISMS built on ISO/IEC 27001. The guidance covers how to develop and operate measurement processes, and how to assess and report the results of a set of information security measures.

Prof. Edward Humphreys, convener of the working group that developed the standard (ISO/IEC JTC 1/SC 27), says: “Cyber-attacks are among the greatest risks an organization can face. This is why the much improved version of ISO/IEC 27004 provides essential and practical support to the many organizations that are implementing ISO/IEC 27001 to protect themselves from the growing diversity of security attacks that business is facing today.”

Security metrics now take centre stage because they give insight into the effectiveness of an ISMS, which makes them a valuable tool for organisations seeking to understand their cyber-risks. Engineers, security consultants and business executives rely on them when making important management decisions.

Prof. Humphreys also adds that: “Organizations need help to address the question of whether the organization’s investment in information security management is effective, fit for purpose to react, defend and respond to the continually changing cyber-risk environment. This is where ISO/IEC 27004 can provide numerous advantages.”

ISO/IEC 27004:2016 provides guidance on how to build an information security measurement programme: how to select what to measure, and how to operate the essential measurement processes. It includes a wide range of example measures and ways to assess how effective those measures are.
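To make the measurement chain concrete, the following is an added example written for this page; it is not code from ISO, from the standard, or from ISO QA Isle of Man. It takes a hypothetical measure, "critical patches applied within the agreed window", and carries it from base measures (raw counts) through a derived measure (a ratio) to an indicator judged against decision criteria, in the style of the measurement model the standard describes. The hostnames, dates, the 14-day window and the 95%/80% thresholds are all invented for illustration.

```python
"""Worked ISO/IEC 27004-style measurement construct (added example, hypothetical data).

Measure: proportion of in-scope hosts that had a critical patch applied within
the agreed window. Chain: base measures -> derived measure -> indicator.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Decision criteria (hypothetical thresholds chosen for illustration only).
GREEN_THRESHOLD = 0.95
AMBER_THRESHOLD = 0.80
PATCH_WINDOW = timedelta(days=14)  # hypothetical agreed patching window


@dataclass(frozen=True)
class PatchRecord:
    """One in-scope host and one critical patch (constructed sample data)."""
    host: str
    released: date             # vendor release date of the critical patch
    applied: Optional[date]    # date the patch was confirmed installed, or None


def base_measures(records, as_of):
    """Base measures: objective counts taken directly from the records."""
    within_window = late = overdue = pending = 0
    for r in records:
        if r.applied is not None:
            if r.applied - r.released <= PATCH_WINDOW:
                within_window += 1
            else:
                late += 1
        elif as_of - r.released > PATCH_WINDOW:
            overdue += 1          # unpatched and the window has elapsed
        else:
            pending += 1          # unpatched but still inside the window
    return {"within_window": within_window, "late": late,
            "overdue": overdue, "pending": pending}


def derived_measure(bm):
    """Derived measure: share of evaluable hosts patched within the window.

    Hosts still inside their window are excluded so an early report does not
    understate performance. An empty denominator yields None, not 100%.
    """
    evaluable = bm["within_window"] + bm["late"] + bm["overdue"]
    if evaluable == 0:
        return None
    return bm["within_window"] / evaluable


def indicator(ratio):
    """Indicator: map the derived measure onto the decision criteria."""
    if ratio is None:
        return "NO DATA"
    if ratio >= GREEN_THRESHOLD:
        return "GREEN"
    if ratio >= AMBER_THRESHOLD:
        return "AMBER"
    return "RED"


def report(records, as_of):
    """Produce the values a measurement report would carry for this measure."""
    bm = base_measures(records, as_of)
    ratio = derived_measure(bm)
    return {**bm, "ratio": ratio, "status": indicator(ratio)}


# Constructed sample input (not real systems or dates).
AS_OF = date(2024, 3, 1)
SAMPLE = [
    PatchRecord("hostA", date(2024, 1, 10), date(2024, 1, 20)),  # 10 days: within
    PatchRecord("hostB", date(2024, 1, 10), date(2024, 2, 5)),   # 26 days: late
    PatchRecord("hostC", date(2024, 1, 10), None),               # 51 days: overdue
    PatchRecord("hostD", date(2024, 2, 20), None),               # 10 days: pending
    PatchRecord("hostE", date(2024, 2, 1), date(2024, 2, 14)),   # 13 days: within
    PatchRecord("hostF", date(2024, 2, 1), date(2024, 2, 15)),   # 14 days: within
    PatchRecord("hostG", date(2024, 1, 5), date(2024, 1, 6)),    # 1 day: within
]

if __name__ == "__main__":
    print(report(SAMPLE, AS_OF))
```

The point of separating the three layers is auditability: base measures are reproducible counts, the derived measure states the arithmetic explicitly, and the decision criteria are written down rather than left to whoever reads the chart. Note the two edge cases a practitioner will meet in real data: hosts whose window has not yet elapsed are neither a success nor a failure, and an empty evaluable set must report "no data" rather than a flattering 100%.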

Some of the benefits ISO/IEC 27004 offers organisations include:

  • Better accountability
  • Improved ISMS processes and information security performance
  • Documented evidence of meeting applicable laws, rules and regulations as well as the requirements of ISO/IEC 27001

ISO/IEC 27004:2016 replaces the 2009 edition. It was updated and extended to align with the revised ISO/IEC 27001:2013, so that measurement results map directly onto the requirements organisations are certified against.

ISO QA Isle of Man can help your business transition to new standards. Contact us today for a free consultation.


Call 0330 043 5101

Head office
ISO QA Isle of Man Limited
Design House (18B)
Carrs Lane
Isle of Man
