SIST ISO/IEC 27004:2011
Information technology - Security techniques - Information security management - Measurement
ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.
ISO/IEC 27004:2009 is applicable to all types and sizes of organization.
Technologies de l'information - Techniques de sécurité - Management de la sécurité de l'information - Mesurage
Slovenian title: Informacijska tehnologija - Varnostne tehnike - Upravljanje informacijske varnosti - Merjenje
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27004
First edition
2009-12-15
Information technology — Security techniques — Information security management — Measurement
Technologies de l'information — Techniques de sécurité — Management de la sécurité de l'information — Mesurage
© ISO/IEC 2009 – All rights reserved. Published in Switzerland.
Contents
Foreword
0 Introduction
0.1 General
0.2 Management overview
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this International Standard
5 Information security measurement overview
5.1 Objectives of information security measurement
5.2 Information Security Measurement Programme
5.3 Success factors
5.4 Information security measurement model
5.4.1 Overview
5.4.2 Base measure and measurement method
5.4.3 Derived measure and measurement function
5.4.4 Indicators and analytical model
5.4.5 Measurement results and decision criteria
6 Management responsibilities
6.1 Overview
6.2 Resource management
6.3 Measurement training, awareness, and competence
7 Measures and measurement development
7.1 Overview
7.2 Definition of measurement scope
7.3 Identification of information need
7.4 Object and attribute selection
7.5 Measurement construct development
7.5.1 Overview
7.5.2 Measure selection
7.5.3 Measurement method
7.5.4 Measurement function
7.5.5 Analytical model
7.5.6 Indicators
7.5.7 Decision criteria
7.5.8 Stakeholders
7.6 Measurement construct
7.7 Data collection, analysis and reporting
7.8 Measurement implementation and documentation
8 Measurement operation
8.1 Overview
8.2 Procedure integration
8.3 Data collection, storage and verification
9 Data analysis and measurement results reporting
9.1 Overview
9.2 Analyse data and develop measurement results
9.3 Communicate measurement results
10 Information Security Measurement Programme Evaluation and Improvement
10.1 Overview
10.2 Evaluation criteria identification for the Information Security Measurement Programme
10.3 Monitor, review, and evaluate the Information Security Measurement Programme
10.4 Implement improvements
Annex A (informative) Template for an information security measurement construct
Annex B (informative) Measurement construct examples
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27004 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
0 Introduction
0.1 General
This International Standard provides guidance on the development and use of measures and measurement in
order to assess the effectiveness of an implemented information security management system (ISMS) and
controls or groups of controls, as specified in ISO/IEC 27001.
The scope of such assessment includes policy, information security risk management, control objectives, controls, processes and
procedures. Measurement supports their revision by helping to determine whether any of the ISMS processes
or controls need to be changed or improved. It needs to be kept in mind that no measurement of controls can
guarantee complete security.
The implementation of this approach constitutes an Information Security Measurement Programme. The
Information Security Measurement Programme will assist management in identifying and evaluating non-
compliant and ineffective ISMS processes and controls and prioritizing actions associated with improvement
or changing these processes and/or controls. It may also assist the organization in demonstrating
ISO/IEC 27001 compliance and provide additional evidence for management review and information security
risk management processes.
This International Standard assumes that the starting point for the development of measures and
measurement is a sound understanding of the information security risks that an organization faces, and that
an organization’s risk assessment activities have been performed correctly (i.e. based on ISO/IEC 27005), as
required by ISO/IEC 27001. The Information Security Measurement Programme will encourage an
organization to provide reliable information to relevant stakeholders concerning its information security risks
and the status of the implemented ISMS to manage these risks.
Effectively implemented, the Information Security Measurement Programme would improve stakeholder
confidence in measurement results, and enable the stakeholders to use these measures to effect continual
improvement of information security and the ISMS.
The accumulated measurement results will allow comparison of progress in achieving information security
objectives over a period of time as part of an organization’s ISMS continual improvement process.
0.2 Management overview
ISO/IEC 27001 requires the organization to “undertake regular reviews of the effectiveness of the ISMS taking
into account results from effectiveness measurement” and to “measure the effectiveness of controls to verify
that security requirements have been met”. ISO/IEC 27001 also requires the organization to “define how to
measure the effectiveness of the selected controls or groups of controls and specify how these measures are
to be used to assess control effectiveness to produce comparable and reproducible results”.
The approach adopted by an organization to fulfil the measurement requirements specified in ISO/IEC 27001
will vary based on a number of significant factors, including the information security risks that the organization
faces, its organizational size, resources available, and applicable legal, regulatory and contractual
requirements. Careful selection and justif
...
SLOVENIAN STANDARD
1 March 2011
Informacijska tehnologija - Varnostne tehnike - Upravljanje informacijske varnosti - Merjenje
Information technology - Security techniques - Information security management - Measurement
Technologies de l'information - Techniques de sécurité - Management de la sécurité de l'information - Mesurage
This Slovenian standard is identical to: ISO/IEC 27004:2009
ICS: 35.040 Character sets and information coding
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
SLOVENIAN STANDARD SIST ISO/IEC 27004
March 2011
Informacijska tehnologija – Varnostne tehnike – Upravljanje informacijske varnosti – Merjenje
Information technology – Security techniques – Information security management – Measurement
Technologies de l'information – Techniques de sécurité – Management de la sécurité de l'information – Mesurage
Reference designation
ICS 35.040 SIST ISO/IEC 27004:2011 (sl)
Continued on pages 2 to 65
© 2014-07. Slovenian Institute for Standardization. Reproduction or copying of the whole or parts of this standard is not permitted.
NATIONAL INTRODUCTION
The standard SIST ISO/IEC 27004 (sl), Informacijska tehnologija – Varnostne tehnike – Upravljanje informacijske varnosti – Merjenje, 2011, has the status of a Slovenian standard and is identical to the international standard ISO/IEC 27004 (en), Information technology – Security techniques – Information security management – Measurement, 2009.
NATIONAL FOREWORD
The international standard ISO/IEC 27004:2009 was prepared by subcommittee ISO/IEC JTC 1/SC 27, IT Security techniques, of the joint technical committee of the International Organization for Standardization and the International Electrotechnical Commission.
The Slovenian standard SIST ISO/IEC 27004:2011 is a translation of the international standard ISO/IEC 27004:2009. The Slovenian standard SIST ISO/IEC 27004:2011 was prepared by the technical committee SIST/TC ITC Information technology. In the event of a dispute over the text of the Slovenian translation, the original international standard in English is decisive.
The decision to issue this standard was taken by SIST/TC ITC Information technology on 25 November 2010.
RELATIONSHIP TO NATIONAL STANDARDS
SIST ISO/IEC 27000:2011 Information technology – Security techniques – Information security management systems – Overview and vocabulary
SIST ISO/IEC 27001:2010 Information technology – Security techniques – Information security management systems – Requirements (superseded by SIST ISO/IEC 27001:2013)
BASIS FOR ISSUING THE STANDARD
– adoption of ISO/IEC 27004:2009
NOTES
– Wherever the text of the standard uses the term "International Standard", in SIST ISO/IEC 27004:2011 this means "Slovenian standard".
– The national introduction and national foreword are not an integral part of the standard.