Normenverzeichnis » Norm: ISO/IEC 27004

Änderungsvermerk

Dieses Dokument ersetzt ISO/IEC 27004:2009-12 .

Beschreibung

Contents

Foreword
Introduction

1 Scope

2 Normative references

3 Terms and definitions

4 Structure and overview

5 Rationale

  • The need for measurement
  • Fulfilling the requirements
  • Validity of results
  • Benefits

6 Characteristics

  • General
  • What to monitor
  • What to measure
  • When to monitor, measure, analyse and evaluate
  • Who will monitor, measure, analyse and evaluate

7 Types of measures

  • General
  • Performance measures
  • Effectiveness measures

8 Processes

  • General
  • Identify information needs
  • Create and maintain measures
    • General
    • Identify current security practices that can support information needs
    • Develop or update measures
    • Document measures and prioritize for implementation
    • Keep management informed and engaged
  • Establish procedures
  • Monitor and measure
  • Analyse results
  • Evaluate information security performance and ISMS effectiveness
  • Review and improve monitoring, measurement, analysis and evaluation processes
  • Retain and communicate documented information

A - An information security measurement model (informative)

B - Measurement construct examples (informative)

  • General
  • Resource allocation
  • Policy review
  • Management commitment
  • Risk exposure
  • Audit programme
  • Improvement actions
  • Security incident cost
  • Learning from information security incidents
  • Corrective action implementation
  • ISMS training or ISMS awareness
  • Information security training
  • Information security awareness compliance
  • ISMS awareness campaigns effectiveness
  • Social engineering preparedness
  • Password quality – manual
  • Password quality – automated
  • Review of user access rights
  • Physical entry controls system evaluation
  • Physical entry controls effectiveness
  • Management of periodic maintenance
  • Change management
  • Protection against malicious code
  • Anti-malware
  • Total availability
  • Firewall rules
  • Log files review
  • Device configuration
  • Pentest and vulnerability assessment
  • Vulnerability landscape
  • Security in third party agreements – A
  • Security in third party agreements – B
  • Information security incident management effectiveness
  • Security incidents trend
  • Security event reporting
  • ISMS review process
  • Vulnerability coverage

C - An example of free-text form measurement construction (informative)

  • ‘Training effectiveness’ – effectiveness measurement construct

Bibliography