ISO/IEC 27004:2009, part of the growing family of ISO/IEC ISMS standards known as the 'ISO/IEC 27000 series', is an information security standard developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is Information technology -- Security techniques -- Information security management -- Measurement.
The purpose of ISO/IEC 27004 is to help organizations measure, report and hence systematically improve the effectiveness of their Information Security Management System (ISMS).
The standard includes the following main sections:
- Information security measurement overview;
- Management responsibilities;
- Measures and measurement development;
- Measurement operation;
- Data analysis and measurement results reporting;
- Information Security Measurement Program evaluation and improvement.
Annex A provides a template with which to describe a measure, while Annex B offers some worked examples.
The standard was published on December 7, 2009.
It is currently being revised.