ISO/IEC 27004

ISO/IEC 27004 is an international standard that provides guidelines to help organizations evaluate the performance and effectiveness of an Information Security Management System (ISMS) implemented in accordance with ISO/IEC 27001. It offers guidance on the measurement and evaluation of information security within the organization.

Definition and purpose

The standard defines a structured approach to measuring information security performance, specifying how to develop and use metrics and measurements to assess the effectiveness of the ISMS and of the controls or groups of controls specified in ISO/IEC 27001. Its purpose is to support organizations in improving their information security and performance through effective measurement and assessment.

Governing Body

ISO/IEC 27004 is maintained by the International Organization for Standardization (ISO) in conjunction with the International Electrotechnical Commission (IEC).

Last updated

ISO/IEC 27004 was initially published in 2009. The standard is reviewed every 5 years and was revised in 2016. It is currently under review.

Applies to

ISO/IEC 27004 applies to all types and sizes of organizations, including public and private sector companies, government entities, and not-for-profit organizations, which have implemented an ISMS in accordance with ISO/IEC 27001 and wish to measure its performance effectively.

Controls and requirements

The main components outlined in ISO/IEC 27004 include:

  • Context of Measurements: Understanding what to measure and why.
  • Development of Metrics: Defining metrics that are relevant and useful for information security performance.
  • Measurement Processes: Implementing processes to collect, analyze, and report data.
  • Evaluation and Improvement: Using the measurements to evaluate the effectiveness of the ISMS, identify areas for improvement, and make informed decisions.

Please refer to the official ISO/IEC 27004:2016 documentation for details on controls and requirements.

Audit type, frequency, and duration

Audits related to ISO/IEC 27004 typically assess an organization's measurement strategies and practices to confirm that they are aligned with the standard and that they effectively measure the performance of the ISMS. The standard does not specify a required frequency for performance measurement, but conducting these assessments regularly, as part of a continuous improvement process, is recommended.

The duration of assessments for ISO/IEC 27004 compliance can vary widely depending on the scope of the ISMS, the size of the organization, and the depth of the measurement and evaluation processes in place.