标准2025—-ISO / IEC 27004标准解释了如何制定,评价和报告信息安全指标的结果
克莱尔.马钱德报道
在信息安全方面,我们多么谨慎都不为过。保护个人档案及商业敏感信息非常重要。但你又如何证明ISO/IEC 27001信息安全管理体系(ISMS)正在发挥作用?一项新的ISO/IEC国际标准也许能帮到你。
一、关于信息安全
ISO/IEC 27004阐述了如何建立测量过程,以及如何评价并报道信息安全度量的结果。
二、关于ISO/IEC 27004新版本
近日修订的ISO/IEC 27004:2016,信息安全——安全技术——信息安全管理——监测、测量、分析及评价为如何评估ISO/IEC 27001:2013,信息安全——安全技术——信息安全管理系统——需求的效益提供了指南。它阐述了如何建立并运用测量流程,以及如何评价和报道一组信息安全度量的结果。
ISO/IEC JTC 1/SC 27标准制定组的召集人爱德华.汉弗莱(Edward Humphreys)教授说道:“网络攻击是企业面临的最大风险之一,许多企业都采用ISO/IEC 27001标准来保护自己不受当今面临的各种网络攻击之害。这也是为什么ISO/IEC 27001改良版要为这些企业提供基础且实用的支持。
三、ISMS有效性洞见
安全度量可以提供一个ISMS有效性的洞见,它也因此成为人们的关注点。不论你是负责管理安全及报道的工程师或顾问,或是需要更多信息以做决策的管理人员,安全度量都是企业网络风险状况的一个重要交流媒介。
汉弗莱教授说:“企业需要帮助解决企业在信息安全管理上的投资是否有效这一问题,并与以下目标相一致:对网络风险做出反应、提防并应对不断变化的风险环境。这也是ISO/IEC 27004标准能充分发挥其优势的地方。”
四、好处多多
ISO/IEC 27004:2016说明了如何建构一个信息安全测量项目、如何选择测量内容、以及如何运用必要的测量流程。还包括不同测量类型的大量实例、以及如何评价它们的有效性。
五、企业采用ISO/IEC 27004标准的好处有:
加强问责;
提高信息安全效益、优化ISMS流程;
ISO/IEC 27001需求满足凭证及恰当的法律、规定及章程。
ISO/IEC 27004:2016将代替2009版本;ISO/IEC 27004:2016已被更新与扩展,以匹配ISO/IEC 27001:2013修订版,为企业提供更大的附加价值与信心。
ISO/IEC 27004:2016 was developed by Subcommittee 27: IT security techniques, of ISO/IEC Joint Technical Committee (JTC) 1, Information technology.
ISO/IEC 27004:2016由第27分技术委员会制定:第一ISO/IEC联合技术委员会(JTC)信息技术,信息技术制定。
Measuring effectiveness of information security
ISO/IEC 27004 explains how to develop, assess and report results of information security metrics
By Claire Marchand
You simply can’t be too careful when it comes to information security. Protecting personal records and commercially sensitive information is critical. But how can you tell that your ISO/IEC 27001 information security management system (ISMS) is making a difference? A new ISO/IEC International Standard can help you out.
information security
ISO/IEC 27004 explains how to develop measurement processes and how to assess and report results of information security metrics
New edition of ISO/IEC 27004
The recently updated ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements. It explains how to develop and operate measurement processes, and how to assess and report the results of a set of information security metrics.
Prof. Edward Humphreys, Convenor of the working group that developed the standard (ISO/IEC JTC 1/SC 27), says: “Cyber-attacks are among the greatest risks an organization can face. This is why the much improved version of ISO/IEC 27004 provides essential and practical support to the many organizations that are implementing ISO/IEC 27001 to protect themselves from the growing diversity of security attacks that business is facing today.”
Insights into effectiveness of ISMS
Security metrics can provide insights regarding the effectiveness of an ISMS and, as such, have taken centre stage. Whether you’re an engineer or consultant responsible for security and reporting to management or an executive who needs better information for decision making, security metrics have become an important vehicle for communicating the state of an organization’s cyber risk posture.
In Prof. Humphreys’ own words, “Organizations need help to address the question of whether the organization’s investment in information security management is effective, fit for purpose to react, defend and respond to the continually changing cyber-risk environment. This is where ISO/IEC 27004 can provide numerous advantages.”
Many benefits
ISO/IEC 27004:2016 shows how to construct an information security measurement programme, how to select what to measure, and how to operate the necessary measurement processes. It includes extensive examples of different types of measures, and how the effectiveness of these measures can be assessed.
Among the many benefits to organizations of using ISO/IEC 27004 are:
Increased accountability
Improved information security performance and ISMS processes
Evidence of meeting requirements of ISO/IEC 27001, as well as applicable laws, rules and regulations
ISO/IEC 27004:2016 replaces the 2009 edition; it has been updated and extended to align with the revised version of ISO/IEC 27001:2013 to provide organizations with greater added value and confidence.
ISO/IEC 27004:2016 was developed by Subcommittee 27: IT security techniques, of ISO/IEC Joint Technical Committee (JTC) 1, Information technology.