You cannot be too careful about information security. Protecting personal records and commercially sensitive information is critical. But how do you know that your ISO/IEC 27001 information security management system (ISMS) is making a difference? A new ISO/IEC International Standard can help.
The recently revised ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on evaluating the performance of ISO/IEC 27001. The standard explains how to develop and operate an evaluation system, and how to assess and report a set of information security measures.
Prof. Edward Humphreys, Convenor of the ISO/IEC JTC 1/SC 27 working group that developed the standard, says: “Cyber-attacks are among the greatest risks a company faces. This is why the much improved version of ISO/IEC 27004 can provide essential and practical support to the many companies that have implemented ISO/IEC 27001 to protect themselves from today’s diverse security attacks.”
Security metrics provide insight into the effectiveness of an ISMS and have therefore attracted attention. Whether you are an engineer or consultant responsible for security or reporting, or an executive who needs better information for decision making, security metrics are an important communication tool for presenting the state of a company’s cyber risk.
In Prof. Humphreys’ words: “Companies need help to address the question of whether their investment in information security management is effective and fit for the purpose of reacting, defending and responding to a continually changing cyber-risk environment. ISO/IEC 27004 offers many advantages here.”
ISO/IEC 27004:2016 shows how to set up an information security measurement programme, how to select what to measure, how to operate the necessary measurement processes, and how to assess the effectiveness of the measures. The standard includes extensive examples of different types of measures.
The benefits of using ISO/IEC 27004 for a company are as follows:
. Increased accountability
. Improved information security and optimized ISMS processes
. Meeting the requirements of ISO/IEC 27001, as well as those of applicable laws, rules and regulations
ISO/IEC 27004:2016 replaces the previous 2009 edition; it has been updated and extended in line with the revised ISO/IEC 27001 to provide companies with greater added value and confidence.
ISO/IEC 27004:2016 was developed by ISO/IEC JTC 1/SC 27, the information technology subcommittee, whose secretariat is held by the German Institute for Standardization (DIN).
How to measure the effectiveness of information security
You simply can’t be too careful when it comes to information security. Protecting personal records and commercially sensitive information is critical. But how can you tell that your ISO/IEC 27001 information security management system (ISMS) is making a difference? A new ISO/IEC International Standard can help you out.
The recently updated ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of ISO/IEC 27001. It explains how to develop and operate measurement processes, and how to assess and report the results of a set of information security measures.
Prof. Edward Humphreys, Convenor of the working group that developed the standard (ISO/IEC JTC 1/SC 27), says: “Cyber-attacks are among the greatest risks an organization can face. This is why the much improved version of ISO/IEC 27004 provides essential and practical support to the many organizations that are implementing ISO/IEC 27001 to protect themselves from the growing diversity of security attacks that business is facing today.”
Security metrics can provide insights regarding the effectiveness of an ISMS and, as such, have taken centre stage. Whether you’re an engineer or consultant responsible for security and reporting to management or an executive who needs better information for decision making, security metrics have become an important vehicle for communicating the state of an organization’s cyber-risk posture.
In Prof. Humphreys’ own words: “Organizations need help to address the question of whether the organization’s investment in information security management is effective, fit for purpose to react, defend and respond to the continually changing cyber-risk environment. This is where ISO/IEC 27004 can provide numerous advantages.”
ISO/IEC 27004:2016 shows how to construct an information security measurement programme, how to select what to measure, and how to operate the necessary measurement processes. It includes extensive examples of different types of measures, and how the effectiveness of these measures can be assessed.
Among the many benefits to organizations of using ISO/IEC 27004 are:
. Increased accountability
. Improved information security performance and ISMS processes
. Evidence of meeting requirements of ISO/IEC 27001, as well as applicable laws, rules and regulations
ISO/IEC 27004:2016 replaces the 2009 edition; it has been updated and extended to align with the revised version of ISO/IEC 27001 to provide organizations with greater added value and confidence.
ISO/IEC 27004:2016 was developed by joint technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT security techniques, whose secretariat is held by DIN, the ISO member for Germany. It is available from your national ISO member or through the ISO Store.