ISO/IEC 27004

ISO/IEC 27004:2009, part of the growing family of ISO/IEC ISMS standards known as the 'ISO/IEC 27000 series', is an information security standard developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full title is Information technology -- Security techniques -- Information security management -- Measurement.

The purpose of ISO/IEC 27004 is to help organizations measure, report and hence systematically improve the effectiveness of their Information Security Management System (ISMS).

The standard includes the following main sections:

  • Information security measurement overview;
  • Management responsibilities;
  • Measures and measurement development;
  • Measurement operation;
  • Data analysis and measurement results reporting;
  • Information Security Measurement Program evaluation and improvement.

Annex A provides a template with which to describe a measure, while Annex B offers some worked examples.

The standard was published on December 7, 2009.[1]

It is currently being revised.

External links

  • ISO Website
  • Open-source software to support an ISO 27004 measurement program