You’ve studied ISO 27001 and, either internally or with the help of a security partner, you’ve implemented the security controls and practices it describes to achieve compliance. Now, per the ISO standards, it’s on you to continually monitor your ISMS, measure its performance and effectiveness, and determine success. With a complex ISMS, however, this can seem like a daunting prospect. Thankfully, ISO provides a framework for monitoring and measurement within the 27000 series: the ISO 27004 publication on monitoring, measurement, analysis and evaluation of information security management.
As part of our series of articles on the ISO 27000 family, we turn to ISO 27004 to highlight the importance of system monitoring and evaluation from the perspective of this particular framework.