You’ve studied ISO 27001 and, either internally or with the help of a security partner, you’ve implemented the security controls and practices it describes to achieve compliance. Now, per ISO standards, it’s on you to continually monitor your ISMS, measure its performance and effectiveness, and determine success. With a complex ISMS, however, this can seem like a daunting prospect. Thankfully, ISO provides a framework for monitoring and measurement within the 27000 series: the ISO 27004 publication on monitoring, measurement, analysis and evaluation of information technology.
As part of our coverage of the ISO 27000 series, we turn to ISO 27004 to highlight the importance of system monitoring and evaluation from the perspective of this particular framework.
What Is the ISO 27000 Series?
The International Organization for Standardization develops several standards for technical, commercial and industrial practices and processes. One of the significant areas where ISO standards have an impact is cybersecurity, where standardized practices and technologies can help organizations meet basic security requirements without having to reinvent the wheel.
Generally, ISO will release publications covering specific standards for anything ranging from risk management and security controls to hardware standards and, over time, revise those publications to address new developments and challenges in the field. Sometimes, ISO will release a numbered series of publications to address complex industries or practices.
One of the more well-known of these document series is the ISO 27000 series. At its heart, this series covers best practices for information system security. It does this by defining what are known as “Information Security Management Systems” (ISMSs): collections of technologies and procedures that help define the security controls your organization must implement to address data confidentiality, availability and integrity.
While there are several documents within the 27000 series, the foundation of the entire sequence is ISO 27001. This document defines the fundamentals of implementing an ISMS that covers critical security and privacy issues. Some of the categories that are addressed by ISO 27001 include:
- Addressing risk and managing risk across your organization
- Implementing practical continuing training and education efforts as well as regular audits
- Creating and implementing a continuous assessment and improvement plan
- Defining roles and responsibilities within your organization to manage IT resources and the ISMS
- Developing and using a robust security policy for your organization
The actual list of categories and controls in ISO 27001 is immense, and as such, ISO has broken up different aspects of managing and implementing ISO 27001 guidelines across several publications. ISO 27002, for example, catalogs the extensive security controls referred to more broadly in ISO 27001; 27007 covers how to audit systems complying with ISO 27001; and 27014 covers information security governance.
What is ISO 27004?
One task that is integral to the success of an ISMS is assessment. Business and technical leaders in your organization must monitor, evaluate and improve security systems against standards to ensure that they are properly implemented and performing as they should.
ISO 27004 contributes to the entirety of the 27000 series, but specifically to 27001, by providing a framework for monitoring and assessing security systems, particularly the ISMS, to ensure that they are working as they should to protect data processed and stored by your organization. This document defines several characteristics of successful monitoring, approaches to assessment and a general process for measuring ISMS effectiveness.
Because an ISMS can become so large and complex, it can seem complicated, if not impossible, to monitor for issues and to measure success. Therefore, ISO 27004 defines some general questions to consider when evaluating your systems:
- What to Monitor: The first question is the most fundamental. What controls, systems and characteristics should you monitor? There are several processes, practices and technologies in place within an ISMS, and as such you may not need to monitor all systems at the same time. Conversely, compliance regulations may dictate that you monitor specific systems at all times. Therefore, determine which systems to monitor (including everything from risk management practices and IAM to vulnerability management, vendor relationships or configuration management).
- What to Measure: Unlike monitoring, where you determine what to look at, determining measurement is a practice of ascertaining value, progress, trends and effectiveness in a system. Since ISO 27001 requires, for some security controls, that your organization determine and review the effectiveness of certain practices and procedures, it’s imperative that you make this part of your ISMS review.
- When to Monitor, Measure, Analyze and Evaluate: Depending on your needs and obligations, the “when” of measuring and monitoring will change. Some controls will call for continuous monitoring, while others may only require annual monitoring. Furthermore, it will most likely be the case that some ISMS components will call for evaluation based on certain circumstances, under certain conditions or after certain events.
- Who will Monitor, Measure, Analyze and Evaluate: You should determine who among your compliance and security leadership, including IT teams or security vendors, will manage monitoring and assessment. This can include automated and guided monitoring or manual processes.
Additionally, ISO 27004 defines two umbrella approaches to assessment measures:
- Performance: According to the ISO 27004 document, performance measures can be used to “demonstrate progress in implementing the ISMS process.” As such, measuring a system’s performance refers to how controls have been implemented and if these implementations match requirements specified in policies, governance procedures, and regulations.
- Effectiveness: This same document defines effectiveness measures as ways to “determine whether ISMS processes and information security controls are operating as intended and achieving their desired outcomes.” That is, are they doing what they should in terms of organizational impact (cost savings, customer data security and customer trust)?
Finally, ISO 27004 defines a general process for monitoring and measuring performance and effectiveness in your ISMS:
- Identify Information Needs, including identifying stakeholders, risk, security policies and objectives and other criteria.
- Create and Maintain Measures, i.e., the actual development of security measures that account for compliance and legal requirements, ISMS scale and scope, intended outcomes and goals, and plans for updates.
- Develop or Update Measures, including any and all plans to implement measures and to use analytics and other metrics to determine upgrades and updates to any controls or to the monitoring of those controls. This stage also includes requirements for documenting security measures and prioritizing implementation.
- Establish Procedures, including the establishment of reporting standards, vendor and partner participation, data collection and analytics and leadership responsibilities.
ISO 27000 Compliance Audit Automation with Continuum GRC
The ISO 27000 series is a rigorous security framework that many SMBs and large businesses adopt to demonstrate their security posture. Because of the complexity of this framework, many organizations are turning to automated auditing to help them streamline compliance without adding extra time or effort for their already busy teams.
Continuum GRC offers comprehensive, automated auditing and consulting services for ISO 27001 and the rest of the series. This includes support for control implementation evaluation, monitoring and continuing updates. Our SaaS platform can take audits that would normally require weeks, and even months, of work and reduce your investment to days.
Get Ready for ISO 27004 Monitoring and Assessment
Call Continuum GRC at 1-888-896-6207 or complete the form below.