A substantially improved version of the security metrics standard ISO/IEC 27004 has just been published.
The standard covers "Information security management ― Monitoring, measurement, analysis and evaluation", a direct reference to clause 9.1 of ISO/IEC 27001 ... in other words, it is primarily about the metrics needed to make management decisions about, and systematically improve, an ISO27k-style Information Security Management System.
These are the main sections:
- Rationale - explains the value of measuring stuff, e.g. to increase accountability and performance;
- Characteristics - what to measure, monitor, analyze and evaluate, when to do it, and who should do it;
- Types of measures - performance (efficiency) and effectiveness measures;
- Processes - how to develop, implement and use metrics.
Annex B catalogs 35 example metrics using a typical metrics definition form. These are not exactly shining demonstrations of the art; in fact, some of the examples are of poor quality. I'm sure we can come up with a better set of example metrics, and in fact I plan to do so over the coming months, free time permitting. I have in mind documenting a suite of metrics relating to the whole of 27001, including both the management system aspects in the main body of the standard and the information security controls listed in Annex A. Watch this space.
I am pleased, relieved in fact, that the 2009 version of this standard is now consigned to history. It was an academic piece, full of theory and an obsessive focus on the calculation part of measurement - strange, really, given that it is such a simple and inconsequential part of metrics (essentially just 'collect data, run statistical analysis, generate result') compared to the far more important issues of what to measure and why. I honestly feel that its publication retarded rather than advanced the field of security metrics. The new release is much more pragmatic and helpful for those designing, implementing, using and improving ISO27k ISMSs. I commend it to the house.
The new standard is available to purchase from ISO, from ANSI, and no doubt from other official sales outlets too. It costs about $200 (don't shoot the messenger: I wish all the ISO27k standards were available free of charge in order to encourage widespread global adoption and improve the general state of information security but it's ISO that sets the price, not me).