Answers


Raghavan V

Information Security Administrator at Tavant Technologies, Bengaluru

ISO 27001 Metrics

Can anybody share various metrics that can be captured in ISO 27001?

posted February 26, 2008 in Information Security | Closed

Answers (3)

Salman K

GM Business Development, AET

Salman K suggests this expert on this topic:

I was at one point part of an organization that implemented ISO 27001. One of my colleagues there was actively involved in this activity. I am recommending him for this question.

posted February 26, 2008

Martin D

Chief Technology Officer, CSO and Owner, Above Security

Good morning Raghavan!

Metrics... What a great... blurry... and not understood word!!!

I have a bunch of them, but the essence of the subject is to capture which ones are useful, what you are trying to measure, who will read them and what message you are trying to pass to them.

Metrics can be oriented toward improvement of the security posture, as an example, or to measure the level of effectiveness of the current investment, or to determine the level of awareness of the workforce...

Metrics can be used as our own internal performance measuring system or can be used to communicate with top management. In all cases, the metrics are really different and you need to answer the few questions I asked at the beginning of my answer prior to starting to establish which ones are needed and within which corporate context.

There are some great books out there but again, I always suggest my customers make up their minds first to determine what they want before working on how to do it.

I hope this will help :) Don't hesitate to contact me to push the discussion further.

Have a great day!
Martin Dion (CISSP/CISM)
CTO @ Above Security

Clarification added February 26, 2008:

By the way, ISO is coming with a new standard: ISO 27004, which will be the Information Security Management Measurement and Metrics. You can track the publication of the standard using the included link. Like many ISO standards, it will help you in building the measurement and metric program but won't tell you exactly which metrics and how... It will be more of a thinking process than a complete recipe.

posted February 26, 2008

Rob S

InfoWar Architect

My understanding of ISO 27001 is that it does not involve metrics. It's a certification to assure that certain processes and safeguards are in place, not an ongoing security program.

posted February 27, 2008