I have no idea why, but my posts about ISMS are those that get by far the most hits. So I’ll continue the series ISO 27001 – The Good and the Bad (here are the links to Part I and Part II) with the topic I already mentioned yesterday: Measuring the effectiveness of controls.
The corresponding requirement can be found in clause ISO 27001:2005 4.2.2d. In the words of the standard, it sounds like this:
Define how to measure the effectiveness of the [...] controls [...] and specify how these measurements are to be used to assess control effectiveness to produce comparable and reproducible results [...].
Ted Humphreys himself said that the requirement is not very clear. First off, it is important to note that this is one of three control mechanisms. The first is the internal auditing and management review that the standard requires. The second is the incident management that must be implemented and used to identify potential vulnerabilities and close them via corrective and preventive actions.
We’re talking about the third one: Measuring the effectiveness of controls. Let’s go through the clause word by word. The first thing that sticks out is that there is no limiting element in there. In theory you’d need to measure the effectiveness of each and every control you implemented in your ISMS. While measuring the performance of technical measures is not easy, it is at least doable by specifying key figures; measuring the performance of organizational controls is outright impossible. How are you supposed to find out how effective your security policy is? In a way that is reproducible? Forget it! What about screening? The only thing you can find out is when it was not effective. But by then it will be too late.
While I think the requirement itself does make sense, I would expect some guideline on which controls the measurement must be implemented for. Doing it for all controls is definitely impossible.
The second thing which in my humble opinion is unclear is how to measure the effectiveness. Using key figures is just a guess from my side. The auditor I accompanied a couple of months ago seemed to have the same opinion. It would definitely help if they included just a sentence with some guidance.
This guidance is going to be provided by a standard of its own, ISO 27004. The only problem is that it is still not available. Some people expect it to become available this year, but I personally think it won’t be released until 2009 (though I hope I’m wrong). However, what is available today is the BIP 0074:2006 standard. It’s called “Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001”. ISO 27004 can be expected to be based on the BIP book. Unfortunately I have not yet had the chance to read it. If I can get hold of a copy, I’ll post an article about it here.
Alright, it’s become quite a long article. I’ll call it a day. If I forgot anything, please drop me a line in the comments section. Thanks!
Picture of an object which I cannot identify, but which must have something to do with measuring, by spacesuitcatalyst
Tags: 27001, 27004, Audit, BIP, BS, Compliance, Control, Controls, Effectiveness, Efficiency, Information Security, ISMS, ISO 27001, ISO 27004, ISO27001, ISO27004, Key Figures, Management, Management System, Management Systems, Measures, Measuring, Mesurement, Performance, Rant, Security, Standard, Standards

February 8, 2008 at 3:57 pm
[...] word” on the language surrounding 004, I won’t replicate it here but forward you to the site. Go ahead and click over, I’ll still be here when you get back, and we can talk about why [...]
February 17, 2008 at 7:59 pm
[...] It’s been a while since I’ve last posted about the organizational side of security. My writeup of ISO 27004 has been my most successful blog entry ever (that’s all just because Alex’s link to my [...]
July 28, 2008 at 8:33 am
Nice Blog