It’s been a while since I last posted about the organizational side of security. My writeup of ISO 27004 has been my most successful blog entry ever (that’s only because of Alex’s link to my site in an article on his RiskAnalys.is blog; and while you’re at it, check out his risk analysis framework FAIR), so I’ll stick to the topic.
In the meantime I have actually gotten my hands on the BIP 0074 book “Measuring the effectiveness of your ISMS implementation based on ISO/IEC 27001” by Ted Humphreys and Angelika Plate. I have to admit that I was surprised at how good it is. If you can afford the 35 GBP (not quite 70 USD), I strongly recommend you get a copy and read it yourself. In this multi-part posting, I’ll write up a short summary, so you know what you’ll get.
First of all, the book makes an important distinction: there is a notable difference between measuring the effectiveness of your ISMS and measuring the effectiveness of the controls you’ve implemented. Both are required by ISO/IEC 27001:2005.
Also note the consistency in the approach of ISO 27001: in the Do phase of the PDCA model you need to create a concept of how you are going to do your measurements (requirement 4.2.2.d); the actual measuring takes place in the Plan phase (requirements 4.3.2.b and 4.3.2.c).
What I really like about BIP 0074 is that it gives examples of metrics and measures for all kinds of controls. In ISO 27001 – The Good and the Bad (Part III), I wrote that you can’t measure the effectiveness of management controls like the information security policy. Actually, this is the first example in the book. Aspects relevant to metrics and measures of this control are:
- the policy needs to be agreed, approved and communicated to all employees;
- it should be ensured that the employees understand the policy;
- it should be reviewed and updated as and when appropriate to keep up-to-date with business objectives.
Yes, I have to agree that these are in fact things that can be measured. This is an approach you can use for practically all controls: just look at which of the requirements in ISO 27002:2005 (formerly ISO 17799:2005) can be backed up with indication figures, and use those to measure the effectiveness.
In part II of this posting, I’ll cite an example for technical controls.
February 17, 2008 at 10:25 pm
I’m actually very interested in that next post. In the meantime, RE:
“Yes, I have to agree that these are in fact things that can be measured. This is an approach you can use for practically all controls: just look at which of the requirements in ISO 27002:2005 (formerly ISO 17799:2005) can be backed up with indication figures, and use those to measure the effectiveness.”
Let me suggest that indication figures for the bullets above that paragraph wouldn’t (in my mind, at least) necessarily be effectiveness numbers, but would be prior information for the “confidence” or uncertainty values you might ascribe to effectiveness numbers.
Just a thought.
February 18, 2008 at 9:38 am
Hi Alex,
Thanks for your comment. Yes, I agree with you. What the indication figures derived from the bullet points measure is in fact the compliance with the requirements of the standard. To a certain degree it still also measures the effectiveness, but I completely agree that an ineffective Security Policy can be
- agreed, approved and communicated to all employees;
- understood by the employees;
- reviewed and updated.
Here is the book’s definition of Effectiveness in regard to controls:
“Effectiveness is [...] a measure of one or more controls that are implemented in the ISMS, indicating whether they achieve their identified information security objectives and risk reduction.”
I’m not sure I see how this is measured by the indication numbers proposed. What I think that you are supposed to do is define what effective means for the control in /your/ environment. Then you can do a gap analysis and measure the gap. You need to be clear about what you are trying to achieve with a certain control.