Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001

The Information Security Management Systems (ISMS) series of books are designed to
provide users with assistance on establishing, implementing, maintaining, checking and
auditing their ISMS in order to prepare for certification. Titles in this Information Security
Management Systems Guidance Series include:
• Guidelines on requirements and preparation for ISMS certification based on
ISO/IEC 27001 (ref BIP 0071)
• Are you ready for an ISMS audit based on ISO/IEC 27001? (ref BIP 0072)
• Guide to the implementation and auditing of ISMS controls based on ISO/IEC 27001
(ref BIP 0073)
• Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001
(ref BIP 0074)

Measuring the effectiveness of your ISMS implementations based on ISO/IEC 27001
Ted Humphreys and Angelika Plate

Published by
BSI
389 Chiswick High Road
London W4 4AL

© British Standards Institution 2006

All rights reserved. Except as permitted under the Copyright, Designs and Patents
Act 1988, no part of this publication may be reproduced, stored in a retrieval system
or transmitted in any form or by any means – electronic, photocopying, recording
or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this
publication, BSI accepts no liability for any loss or damage caused, arising
directly or indirectly in connection with reliance on its contents except to the
extent that such liability may not be excluded in law.

Typeset in Frutiger by Monolith
Printed in Great Britain by Hobbs the Printers Ltd, Totton, Hampshire

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 0 58 4 015 0
Contents (extract)

Introduction
4.1.2 Management cost–benefit, impact and performance reviews
4.1.5 Asset management (Control ISO/IEC 17799:2005, 7.1.1)
4.2.1 Measures for the assessment and reassessment processes
4.3 Examples of operational control metrics and measurements
4.4 Examples of physical control metrics and measurements
4.5 Examples of technical control metrics and measurements
4.5.1 Firewalls, security gateways and intrusion detection
5.2.2 Generating metrics to measure ISMS effectiveness
5.2.3 Generating metrics for controls or groups of controls
5.2.4 Indicators, performance targets, and frequency of reviews
5.2.5 Implement and deploy metrics and measures
5.2.7 Integrating the ISMS effectiveness measurement
5.3.3 Identify corrective and preventive actions
5.4 ACT phase
5.4.1 Implementing corrective and preventive actions
5.4.3 Improvement in the metrics and measurement scheme
Introduction

Information is one of your organization's most valuable assets. The objectives of information
security are to protect the confidentiality, integrity and availability of information. These
basic elements of information security help to ensure that an organization can protect
against:
• sensitive or confidential information being given away, leaked or disclosed both
accidentally or in an unauthorized way;
• critical information being accidentally or intentionally modified without your
knowledge;
• any important business information being lost without trace or hope of recovery;
• any important business information being rendered unavailable when needed.

It should be the responsibility of all managers, information system owners or
custodians and users in general to ensure that their information is properly managed
and protected from a variety of risks and threats faced by every organization. The two
standards ISO/IEC 17799:2005,[1] Code of practice for information security management,
and ISO/IEC 27001:2005 (revised version of BS 7799 Part 2:2002),[2] Information security
management systems — Requirements, together provide a basis for organizations to
develop an effective information security management framework for managing and
protecting their important business assets whilst minimizing their risks, maximizing the
investment and business opportunities of the organization and ensuring their information
systems continue to be available and operational.

The standard ISO/IEC 17799:2005 provides a comprehensive set of best practice for
information security, which organizations can adopt and implement to address the
risks that they face using the risk management approach specified in the standard
ISO/IEC 27001:2005. In addition, ISO/IEC 27001:2005 is the base requirements standard
for accredited third-party ISMS (information security management system) certification[3]
based on this risk management approach. Organizations applying these standards,
especially those going through the accredited certification route to obtain an ISMS
certificate, will need mechanisms in place to enable them to determine the effectiveness
of the overall ISMS as well as of the controls that have been implemented to reduce the
identified risks.

[1] This is the revised version of ISO/IEC 17799:2000, which was previously BS 7799-1:1999.
[2] With the publication of ISO/IEC 27001:2005, the current version of BS 7799 Part 2 will be
withdrawn and will no longer be a valid standard for third-party accredited certification. Any such
certification work will be carried out against the requirements specified in ISO/IEC 27001:2005.
Accreditation Bodies are responsible for issuing (see 4.2.1 of this guide) a 'Transition Statement' that
provides details of the period during which organizations and Certification Bodies (see 4.2.1 of this
guide) involved in the ISMS certification process need to make the transition from BS 7799-2:2002 to
ISO/IEC 27001:2005.

This guide and the other guides in the BIP 0070 series are designed to provide users
with assistance in establishing, implementing and maintaining their ISMS to help them
in preparing for ISMS certification. This guide concentrates on describing the different
methods and metrics that can be applied to measure the effectiveness and success of the
ISMS processes and controls in place.

Note: A document such as this is provided with the best of intentions. It reflects common
practice, which is derived by a consensus among those with a wide variety of skills,
knowledge and experience in the subject. This guide makes no claim to be exhaustive
or definitive and users of this guide may need to seek further guidance in implementing
the requirements of ISO/IEC 27001:2005. Furthermore, there will always be other aspects
where additional guidance is required relevant to the organizational, operational, legal
and environmental context of the business, including specific threats, controls, regulatory
compliance, governance and good practice.

It has been assumed in the drafting of this BSI guide that the execution of its advice is
entrusted to appropriately qualified and experienced people.
1.1 Scope

This guide provides information and help on measuring the effectiveness of ISMS
implementations, as required by the ISMS standard, ISO/IEC 27001:2005. This guide refers
to two different types of measurement: one for the ISMS processes that are described
in clauses 4–8 of ISO/IEC 27001:2005 and other forms of measurement for the controls
from ISO/IEC 17799:2005 that have been selected to reduce identified risks. This guide
introduces an approach to measuring the ISMS processes and controls that is aligned with
the currently used methods and developments to support organizations in identifying the
appropriate selection of metrics and measurement techniques. This guide also gives some
examples of metrics and measurements by leading organizations and interest groups in
the field of information security.

This document is one of a set of four guides published by BSI to support the use and
application of ISO/IEC 17799:2005 and ISO/IEC 27001:2005. The reader may find it of
benefit to have copies of the three other guides:
• BIP 0071 – Guidelines on requirements and preparation for ISMS certification based
on ISO/IEC 27001;
• BIP 0072 – Are you ready for an ISMS audit based on ISO/IEC 27001?;
• BIP 0073 – Guide to the implementation and auditing of ISMS controls based on
ISO/IEC 27001.

1.2 Definitions

For the purposes of this guide the definitions listed in ISO/IEC 17799:2005, ISO/IEC 27001:2005
and ISO/IEC Guide 73:2002 apply. The concepts and terms applied in the context of
metrics and measurements are explained in 2.1 below.

This guide makes reference to the following standards and guidelines:
a) ISO/IEC 17799:2005 (revised version of ISO/IEC 17799:2000), Code of practice for
information security management – the standard that identifies control objectives
and controls and provides best practice advice for the implementation of these
controls;
b) ISO/IEC 27001:2005 (the ISO revised version of BS 7799-2:2002), Information security
management systems — Requirements – this is the requirements specification for an
ISMS. This standard is used as the basis for accredited certification;
c) ISO/IEC Guide 73:2002, Risk management — Vocabulary — Guidelines for use in
standards.
2.1 What are metrics, measures and measurements?

Before starting to consider the metrics, measures and measurements, it is worthwhile
to have a closer look at the different terms that are used in relation to metrics and
measurements and also in ISO/IEC 27001:2005 when specifying the requirements for
effectiveness of ISMS processes and controls. The following are the commonly used
Oxford English Dictionary definitions of these terms and will be used in this guide with
the understanding described below. Table 1 gives some examples of these terms.
• A metric defines a system or standard of measurement, for example, the metric
system that is used to measure length, capacity and weight or mass. Metrics defined
for information security purposes serve a similar purpose; they provide standard
scales and units of measurement against which the effectiveness and/or performance
of information security arrangements can be measured. Although there are
several metrics published, e.g. on the internet, it is best that organizations define
their own metrics, suitable for their requirements and needs. This is discussed further
in Chapter 5.
• A measure is a means of ascertaining the size, amount, or degree of (something) by
comparison with a standard unit or with an object of known size; i.e. to assess the
amount, degree, extent or quality of something against a standard scale (which can
be defined by the metric, see above).
• A measurement is the action of measuring to determine an amount, size, extent,
degree or quality; the scale that is needed for this measurement is defined by the
metric (see above). Continuing the simple example above, the measurement gives
the result of the measuring activities, e.g. a length of 2 m or a height of 0.5 m.
Measurements for information security purposes can be used to assess the
performance, effectiveness or whatever else an organization might want to measure
using the metrics that have been defined.

Other terms that are used in combination with metrics and measurements are as follows.
• Effectiveness is a measure of how well the ISMS processes are performing and how
they achieve the organization's objectives and requirements, or a measure of one or
more controls that are implemented in the ISMS, indicating whether they achieve
their identified information security objectives and risk reduction.
• Indicators are used to indicate the state or level of something being measured, for
example, how well the currently deployed information security processes or controls
meet information security policy and objectives.

These interpretations are based on, and aligned with, several documents related to metrics
and measurements, that also provide further information about this topic, such as the NIST
Special Publication 800-55 'Security Metrics Guide for Information Technology Systems'
… account of the 2nd Working Draft of ISO/IEC 27004, Information security management
measurements. This document is not publicly available, as it is still under development,
but will become an International Standard in 2007 or 2008.

Table 1 gives a few examples of metrics, measures and measurements.

Table 1 — Examples of metrics, measures and measurements
Measuring length      Standard metre                             Obtain the length
Examination grades    Grades from 1–5, ranging from 'fail' …     …
…                     …                                          implementing corrective action
2.2 Why are measurements necessary?

2.2.1 General reasons and benefits

There are various reasons why information security metrics and measurements could be
important. For example, a business might want to set performance targets, set benchmarks
and check how effective its information security is. This enables the business to assess how
well it is doing in implementing information security and the effectiveness of its policies
and procedures and the controls from ISO/IEC 17799 it has implemented. If a business is
investing in information security then knowing how well it is doing provides an indicator
of whether the investment is beneficial to the business, whether more investment is
needed and in which areas, or if the investment is making little or no improvement to the
organization's information security arrangements.

2.2.2 Requirements in ISO/IEC 27001

The requirements defined in ISO/IEC 27001:2005 include the use of metrics and
measurements in the PDCA (plan, do, check and act) cycle of establishing, implementing,
monitoring and improving the ISMS. For any organization aiming at developing an ISMS or being
certified against ISO/IEC 27001:2005, a good understanding of these requirements and of
how to implement them is essential. The following requirements related to metrics and
measurements are specified in ISO/IEC 27001:2005.

2.2.3 PLAN, DO, CHECK and ACT (PDCA) Model

The PDCA model is central to all ISO/IEC management systems standards including
ISO/IEC 27001.

Figure 1 — PDCA Model

Measurement requirements in the DO phase
ISO/IEC 27001:2005 4.2.2 d) Define how to measure the effectiveness of the selected
controls or groups of controls and specify how these measurements are to be used
to assess control effectiveness to produce comparable and reproducible results (see …

Measurement requirements in the CHECK phase
ISO/IEC 27001:2005 4.3.2 b) Undertake regular reviews of the effectiveness of the ISMS
(including meeting ISMS policy and objectives, and review of security controls) taking into
account results of security audits, incidents, effectiveness measurements, suggestions and
feedback from all interested parties.
ISO/IEC 27001:2005 4.3.2 c) Measure the effectiveness of controls to verify that security
requirements have been met.
ISO/IEC 27001:2005 4.3.2 e) Conduct internal ISMS audits at planned intervals (see clause 6
of ISO/IEC 27001).
NOTE: Internal audits, sometimes called first-party audits, are conducted by, or on
behalf of, the organization itself for internal purposes.

These requirements address two different stages in the PDCA cycle. In the DO phase, the
objective is to define how the control effectiveness is to be measured – this is where an
organization needs to be able to define metrics that are suitable for them and provide
them with the necessary results to assess control effectiveness. The CHECK phase then
addresses the measurement of control effectiveness, using the metrics that have been
defined in the DO phase. More information and examples for control effectiveness metrics
are given in Chapters 3 and 4.

In addition, the CHECK phase requires a review of the effectiveness of the ISMS as a whole,
i.e. the policies, processes and procedures and everything else that constitutes the ISMS. In
order to do this, the organization needs to have metrics in place that allow this assessment,
i.e. the organization should have defined how they measure the effectiveness of the
ISMS procedures and how they arrive at a clear picture of the overall ISMS effectiveness.
Chapter 4 provides information and examples about how this can be achieved, as far as
this area is researched at the moment.

Both metrics requirement types, the one for controls as well as the one for the ISMS
processes, make it necessary that metrics are defined that support these measurements.
Chapter 5 highlights the main principles an organization should consider when developing
metrics.

2.2.4 Other benefits of using metrics

It is obvious that the success of the ISMS processes or of individual information security
controls can only be identified if the performance is measured against some predefined
criteria. As one of the main requirements in ISO/IEC 27001:2005 is continual improvement,
the organization needs to be able to identify where real improvement – as opposed to
the use of the latest product just because it looks good – can be implemented to achieve
better security. Metrics allow the collection of objective information to monitor and review
the performance and effectiveness of the ISMS, its processes, policies, procedures and
controls. The results of measurements that use the metrics developed by the organization
can then aid in decision making about the way forward, not only in where to improve
(e.g. if controls are not implemented correctly), but also in how valuable improvements
might be, and how to prioritize them, e.g. in case of a limited budget.

Another benefit of using metrics and measurements is that this provides a picture over
time, in as much granularity as necessary (depending on the frequency of measurement
that is chosen). This provides additional and different information from, for example,
audits, where only a snapshot in time is considered. The results of these measurements
might also feed back into the risk assessment process, e.g. by providing information about
the level of vulnerabilities or the frequency of threat occurrences.
3.1 Introduction

There are several classes of measurement related to the effectiveness and performance
of ISMS processes and controls; these are generally outlined in the chapter that follows,
together with some examples. This chapter provides considerations on a higher level to
highlight different areas relevant to metrics and measurements. Chapter 4 includes more
detailed metrics for some of the examples considered here. It is recommended that any
of the examples considered in Chapters 3 and 4 are used in conjunction with the process
approach described in Chapter 5.

3.2.1 Introduction

In both ISO/IEC 17799:2005 and ISO/IEC 27001:2005, there are various management controls
that can be considered as candidates for metrics and measures of the ISMS effectiveness.
This includes controls relating to policies, procedures, plans, business objectives, reviews
and resources.

3.2.2 Examples

3.2.2.1 Information security policy (see Section 5 of ISO/IEC 17799:2005)
Management needs to set its business policy for information security. Key aspects that are
relevant to metrics and measures are:
• the policy needs to be agreed, approved and communicated to all employees;
• it should be ensured that the employees understand the policy;
• it should be reviewed and updated as and when appropriate to keep up-to-date
with business objectives.

3.2.2.2 Asset management (see Section 4.2.1 d) of ISO/IEC 27001:2005 and
Section 7 of ISO/IEC 17799:2005)
Management needs to document its important and critical assets. Key aspects that are
relevant to metrics and measures are:
• making sure that this is a complete and up-to-date inventory;
• such inventories need to be reviewed on a regular basis and updated accordingly;
• ownership of assets should be defined and made clear, in particular, to assign security
controls for asset protection;
• a management policy needs to be defined on the acceptable use of certain assets,
such as the use of the organization's IT resources to access internet services, email
systems for non-business use or off-site use of such IT resources.

3.2.2.3 Business continuity plans (see Section 14 of ISO/IEC 17799:2005)
Management needs to ensure that it is protecting itself from disasters, disruptions and/
or interruptions that could deny access and availability of the organization's resources to
continue carrying out its day-to-day business. Key aspects that are relevant to metrics and
measures are:
• business continuity plans need to be defined, agreed, approved and in place;
• the plans need to be implemented, and all involved need to be aware of their roles
and responsibilities in case of business interruptions or disasters;
• the plans need to be reviewed and tested on a regular basis if the organization is to
avoid business losses and serious impact from the lack of access and availability of its
resources.

3.2.2.4 Management reviews (see Section 7 of ISO/IEC 27001:2005)
Management needs to ensure that it has a regular review process in place to consider,
re-evaluate and reassess the organization's position on information security. Key aspects
that are relevant to metrics and measures are:
• emerging threats that could have an impact on the level of protection it has in
place;
• reports from internal audits and security reviews;
• feedback from across the organization from managers and employees, customers
and suppliers;
• risk assessment records and reports;
• incident-handling reports;
• recommendations and proposals for security budgets and funding;
• results of benchmarking activities;
• performance levels;
• corrective actions;
• compliance with laws and regulations, to demonstrate the organization is governed
according to business standards based on a risk management approach.

3.2.2.5 Information security awareness, training and education (see Section 5.2.2
of ISO/IEC 27001:2005 and Section 8.2 of ISO/IEC 17799:2005)
Management needs to ensure its employees and managers are aware of the information
security issues that could impact the day-to-day operations of the business and the
individual's particular job description. Key aspects that are relevant to metrics and
measures are:
• type of training or education (e.g. external training courses, internal on-the-job
training, academic education);
• applicability to employees' day-to-day work;
• level of understanding and awareness;
In ISO/IEC 27001:2005 there are various processes that can be considered as candidates for
metrics and measures of the ISMS effectiveness. This includes processes involved in, for
example, risk assessment, risk treatment, and selection of controls.

3.3.2 Examples

3.3.2.1 Risk assessment process
Management needs to ensure that it has an appropriate risk assessment programme in
place. The risk assessment process defined in ISO/IEC 27001:2005 involves identifying and
evaluating the value and utility of the organization's assets, identifying the threats and
vulnerabilities associated with these assets, and analysing this information to identify the
risks the organization faces. The more complete and accurate the information used in the
assessment, the more the objectivity of the assessment process and its results, the better
informed management will be at making appropriate decisions in how to deal with and
treat the risks that have been identified. Key aspects of the process that are relevant to
metrics and measures are:
• approach to risk assessment covers a well defined scope and criteria setting out the
level of risk acceptance;
• appropriate level of detail and accuracy of information is used in the assessment;
• the assessment results are comparable and repeatable;
• the assessment should be based on an objective approach and preferably be a team
effort, involving different asset owners;
• the business carries out regular risk assessment reviews and reassessments to keep
up-to-date with changing threats, business developments, market conditions,
technology developments, deployment of such technologies and any other relevant
changes that might affect the assessment of risks.

3.3.2.2 Risk treatment and management decision-making processes
Management needs to ensure it has appropriate risk treatment and decision-making
processes in place. Key aspects of the process that are relevant to metrics and measures are:
• the risk treatment process defined in ISO/IEC 27001:2005 involves identifying which
option(s) to take regarding how to treat the risks, for example, by adopting risk
acceptance/retention, avoidance, transfer and reduction methods and approaches;
• the better and more informed management is regarding the results of the risk
assessment, the better the quality of the management decision-making process will
be in deciding the best treatment and course of action;
• as the risks the organization faces will change over time, the risk treatment and
decision-making process needs to be used on a regular basis to review and update
results and to maintain and/or improve the effectiveness of its information security.

3.3.2.3 Selection of controls
After completing the risk assessment and treatment processes, management needs to
decide what controls to deploy to reduce the risks that have been identified below the
threshold of the organization's acceptance. ISO/IEC 17799:2005 covers a range of best
practice controls that the organization can decide to adopt and it might also decide to
adopt other controls not defined in ISO/IEC 17799:2005. Key aspects of the process that
are relevant to metrics and measures are:
• type and applicability of controls for risk reduction;
• reduction of risk that these controls will achieve;
• maintainability of controls;
• integration and compatibility with existing controls.

3.4 Operational controls

3.4.1 Introduction
Operational procedures, such as those contained in clause 10 of ISO/IEC 17799:2005, play
an important part in supporting information security in the day-to-day work and also
support a well-functioning ISMS. These procedures include general operating procedures,
back-up and restoration, protection against malicious software and media management.

3.4.2 Examples

3.4.2.1 Operational procedures
Operational procedures should be developed to give guidance and descriptions on the
day-to-day operating procedures that are needed in job execution. Operational procedures
might vary a lot, depending on the particular job they are supporting, but there are some
issues that are common to all operational procedures and can be measured:
• completeness of implementation;
• employee awareness;
• knowledge about how to access the procedure (e.g. on the intranet) and how to
apply the procedures correctly;
• user compliance.
3.4.2.2 Back-up
The backing up of all important information, software and system configurations is
very important to support any organization in case of business interruptions or disasters.
There are two main issues to be considered when measuring the effectiveness of the
back-up process:
• quality of the back-ups – in order to ensure the quality of back-ups, the following
issues can be considered for measurement:
– completeness of back-ups;
– appropriate frequency of back-ups;
– user compliance with back-up procedures;
– security of back-ups;
• restoration of back-ups – restoration of back-ups needs to work reliably and in the
required time frame, and this can be measured by looking at:
– testing of the back-ups;
– running test restorations;
– the time necessary to restore the complete system, a part of a system, an
application or a particular set of files;
– compliance with business continuity plans.
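The back-up measurements listed above (completeness, frequency, and restoration time against the required time frame) can be computed from the organization's own backup job records. The following is an added example, not code from the guide or from BSI: the policy table, the backup-run records and the test-restoration results are constructed sample data, and the record layout (dataset, completion timestamp, success flag) is an assumption about what a backup system would export.

```python
from datetime import datetime, timedelta

# Constructed sample policy (assumption, not from the guide): maximum permitted
# interval in hours between successful backups of each dataset in scope.
BACKUP_POLICY_HOURS = {"fileserver": 24, "erp-db": 6, "mail": 24, "wiki": 24}

# Constructed backup-run records: (dataset, completion timestamp, succeeded?)
BACKUP_RUNS = [
    ("fileserver", "2006-03-01T02:00", True),
    ("fileserver", "2006-03-02T02:00", True),
    ("fileserver", "2006-03-03T02:00", True),
    ("erp-db", "2006-03-01T00:00", True),
    ("erp-db", "2006-03-01T06:00", True),
    ("erp-db", "2006-03-01T12:30", True),
    ("erp-db", "2006-03-01T18:00", False),   # failed run leaves a gap longer than 6 h
    ("erp-db", "2006-03-02T00:10", True),
    ("mail", "2006-03-01T03:00", True),
    # "wiki" is in scope but has never been backed up: incomplete implementation
]

# Constructed test restorations: (dataset, minutes taken, minutes required by the
# business continuity plan)
RESTORE_TESTS = [
    ("fileserver", 95, 120),
    ("erp-db", 70, 60),      # slower than the required time frame
    ("mail", 40, 120),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def completeness(policy, runs):
    """Share of in-scope datasets that have at least one successful backup."""
    covered = {dataset for dataset, _, ok in runs if ok}
    return len(covered & set(policy)) / len(policy)


def frequency_compliance(policy, runs):
    """Per dataset: True if every gap between successful backups is within policy."""
    status = {}
    for dataset, max_hours in policy.items():
        times = sorted(_parse(ts) for d, ts, ok in runs if d == dataset and ok)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # a dataset with no successful backup at all cannot be compliant
        status[dataset] = bool(times) and all(
            gap <= timedelta(hours=max_hours) for gap in gaps)
    return status


def run_success_rate(runs):
    """Share of backup runs that succeeded (a quality measure of the process)."""
    return sum(1 for _, _, ok in runs if ok) / len(runs)


def restore_within_target(tests):
    """Share of test restorations finished inside the required time frame."""
    return sum(1 for _, took, limit in tests if took <= limit) / len(tests)


def backup_scorecard(policy=BACKUP_POLICY_HOURS, runs=BACKUP_RUNS, tests=RESTORE_TESTS):
    """Collect the measurements into one scorecard for the CHECK-phase review."""
    freq = frequency_compliance(policy, runs)
    return {
        "completeness": completeness(policy, runs),
        "frequency_compliance": freq,
        "datasets_out_of_policy": sorted(d for d, ok in freq.items() if not ok),
        "run_success_rate": run_success_rate(runs),
        "restore_within_target": restore_within_target(tests),
    }


if __name__ == "__main__":
    for name, value in backup_scorecard().items():
        print(f"{name}: {value}")
```

On the constructed data the scorecard reports 75 % completeness (wiki has no backup), two datasets out of frequency policy (erp-db because of the failed run, wiki because it was never backed up), a run success rate of 8/9 and two of three test restorations inside the required time frame. The point of returning the failing datasets by name, not only a percentage, is that the CHECK-phase review needs to know where corrective action goes.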
3.4.2.3 Protection against malicious software
Protection against malicious software is one of the controls that almost all organizations
apply; nevertheless, not all implementations give sufficient protection. To measure the
implemented controls against malicious software, the following key issues should be
considered:
• installation of a good product to protect against malicious software;
• regular updates of the software (automatically, not left to the user);
• automatic activation of the software (independent of the user, to ensure that it is
always running);
• establishing a policy addressing:
– use of unauthorized software;
– email and downloading of file attachments;
– internet;
– information collection about new viruses, etc.;
– procedures to verify information received, and awareness of hoaxes;
• procedures to deal with infections and recovery from them, and linking into business
continuity and back-up and recovery procedures;

3.4.2.4 Media management
A lot of important information is stored on media, such as CDs, DVDs, USB sticks, tapes,
removable hard drives, and last but not least paper. The security of this information can
only be guaranteed if the use, reuse, transport and disposal of media are appropriately
controlled. Procedures should be in place to ensure this, and the working of these
procedures can be measured in the following ways:
• completeness of implementation – the issues to be measured for completeness of
implementation are explained in 4.3.1 below;
• secure reuse – check for any incidents that have been reported about information
on reused media that should not have been there and measure the number of
incidents;
• ensuring availability – check that the storage time of the information is commensurate
with the lifetime of the storage media (as given by the manufacturer) and measure
the number of cases where problems can be expected;
• secure disposal of media – conduct spot checks on media that are about to be
disposed of, to ensure that all information on the media has been removed, and
measure the number of cases where the content of the media to be disposed of can
still be accessed or recovered.

3.5 Technical controls

3.5.1 Introduction
Technical controls include several controls, such as firewalls, intrusion detection,
vulnerability testing and physical security checks – typically those controls that are contained in
clauses 9, 11 and 12 of ISO/IEC 17799:2005. The following examples illustrate some key
points for metrics and measurements for these controls.

3.5.2 Examples
3.5.2.1 Firewalls, intrusion detection systems and content filtering
Common controls to secure access to networks, parts of networks or PCs, to segregate
different network domains, to identify intrusions and to filter the content of files or
messages that are coming into a network or PC are firewalls, intrusion detection systems and
software that allows content filtering. The following metrics give a few examples of what
can be measured for these controls:
• there are several different key points that can be considered for firewall controls:
– trouble-free implementation;
– performance of the firewall;
– number of successful and failed access attempts (for the whole network, part of
the network or a particular application);
• for intrusion detection, it can be useful to identify how much the intrusion detection
controls protect from unwanted access and it can help to consider:
– number of successful and attempted intrusions over a particular time;
– number of attacks from particular sources;
– raising automatic alarms;
• there are different forms of content filtering that can be used; the following are
a few examples of key points to be considered when measuring content filtering
controls:
– occurrences of malicious software, spyware or spam detected;
– success and correctness of the spam filter;
• there are a few important issues that need to be considered to make any of the
above control implementations successful, all to do with the configuration and
implementation of these controls:
– completeness of implementation, i.e. they are completely implemented for all
systems;
– updating of the controls on a regular basis, and whenever new updates are
available or necessary;
– production and evaluation of log files.
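The last point, production and evaluation of log files, is what makes the firewall and intrusion detection measurements above possible in practice. The following added example (not code from the guide or from BSI) evaluates a handful of constructed log lines in an assumed single-line format and derives the measures the text names: successful versus failed access attempts for the whole network or one application, attempted and successful intrusions within a time window, attacks per source, and an alarm condition on a per-source threshold. It also counts lines it cannot parse, since a log that silently loses records gives a misleadingly good measurement.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed firewall and IDS log lines (not from the guide). Assumed format:
#   <timestamp> <device> <event> src=<ip> dst=<ip>:<port> app=<name>
SAMPLE_LOG = """\
2006-03-01T08:00:01 fw01 ALLOW src=10.0.0.5 dst=10.0.1.10:443 app=webmail
2006-03-01T08:00:02 fw01 DENY src=198.51.100.7 dst=10.0.1.10:22 app=ssh
2006-03-01T08:00:03 fw01 DENY src=198.51.100.7 dst=10.0.1.10:23 app=telnet
2006-03-01T08:00:04 fw01 ALLOW src=10.0.0.6 dst=10.0.1.10:443 app=webmail
2006-03-01T08:01:00 ids01 INTRUSION_ATTEMPT src=198.51.100.7 dst=10.0.1.10:80 app=web
2006-03-01T08:01:30 ids01 INTRUSION_ATTEMPT src=203.0.113.9 dst=10.0.1.11:80 app=web
2006-03-01T08:02:00 ids01 INTRUSION_SUCCESS src=203.0.113.9 dst=10.0.1.11:80 app=web
2006-03-01T09:00:00 fw01 DENY src=198.51.100.7 dst=10.0.1.10:22 app=ssh
fw01 garbled record with no timestamp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) app=(?P<app>\S+)$"
)
# Event names are assumptions for the sample format, not a real product's vocabulary.
ATTACK_EVENTS = {"DENY", "INTRUSION_ATTEMPT", "INTRUSION_SUCCESS"}


def parse_log(text):
    """Return (events, unparsable_count); bad lines are counted rather than dropped silently."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            bad += 1
            continue
        record = match.groupdict()
        record["ts"] = datetime.fromisoformat(record["ts"])
        events.append(record)
    return events, bad


def access_attempts(events, app=None):
    """(successful, failed) access attempts for the whole network or one application."""
    scoped = [e for e in events if app is None or e["app"] == app]
    allowed = sum(1 for e in scoped if e["event"] == "ALLOW")
    denied = sum(1 for e in scoped if e["event"] == "DENY")
    return allowed, denied


def intrusions(events, start, end):
    """(attempted, successful) intrusions with start <= timestamp < end."""
    window = [e for e in events if start <= e["ts"] < end]
    attempted = sum(1 for e in window if e["event"] == "INTRUSION_ATTEMPT")
    succeeded = sum(1 for e in window if e["event"] == "INTRUSION_SUCCESS")
    return attempted, succeeded


def attacks_by_source(events):
    """Number of denied or intrusion events per source address."""
    return Counter(e["src"] for e in events if e["event"] in ATTACK_EVENTS)


def alarm_sources(events, threshold):
    """Sources whose attack count reaches the threshold: candidates for an automatic alarm."""
    return sorted(src for src, n in attacks_by_source(events).items() if n >= threshold)


def network_scorecard(text=SAMPLE_LOG):
    """One evaluation of the log for the reporting period (window chosen for the sample)."""
    events, bad = parse_log(text)
    allowed, denied = access_attempts(events)
    attempted, succeeded = intrusions(
        events, datetime(2006, 3, 1, 8, 0), datetime(2006, 3, 1, 8, 30))
    return {
        "unparsable_lines": bad,
        "allowed": allowed,
        "denied": denied,
        "intrusions_attempted": attempted,
        "intrusions_succeeded": succeeded,
        "top_sources": attacks_by_source(events).most_common(2),
        "alarms": alarm_sources(events, threshold=3),
    }


if __name__ == "__main__":
    for name, value in network_scorecard().items():
        print(f"{name}: {value}")
```

Run over the sample, the scorecard shows two allowed and three denied attempts, two attempted intrusions and one successful one in the half-hour window, one source with four attack events (which trips the alarm threshold of three) and one unparsable line. The same functions, fed a real export in the assumed format and a real reporting window, give the "over a particular time" and "from particular sources" measurements the text asks for.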
3.5.2.2 Vulnerability management
Security vulnerabilities are a serious problem for all organizations, as they might be
exploited by threats and therewith cause incidents to occur. Therefore, organizations
should manage their exposure and identify and reduce or remove their vulnerabilities. In
the context of technical controls, this subclause concentrates on technical vulnerabilities.
There are two main issues to be considered here: one is vulnerability testing, i.e. the
organization (or somebody on its behalf) carries out tests to identify vulnerabilities in
their systems. Metrics can be used to identify the effectiveness of these tests. Another
issue is patch management, i.e. the organization identifies, tests and installs the patches
that help to remove well-known vulnerabilities. Here, metrics can help to ensure that
patches are identified, tested and installed in an appropriate time frame. The following
metrics give a few examples of what can be measured for these controls:
• vulnerability testing should reliably identify vulnerabilities in a timely way. The
following examples illustrate what can be considered for measurement:
– frequency of vulnerability testing, e.g. in relation to the implementation of
new software where a concern about vulnerabilities exists (i.e. distinguishing
between ‘within one week after the implementation’, ‘within one month after
the implementation’, ‘later than a month after implementation’);
– disruptions caused by the tests, to ensure that no or very few disruptions are
caused by the tests;
– vulnerabilities identified by the tests (e.g. compared with publicly available
information about vulnerabilities of the tested product);
– education and experience of the testing team, to ensure that experienced people
with up-to-date knowledge regarding the product to be tested are involved in […]
• patch management is an issue of growing importance for all organizations and
organizations should apply metrics to ensure that their patch management process
is successful. The following actions need to come together for successful patch
management:
– roles and responsibilities in the patch management process need to be defined,
and the people involved should be aware of them;
– timely identification of vulnerabilities applicable to the products in use – the
time when a vulnerability is published on the internet can be related to the time
when this vulnerability has been identified in the organization;
– sufficient testing and timely installation of the patch – the time from identifying
the patch to reacting to it, testing being completed and the patch being installed
can be measured;
– logging of the whole patch management process to be able to trace all actions
that have taken place;
– rollback if the patch was not successful or is causing unforeseen problems
– rollbacks should not cause interruptions, data loss or undue delay, and this
can be measured (either in test cases, or if such a case is occurring in reality)
and these measures give information about the well-functioning of the rollback
process.
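The patch management timings just described (publication to identification, identification to tested and installed patch, and rollback outcome), turned into reportable metrics over constructed patch records. This is an added example, not the book's own material; the record layout, the dates and the 14-day installation target are assumptions.

```python
from datetime import date
from statistics import median

# Constructed records (not from the book), one per patch: the dates the text
# says can be related to each other, plus whether a rollback was needed and,
# if so, whether it ran without interruption or data loss.
PATCH_RECORDS = [
    # (id, published, identified, tested, installed, rollback_needed, rollback_clean)
    ("P-001", date(2006, 3, 1), date(2006, 3, 2), date(2006, 3, 6), date(2006, 3, 8), False, None),
    ("P-002", date(2006, 3, 3), date(2006, 3, 10), date(2006, 3, 20), date(2006, 3, 25), True, True),
    ("P-003", date(2006, 3, 5), date(2006, 3, 5), date(2006, 3, 7), date(2006, 3, 7), False, None),
    ("P-004", date(2006, 3, 9), date(2006, 3, 30), date(2006, 4, 12), date(2006, 4, 20), True, False),
]

def _days(later, earlier):
    return (later - earlier).days

def patch_metrics(records, install_sla_days=14):
    """Identification delay (publication to identification in the organization),
    time to complete testing, reaction time (identification to installed patch),
    share installed within a hypothetical SLA, and rollback behaviour."""
    ident = [_days(r[2], r[1]) for r in records]
    tested = [_days(r[3], r[2]) for r in records]
    install = [_days(r[4], r[2]) for r in records]
    rollbacks = [r for r in records if r[5]]
    clean = sum(1 for r in rollbacks if r[6])
    return {
        "patches": len(records),
        "median_identification_delay_days": median(ident),
        "max_identification_delay_days": max(ident),
        "median_testing_days": median(tested),
        "median_install_delay_days": median(install),
        "pct_installed_within_sla": 100.0 * sum(d <= install_sla_days for d in install) / len(records),
        "rollback_rate_pct": 100.0 * len(rollbacks) / len(records),
        "rollbacks_without_disruption": clean,
        "rollbacks_with_disruption": len(rollbacks) - clean,
    }

def overdue_patches(records, install_sla_days=14):
    """Patch ids whose identification-to-installation time exceeded the SLA."""
    return [r[0] for r in records if _days(r[4], r[2]) > install_sla_days]
```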
3.5.2.3 Physical security checks and examinations
Physical security, as described in clause 9 of ISO/IEC 17799:2005, is necessary to control the
access to, and prevent damage from, information-processing facilities in any organization.
The following gives a few examples of what can be measured for these controls:
• the completeness of and compliance with entry and visitor control is an important
element of securing the organization’s premises. There are different aspects relevant
for the well-functioning of these controls:
– entry controls, either automated or controlled by personnel;
– wearing and visibility of passes for employees;
– visitor passes for visitors;
– escorting of visitors;
– doors, windows, or rooms that should be closed;
• secure handling and siting of equipment, and procedures to support this;
• maintenance of equipment, without giving access to information on the equipment
and within specified maintenance intervals;
• reliable working of supporting utilities.
3.6 Audits, reviews and testing
3.6.1 Introduction
In ISO/IEC 27001:2005 there is a requirement for ISMS internal audits. In addition,
some businesses decide to have an external audit carried out on the ISMS based on the
requirements set out in ISO/IEC 27001:2005. The following issues are relevant to measure
the well-functioning of audits in an organization.
3.6.2 Examples
3.6.2.1 Internal ISMS audit function as described in Section 6 of
ISO/IEC 27001:2005
Management needs to ensure it has in place an appropriate internal ISMS audit programme
and process. Key aspects that are relevant to metrics and measures are:
• audit scope, frequency, level of detail and sampling;
• thoroughness of audit trails;
• corrective actions and non-conformities and their closure;
• audit methods and approaches;
• quality of evidence.
3.6.2.2 External third-party ISMS audits leading to accredited certification
If management decides to have a third-party certification carried out, there are key aspects
that are relevant to metrics and measures:
• selection and conversation with the certification body;
• scope, frequency, level of detail and sampling;
• thoroughness of audit trails;
• corrective actions and non-conformities and their closure;
• audit methods and approaches;
• quality of evidence.
3.6.2.3 Carrying out independent reviews and testing
Management might decide to invest in external reviews of its security. Key aspects that
are relevant to metrics and measures are:
• knowledge and expertise of the external company carrying out the reviews;
• the level and quality of evidence and additional information such reviews provide as
to the effectiveness of its information security;
• the scope, frequency, level of detail and sampling, thoroughness of reviews.
Also, management might approve various tests on its systems to be carried out to check
the robustness of the security controls. Key aspects that are relevant to metrics and
measures are:
• penetration tests’ depth and thoroughness;
• vulnerability tests’ depth and thoroughness;
• regularity of these.
In addition to the audit and review possibilities that exist and should be used by an
organization wishing to comply with ISO/IEC 27001:2005, there are also other metrics that
can be used to assess specific elements of the ISMS processes in more detail (see Chapter 4
for more information and examples).
4.1 Management controls
4.1.1 Compliance with best practice
Management might require an overall measure and representation of its compliance
to a particular set of controls: whether the organization has implemented the controls,
has partially implemented the controls or if the controls have yet to be implemented.
In addition, this information should also be accompanied by the actions to be taken to
progress the implementation of controls or the reason why the specific control cannot
be implemented in the near future or if it is not applicable. This type of gap analysis
assessment provides a ‘snap-shot’ measure of its current security posture: what it is
compliant with and what still needs to be done, with target dates. Reuse of this method
provides an indication of progress and the status in developing its ISMS.
4.1.1.1 Gap analysis tables – Compliance and implementation status
Table 2 provides a simple example of a gap analysis checking matrix.
Table 2 — Gap analysis – Compliance and implementation status

(Only the question column and some check marks survived extraction; the headings of the
checking columns were not recovered. Lost text is marked […].)

No.  Question                                                                  Status
1    […] information and information-processing facilities from business       ✓
     processes involving external parties been identified?
2    Have appropriate controls been implemented to deal with the identified
     risks before granting […]
[…]  […] before giving customer access to the organization’s information or […]
[…]  […] and service level agreements (SLAs) with third parties involving
     accessing, processing, communicating or managing the organization’s
     information or information-processing facilities cover all relevant
     security […]
5    Are procedures in place to ensure that the security controls, service      ✓
     definitions and delivery levels included in the third-party service
     delivery agreement are implemented, operated, and maintained by the
     third party?
6    Are the services, reports and records provided by the third party          ✓
     regularly monitored and reviewed, and are audits carried out regularly?
7    Are changes to the provision of services managed, including maintaining    ✓
     and improving existing information security policies, procedures and
     controls, and is this taking account of the criticality of business
     systems and processes involved and reassessment of risks?
A greater number of questions per topic will provide a more detailed view of the level
of compliance. There could be as few as 5–10 questions per topic or over 50 questions
per topic. The more detailed the questions, the more informed management will be as
to the accuracy of the status of compliance. For example, question 3 in Table 2 might
be broken down further into more detailed questions relating to specific requirements
of the organization. Also, in question 2, specific security policies and procedures of the
organization might be the subject of other questions.
Further questions could be included related to the types of external service being provided,
customized to the organization and to each of its service providers. The number of
checking columns might be 3, 5, 6 or more, providing a greater granularity of the depth of
compliance – for example 100%, 75%, 50%, 25% or 0, with appropriate words associated
with quality, performance or effectiveness of service levels these percentages represent.
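A five-column gap analysis matrix of the kind just described, scored with the 100/75/50/25/0 scale and paired with the action list and target dates that the text says should accompany it. This is an added example, not the book's own table; the status wording, the paraphrased questions, the answers and the dates are constructed.

```python
from collections import defaultdict

# Five checking columns with the percentages the text gives; the column
# wording is an assumption. 'not applicable' is handled separately.
STATUS_SCORE = {
    "implemented": 100,
    "largely implemented": 75,
    "partially implemented": 50,
    "started": 25,
    "not implemented": 0,
}

# Constructed answers: (topic, question, status, planned action, target date).
# The questions are short paraphrases, not the book's own Table 2 rows.
ANSWERS = [
    ("external parties", "Risks from external parties identified?", "implemented", None, None),
    ("external parties", "Controls in place before granting external access?",
     "partially implemented", "agree security terms with supplier", "2006-06-30"),
    ("third-party delivery", "SLAs cover all security requirements?",
     "not implemented", "add security schedule to SLA", "2006-07-31"),
    ("third-party delivery", "Third-party reports monitored and audited?",
     "largely implemented", "schedule annual audit", "2006-05-31"),
    ("third-party delivery", "Changes to service provision managed?", "not applicable", None, None),
]

def _applicable(answers):
    return [a for a in answers if a[2] != "not applicable"]

def topic_scores(answers):
    """Percentage compliance per topic: the mean status score of the questions
    that apply. Not-applicable questions are excluded, not counted as 0."""
    per_topic = defaultdict(list)
    for topic, _q, status, _a, _t in _applicable(answers):
        per_topic[topic].append(STATUS_SCORE[status])
    return {t: sum(v) / len(v) for t, v in per_topic.items()}

def overall_score(answers):
    """Single snap-shot figure for management across all applicable questions."""
    scores = [STATUS_SCORE[a[2]] for a in _applicable(answers)]
    return sum(scores) / len(scores)

def open_actions(answers):
    """Action list: every applicable question below 100 %, earliest target first."""
    rows = [(target, topic, question, action)
            for topic, question, status, action, target in _applicable(answers)
            if STATUS_SCORE[status] < 100]
    return sorted(rows)
```

Rerunning the same matrix at the next review and comparing `overall_score` gives the progress indication mentioned above.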
4.1.2 Management cost–benefit, impact and performance reviews
Management needs to be in a position to make decisions based on an analysis of the
benefits and costs of implementing information security, covering what it already has in
place and what additional controls it needs. There are various measures management can
consider as part of its business impact and cost–benefit analysis.
This requires a measurement approach that is based on financial objectives and observable
measures to determine the benefits and effectiveness of information security. The various
losses that they are likely to be concerned with are:
• possible maximum loss – the largest loss that could occur if a security incident
happened;
• probable maximum loss – the best estimate of the loss that would occur if a security
incident happened in the period under consideration;
• potential loss – the estimated loss at the moment of reporting or detection of the
security incident;
• effective or real loss – the loss resulting after examining, investigating and recovering
from the security incident;
• prevented loss – the potential loss minus the effective loss, as the positive outcome of
the investigating and recovering from the security incident.
From such an analysis, management can try to gauge from a business impact and
financial loss perspective the effectiveness of the information security controls or security
management activities in place:
effectiveness of the information security controls =
potential losses – effective losses = prevented losses
4.1.2.1 Business impact analysis scorecards

Table 3 — Business impact analysis scorecards

(Only fragments of the scorecard survived extraction; lost cells are marked […].)

Impact class               Identified impact type               Measure of business impact
[…]                        […] and negative response from       […]
                           current and future […]
Loss of tangible assets    Fraud and theft                      Financial impact of Y%
                           Legal penalties, liabilities,        […]
                           fines or fees
                           Involvement in court cases           Financial impact of Z
Operational                Delayed development of               […]
                           software product
                           Missed market launch                 […]
Management control         Failure to maintain                  […]
                           levels of business process
                           […] customer data, system            […]
                           failures, non-regular […]

Table 4 — Benefits records

(Only the headings and one fragment survived extraction; lost cells are marked […].)

Benefit identified              Measure                              Target
[…]                             Percentage of effective              […]
                                operational service time
4.1.3 Management reviews
Management should review its ISMS at planned intervals to ensure its continuing
suitability, adequacy and effectiveness. This review should include assessing opportunities for
improvement and the need for changes to the ISMS, including policies, procedures,
technical and non-technical controls and allocation of resources.
4.1.3.1 Review check and action list
Table 5 — Review check and action list