In December 2016, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) updated information technology standard 27004, which is intended to assist organizations in the evaluation of information security performance and the effectiveness of information security management systems (ISO/IEC 27004:2016).  ISO/IEC 27004:2016 replaces ISO/IEC 27004:2009, and includes updates to bring the standard into alignment with the current version of ISO/IEC 27001 (ISO/IEC 27001:2013).

ISO/IEC 27001 is applicable to organizations of all sizes and sets out requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).  ISO/IEC 27004 is designed to assist organizations in evaluating the performance and the effectiveness of an ISMS that has been implemented in accordance with ISO/IEC 27001.  ISO/IEC 27004 provides guidance on how to select indicators for monitoring and measurement of ISMS performance, and includes examples of different types of measures and explanations of how to assess their effectiveness.

In addition to assisting organizations in measuring the effectiveness of their own ISMS, ISO/IEC 27004 is also useful for organizations seeking to purchase services from service providers who claim that their ISMS complies with ISO/IEC 27001.  Organizations might inquire as to whether the service provider’s ISMS has been evaluated under ISO/IEC 27004 and, if so, request a copy of the compliance report for review.

For more information please see: http://tinyurl.com/zwn5txc

Summary by: Thomas Wong

E-TIPS® ISSUE 17 01 25