Note: this article was updated according to the 2013 version of ISO 27001
Peter Drucker (one of the most influential thinkers on the subject of management theory) said “What gets measured gets managed”. The same goes for information security – if you don’t know how well you are doing, you’ll have a very difficult time steering your information security in the desired direction.
And it is exactly this ‘desired direction’ that is an essential part of measurement – setting the objectives. Only if you know exactly what you want to achieve, will you be able to know how far or how close you are to actually achieving it. Equally important – you’ll be able to answer your management’s question: “Did our investment in security pay off?”
Measurement in ISO 27001
Those of you who know the philosophy of ISO 27001 know that the so-called PDCA management cycle (Plan-Do-Check-Act) still remains the foundation of this standard, even though it is no longer shown explicitly in the standard (for more information, please read: Has the PDCA Cycle been removed from the new ISO standards?).
The concept of measurement is also best explained through this PDCA cycle:
- In the Plan phase you need to set the objectives (ISO 27001 clauses 5.2, 6.1.3 and 6.2),
- In the Do phase you must figure out how to measure to what extent your objectives are achieved – which data to collect, how, and how often (ISO 27001 9.1),
- In the Check phase you perform the actual measurement and evaluate the results (ISO 27001 9.1), and finally
- In the Act phase, once you realize you haven’t achieved your objectives (which is very often the case), you need to make certain improvements (ISO 27001 10.1 and 10.2).
And ISO 27001 requires at least two different levels of objectives to be set:
- Objectives for the whole Information Security Management System (ISMS) – ISO 27001 clauses 5.2 and 6.2, and
- Objectives for each security control (safeguard) – ISO 27001 clause 6.1.3.
Of course, depending on the size and complexity of your organization, you can choose to add another layer of objectives – e.g. at the level of individual organizational units (departments, etc.).
How to set (measurable) security objectives
My clients always ask me “OK, but how can I measure my backup, or my firewall?”. The secret lies in setting objectives which are easy to measure – you might have heard of the S.M.A.R.T. concept: objectives need to be Specific, Measurable, Achievable, Relevant, and Time-based.
So, what would it look like for the firewall? Something like ‘We want our firewall to stop 100% of unwanted network traffic’. Is it measurable? Yes – you will find out, sooner or later, whether some unwanted traffic has passed through the firewall; the practical way is to compare the traffic the firewall actually accepted (from its logs) against the traffic your policy says should be allowed, and count every accepted flow that the policy does not permit.
Another example – backup. The objective could be ‘In case of a disaster, we want to lose at most 6 hours of data’ (in other words, a recovery point objective of 6 hours). Measurable? Yes – and you don’t have to wait for data loss to happen: you can test your backup, restore it, and see how old the most recent data you can recover actually is.
An example of the objective for the whole ISMS could be ‘We want to decrease the number of information security incidents by 50% in the next year’. Again, pretty specific and therefore measurable.
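To show what “measuring” the three objectives above looks like in practice, here is an added example (not code from the original article). It checks the firewall objective against a constructed flow log and an assumed inbound policy, computes the achieved recovery point from a constructed backup job history, and compares incident counts for two years. All data, thresholds, clause mappings and the names `measure_firewall`, `measure_rpo`, `incident_reduction` and `evaluate_objectives` are assumptions made for illustration.

```python
"""Added example: measuring three SMART security objectives against
constructed sample data. Not part of the original article; all data,
policy and thresholds below are assumptions made for illustration."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# --- Objective 1: "the firewall stops 100% of unwanted network traffic" ---
# Constructed inbound policy (assumption): which destination ports may be
# reached from which source ranges. Anything else counts as "unwanted".
INBOUND_POLICY = {
    443: [ip_network("0.0.0.0/0")],
    22: [ip_network("10.0.0.0/8")],
    445: [ip_network("10.0.0.0/8")],
}

# Constructed firewall flow log: timestamp src dst dst_port action
FLOW_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 10.0.0.5 443 ACCEPT
2024-03-01T10:00:02Z 198.51.100.9 10.0.0.5 22 ACCEPT
2024-03-01T10:00:03Z 198.51.100.9 10.0.0.5 3389 DENY
2024-03-01T10:00:04Z 10.0.0.8 10.0.0.5 445 ACCEPT
2024-03-01T10:00:05Z 192.0.2.44 10.0.0.5 445 DENY
"""


def is_wanted(src, port):
    """True if the policy allows this source address to reach this port."""
    allowed = INBOUND_POLICY.get(port, [])
    return any(ip_address(src) in net for net in allowed)


def measure_firewall(flow_log=FLOW_LOG):
    """Share of unwanted flows the firewall actually stopped, plus the
    accepted-but-unwanted flows that show the 100% objective was missed."""
    unwanted = stopped = 0
    leaked = []
    for line in flow_log.splitlines():
        _ts, src, _dst, port, action = line.split()
        if is_wanted(src, int(port)):
            continue  # policy permits it: not the firewall's job to stop
        unwanted += 1
        if action == "DENY":
            stopped += 1
        else:
            leaked.append(line)
    ratio = stopped / unwanted if unwanted else 1.0
    return {"unwanted": unwanted, "stopped": stopped,
            "stopped_ratio": ratio, "leaked": leaked}


# --- Objective 2: "at most 6 hours of data loss" (recovery point objective) ---
RPO_TARGET = timedelta(hours=6)

# Constructed backup job history: (completion time, success flag)
BACKUP_RUNS = [
    (datetime(2024, 3, 2, 1, 0, tzinfo=timezone.utc), True),
    (datetime(2024, 3, 2, 4, 0, tzinfo=timezone.utc), False),  # failed run
    (datetime(2024, 3, 2, 7, 0, tzinfo=timezone.utc), False),  # failed run
]


def measure_rpo(loss_time, runs=BACKUP_RUNS):
    """Data-loss window if a restore were needed at loss_time: the gap back
    to the newest backup that completed successfully before that moment.
    Failed runs do not count, which is exactly what a restore test reveals."""
    good = [t for t, ok in runs if ok and t <= loss_time]
    if not good:
        return None  # nothing restorable at all: objective clearly missed
    return loss_time - max(good)


# --- Objective 3 (ISMS level): "50% fewer incidents than last year" ---
def incident_reduction(previous, current):
    """Fractional year-over-year reduction in incident count (needs a baseline)."""
    if previous == 0:
        return 0.0
    return (previous - current) / previous


def evaluate_objectives():
    """Evaluate all three objectives and report whether each was met."""
    fw = measure_firewall()
    rpo = measure_rpo(datetime(2024, 3, 2, 9, 30, tzinfo=timezone.utc))
    red = incident_reduction(previous=40, current=24)  # constructed counts
    return {
        "firewall_met": fw["stopped_ratio"] == 1.0,
        "firewall": fw,
        "rpo_hours": rpo.total_seconds() / 3600 if rpo is not None else None,
        "rpo_met": rpo is not None and rpo <= RPO_TARGET,
        "incident_reduction": red,
        "incidents_met": red >= 0.5,
    }


if __name__ == "__main__":
    for key, value in evaluate_objectives().items():
        print(f"{key}: {value}")
```

With the constructed data none of the three objectives is met: one unwanted SSH connection from outside the allowed range was accepted, the two most recent backup runs failed so the achievable recovery point is 8.5 hours rather than 6, and incidents fell by 40% rather than 50%. The point of the exercise is that each number comes from evidence you can collect routinely (firewall logs, backup job status and restore tests, the incident register), which is what clause 9.1 asks you to define in advance.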
Objectives should help you manage your security…
Setting objectives and measuring them is still a relatively new and unexplored aspect of information security. It is very often considered an overhead, mostly because of a lack of knowledge about how to do it, not because of real practical obstacles.
But nowadays there is more and more literature on this topic (ISO 27004 standard being one of the best sources) and an increasing number of information security practitioners with experience in this field, so measurement is slowly making its way into information security mainstream.
To finish this post with another quote – “If you don’t know where you’re going, you’ll probably end up somewhere else.” Don’t let that happen to you.
You can also check out our webinar ISO 27001 and ISO 27004: How to measure the effectiveness of information security?