Quiz Entry - updated: 2026.03.01
What is ISO 27004 and what does an Information Security Measurement Programme (ISMP) involve?
ISO 27004 provides guidance on measuring the effectiveness of an ISMS and its controls — because you can't improve what you don't measure.
The standard covers recommendations for:
- Developing measurement criteria — What to measure and how
- Implementing an ISMP — Information Security Measurement Programme
- Analyzing results — Interpreting measurements and reporting to stakeholders
- Improving the ISMS — Using results to enhance the ISMS and its controls
- Improving the ISMP itself — Meta-improvement of the measurement process
Why it matters: The "Check" phase of PDCA requires actual evidence that your ISMS is working. ISO 27004 tells you how to produce that evidence. Without measurement, your ISMS is just a collection of documents gathering dust.
Example metrics: Percentage of employees who completed security training, number of security incidents per quarter, time to patch critical vulnerabilities, percentage of systems with up-to-date antivirus.