LOGBOOK

HELP

Quiz Entry - updated: 2026.03.01

What is ISO 27004 and what does an Information Security Measurement Programme (ISMP) involve?

ISO 27004 provides guidance on measuring the effectiveness of an ISMS and its controls — because you can't improve what you don't measure.

The standard covers recommendations for:

  1. Developing measurement criteria — What to measure and how
  2. Implementing an ISMP — Information Security Measurement Programme
  3. Analyzing results — Interpreting measurements and reporting to stakeholders
  4. Improving the ISMS — Using results to enhance the ISMS and its controls
  5. Improving the ISMP itself — Meta-improvement of the measurement process

Why it matters: The "Check" phase of PDCA requires actual evidence that your ISMS is working. ISO 27004 tells you how to produce that evidence. Without measurement, your ISMS is just a collection of documents gathering dust.

Example metrics: Percentage of employees who completed security training, number of security incidents per quarter, time to patch critical vulnerabilities, percentage of systems with up-to-date antivirus.

From Quiz: ISM / Standards & Frameworks I (ISO, BSI) | Updated: Mar 01, 2026