
Friday, February 27, 2009

[ISO 27001 security] Can any one throw some light on metrics

       


Hi team

Great work you guys are doing!!!! Even though I am a silent listener, I used to enjoy the entire series of mail exchanges. Thank you to all who contribute towards this group.

I have recently finished the ISMS implementation for one of our clients. Now it is time for measurement of the maturity of the ISMS. So can anyone throw some light on the area of metrics? How can I start, which are the components I need to take, any templates, etc.?

Hope that you can help me in this.


--
Sandeep Erat
Bangalore




A set of ISMS metrics aligned with ISO27k vaguely approaches the templates you requested. It is published at www.iso27001security.com/ISO27k_security_metrics_examples.pdf. This paper documents the output of an interactive ISMS metrics workshop involving a clever bunch of IT auditors and other information security pros, under the auspices of ISACA in Wellington NZ. I'm quite sure others on this email reflector would be able to suggest additional metrics that work for them.

I published a white paper on ISMS metrics at www.noticebored.com/html/metrics.html, originally in the ISSA Journal in July 2006. It goes into the rationale for designing/selecting information security metrics, along the way referencing an all-time classic thought-provoking academic paper "Metrics: you are what you measure" at http://web.mit.edu/hauser/www/Papers/Hauser-Katz%20Measure%2004-98.pdf

Last but definitely not least is the excellent book by Andrew Jaquith "Security metrics: replacing fear, uncertainty and doubt" - search the Web or spend your US$31.50 at http://astore.amazon.com/wwwnoticeborc-20/detail/0321349989. Andrew runs a wiki/blog/mailing list/conference on information security metrics in conjunction with Dan Geer and a bunch of fellow professionals, through www.securitymetrics.org, thoroughly recommended. One of their projects is a catalog of potential information security metrics at www.securitymetrics.org/content/Wiki.jsp?page=MetricsCatalogProject

Do let us know how you get on, Sandeep.

Best wishes,
Gary

Gary Hinson
Passionately curious, curiously passionate
www.NoticeBored.com  Creative awareness materials
www.ISO27001security.com  ISO/IEC 27000 standards
www.isect.com/html/environmental_policy.html  Going green
