Design and Use of Information Security Metrics: Application of the ISO/IEC 27004 standard

Authors:

  • Kristoffer Lundholm
  • Jonas Hallberg
  • Helena Granlund

Publish date: 2011-07-01

Report number: FOI-R--3189--SE

Pages: 57

Written in: English

Keywords:

  • Information security
  • ISO/IEC 27001
  • ISO/IEC 27004
  • metric


The international standard for the implementation of an information security management system (ISMS), ISO/IEC 27001, has been available since 2005. This standard mandates that measurements be performed in order to demonstrate how well an ISMS is working. A method for developing these measurements was published in 2009 in the standard ISO/IEC 27004. This report presents a case study performed at a Swedish government agency. The aim of the study was to evaluate a method for the design and implementation of information security metrics. The method used is based on the method outlined in ISO/IEC 27004, augmented with a participatory design approach. The standard provides a template for the specification of metrics, whereas the augmentation is essential for extracting from the agency the information needed to design the metrics. The first step, selecting the controls (from ISO/IEC 27001) for which to design metrics, resulted in five controls. The next step was to design metrics for these controls. The design was carried out through a participatory design process consisting of two sets of interviews with security personnel whose responsibilities correspond to the security areas of the controls. The final step was measurement using the metrics. The measurements were performed by the security personnel involved in the design of the metrics, whereas the presentations of the results were prepared by one of the participating researchers. From the study it was concluded that the design of metrics programs for organizations with immature information security programs should probably be initiated by identifying areas of interest for measurement. Next, the metrics program should be designed to gather data that is readily available and gradually expanded to measurements requiring data that is more difficult to collect. A vital point is that the presence of a metrics program supports the efforts to make the ISMS more mature and, thereby, improves the availability of data to be measured.