ISO/IEC 27004:2016 (second edition)

Information technology - Security techniques - Information Security Management -
Monitoring, measurement, analysis and evaluation

ISO/IEC 27004 is a member of the ISO27k family of information security management standards produced by an international team of experts under the auspices of ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Committee).

The standard is intended to help organizations measure, report on and hence systematically improve the effectiveness of their Information Security Management Systems. It expands substantially on clause 9.1 of ISO/IEC 27001:2013 concerning €˜monitoring, measurement, analysis and evaluation”, hence the title. Although an ISMS would literally be worse than useless without suitable metrics, information security metrics are of value in all organizations regardless of whether or not they have an ISO27k ISMS in place.

According to the committee’s 2021 work programme, the standard “provides guidance on the specification and use of measurement techniques for providing assurance as regards the effectiveness of information security management systems.” In fact, providing assurance on ISMS effectiveness is just one of several reasons for using measurement, arguably not even the main one!

The standard’s main sections are:

Rationale - explains the value of measuring stuff e.g. to increase accountability and improve performance;
Characteristics - what to measure, monitor, analyze and evaluate, when to do it, and who to do it;
Types of measures - performance (efficiency) and effectiveness measures;
Processes - processes for developing, implementing and using measurements.

Annex A has most of the measurement model from the 2009 first edition of the standard ... which was theoretical and academic rather than usable and pragmatic.
Annex B catalogs 35 metrics examples of varying utility and quality, using a typical metrics definition form. These 35 are a mixed bunch, not very well described. Please don’t think that you ought to be using them, unless they happen to suit your specific needs. There are more PRAGMATIC security metrics.
Annex C demonstrates a curious pseudo-mathematical way to describe a metric.

Presumably to minimize potential confusion with the word “metrics” defined and used in other ISO standards, ‘27004 studiously avoids the generally-accepted term, instead using “measures” or “measurements” throughout.