If you look at the standard BS7799-2:2005, Monitor and Review the ISMS 4.2.3.d.5
mentions effectiveness of the implemented controls, which means we have to
develop an approach to measure effectiveness as part of our methodology.
For me, auditing and incident management play a key role in measuring
effectiveness.
Regards
Aaron
-----Original Message-----
From: ljknews [mailto:ljknews (at) mac (dot) com [email concealed]]
Sent: Tuesday, July 18, 2006 8:00 PM
To: bs7799 (at) securityfocus (dot) com [email concealed]
Subject: Re: Metrics in ISO 27001
At 7:48 PM +0530 7/18/06, stanley perreira wrote:
> Hello,
>
> I am trying to develop metrics for the ISO 27001. There does not seem
> to be much of a consensus on how to go about it?
>
> What are we supposed to measure here - is it the effectiveness of the
> controls or how many controls are being followed?
If you cannot show your use of the control is effective, then you cannot
really be said to be following it.
--
Larry Kilgallen