USING "ISO-IEC 27001" STANDARD FOR SECURITY CONTROLS EFFECTIVENESS MEASUREMENT IN INFORMATION SECURITY MANAGEMENT SYSTEMS

  • Nenad Milisavljević, Komercijalna banka A.D. Beograd
Keywords: ISO/IEC 27001, Information Security Management System, Effectiveness measurement, Return on investment

Abstract

This paper deals with applying the "ISO/IEC 27001" standard in the security effectiveness measurement process. Its main objective is to give organizations that have already implemented the "ISO/IEC 27001" standard a brief description of how to treat information security as a measurable part of their business. The paper first introduces the "ISO/IEC 27001" standard, its historical development and its structure. It then addresses the need for security effectiveness measurement and the methods that can be applied. Several appendices set out objectives and effectiveness measurement mechanisms for selected "ISO/IEC 27001" security controls. Additional information is also given on using these measurements to determine control effectiveness, so that comparable and reproducible results can be established.
Published: 2019-01-15
Section: Articles