ISO 27001 builds on BS 7799 with much more guidance on information security measurement and metrics. This paper complements the ISO/IEC standard for information security management systems by exploring: 1) security measurement objectives, 2) what security aspects should be measured, in terms of both process and effectiveness; 3) how controls should be measured; 3) how measurements can and should be used to provide "assurance" on the effectiveness?

The paper presents both a ISO 27001-aligned model for security measurement and concrete illustrations of how the model can be applied to demonstrate the effectiveness of security controls in business processes.