ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27 ...

A substantive presentation describing definition, souring, application, interpretation, testing, cost effectiveness, calibration, and use of security measurement in a risk context. The presentation also provides insights on related concepts, such as st ...

This book provides guidance on the implementation of ISMS control requirements for auditing existing control implementations to help organizations preparing for certification in accordance with ISO/IEC 27001:2005 Information security management systems. R ...

Factor Analysis of Information Risk (FAIR) provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, an ...

Information security professionals traditionally had difficulty trying to justify their existence. IT security staff agree there should be some security controls in place, but trying to validate a defense in depth approach is difficult. Organizations ha ...

VerIS is a set of metric definitions designed to provide a common language for describing security incidents in a structured and repeatable manner. The framework's goal is to lay a foundation on which security practitioners can constructively and coop ...

Asset identification plays an important role in an organization's ability to quickly correlate different sets of information about assets. NISTIR 7693 provides the necessary constructs to uniquely identify assets based on known identifiers and/or known in ...