The proposal of software development and acquisition metrics based on ISO/IEC 27001 standard

The implementation and operation of efficient information security management systems (ISMS) according to the ISO/IEC 27001 standard involves a number of steps, among others implementation and operation of appropriate processes, policies and objectives. The crucial issue is the correct definition of the metrics for measurement of the effectiveness of established processes and established controls. The paper describes some practical metrics for ISMS processes review but primarily deals with the metrics for the security category “Security in development and support processes” from the security control clause “Information systems acquisition, development and maintenance processes” (ISO/IEC 27001, ISO/IEC 27002). Judged by the authors’ research and experience, organizations often concentrate mainly on other security categories (Correct processing in application, Cryptographic controls, Security of system files) from the security control clause “Information systems acquisition, development and maintenance processes” (ISO/IEC 27001, ISO/IEC 27002). The aim of this paper is to refocus on the necessity to define appropriate metrics for all processes (controls) corresponding to the “Information systems acquisition, development and maintenance” security clause.