ISO 27002 Security Benchmark


Information security plays an increasingly crucial role in protecting the assets of an organization. As no single formula can ever guarantee 100% security, there is a need for a set of benchmarks or standards to help ensure an adequate level of security is attained, resources are used efficiently, and the best security practices are adopted. This blog illustrates a basic methodology to perform an ISO 27002 Security Benchmark and how to evolve towards compliance and become increasingly secure through integration with a Capability Maturity Model (CMM).


What are the Benefits?

ISO 27002 provides organizations with the assurance of knowing that they are protecting their information assets using criteria in harmonization with an internationally recognized standard. Benefits are applicable to organizations of all sizes and all security maturity levels, not only large enterprises.

Organizations with superior IT governance have more than 25% higher profits than those with poor governance given the same strategic objectives. These top performers have custom-designed IT governance for their strategies.

ISO 27002 compliance can provide many benefits:

  • Provides a framework for resolving security issues
  • Provides policies & procedures in accordance with internationally recognized criteria, structure and methodology
  • Enhances client confidence & perception of your organization
  • Enhances business partners’ confidence & perception of your organization
  • Provides confidence that you have minimized risk in your own security program
  • Can be a deciding differentiator in contract negotiations
  • Enhances security awareness within an organization
  • Assists in the development of best practice
  • A defined process for implementation, management, maintenance and ISMS evaluation
  • Evaluations conducted by impartial independent and objective assessors using a proven methodology
  • A performance yardstick to harmonized criteria resulting in mutual recognition
  • Optimized security delivers lower costs: fraud, inefficiency and errors should be reduced
  • May reduce insurance premiums
  • Compliance advantages for participation in global business opportunities

Leveraging internationally renowned security standards not only allows organizations to seek a reasonable goal of due-diligence but also enables them to articulate security posture to external partners and customers.

ISO 27000 Standards Family

ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). An Information Security Management System is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems.

ISO/IEC 27002 is a Code of Practice for Information Security Management standard. It provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). The Code of Practice establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.

ISO 27002 Scope

Within the Code of Practice there are a set of security domains, as follows:

  • Risk assessment – see blog Risk Assessment and Roadmap
  • Security policy – management direction
  • Organization of information security – governance of information security
  • Asset management – inventory and classification of information assets
  • Human resources security – security aspects for employees joining, moving and leaving an organization
  • Physical and environmental security – protection of the computer facilities
  • Communications and operations management – management of technical security controls in systems and networks
  • Access control – restriction of access rights to networks, systems, applications, functions and data
  • Information systems acquisition, development and maintenance – building security into applications
  • Information security incident management – anticipating and responding appropriately to information security breaches
  • Business continuity management – protecting, maintaining and recovering business-critical processes and systems
  • Compliance – ensuring conformance with information security policies, standards, laws and regulations

These security domains contain control objectives with hundreds of best-practice information security control measures recommended for organizations to satisfy the control objectives and protect information assets against threats to confidentiality, integrity and availability.

Capability Maturity Model (CMM)

A Capability Maturity Model (CMM) is a model for judging the maturity of the processes of an organization and for identifying the key practices that are required to increase the maturity of these processes. The idea behind a Security CMM is to define the areas of a security program that should have policy, procedures, processes and controls associated with them, and then to measure the application and effectiveness of that policy, those procedures, processes and controls (the capability level) in an organization. A more mature organization is defined as one whose processes are better defined, integrated and managed. Such an organization is said to have a higher capability level than a less mature organization.

The Security CMM defines five capability levels:

[Figure: Security CMM capability levels]

ISO 27002 Benchmark

There are many tools and templates available that can help an organization to benchmark its current state towards ISO 27002 compliance. In our case we developed an Excel macro-based tool that covers the ISO 27002 controls and maps each of them to a CMM capability level. The user simply makes selections from drop-down boxes and adds comments on any observations. See the ISO 27002 Benchmark Visualization Tool sample below:

[Figure: ISO 27002 Tool]

The tool is used in interactive sessions with IT to discuss the various domains and controls of ISO 27002 and their current state in terms of development, implementation, integration and maturity. The results are summarized in the checklist, and the control ratings are validated to ensure accuracy. Once the exercise has been completed for all sections within ISO 27002, the macros can be executed. In our case they operate against a default report template to auto-generate the report, enabling an efficient and rapid benchmark. The deliverable report is then further developed using placeholder sections to customize it and to add expertise, industry trends and best practices for management. An extract of the raw report is shown below.

[Figure: ISO 27002 Report]

The tool additionally auto-generates ISO 27002 Security Benchmark Executive Summary slides. These enable presentation and visualization to executive management of the current state as well as the organization’s objectives, supporting ongoing justification for the cost and resources needed for the security management and improvement program. The following is a sample of a high-level graph that maps compliance to organizational objectives and CMM.

[Figure: ISO 27002 Visualization]

“Security is not a product, it is the ever evolving integration of solutions and process based upon industry standards, proven methodology and best practices.” Nigel Willson

[Figure: ISO Scorecard 2]

ISO 27002 Compliance Lifecycle

Once the organization has performed an initial Baseline Benchmark, the results can be evolved into an ongoing lifecycle benchmark process and ISO 27002 compliance measurement program. Performing benchmarks quickly and efficiently reduces the burden and enables timely reporting on progress; depending upon the organization’s size that may be quarterly, bi-annually or annually. It can be used to demonstrate progress and trends in what has been achieved and what is left to do. The following is a high-level example ISO 27002 Compliance Lifecycle.

  • Baseline Benchmark – Assess the status of security management processes and controls
  • Regular Checkpoints – Perform periodic health checks to compare and contrast improvement and compliance progress
  • Identify Gap – Use gap analysis to identify the divergence of current state security against the standard goal
  • Statement of Applicability (SOA) – Describe the relevance of the standard’s controls to your organization
  • Security Improvement Program (SIP) – Develop cyclic process to recommend the measures required to overcome the divergence identified in the gap analysis
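The benchmark tool and the lifecycle above both reduce to the same computation: rate each control at a CMM level, average per ISO 27002 domain, compare against a target level, and diff successive checkpoints. The following Python is an added example of that scoring logic, not the blog's Excel tool; the numeric 0–5 level scale, the domain targets, the control labels and the two assessments are constructed sample data.

```python
# Added example: ISO 27002 / CMM benchmark scorer with gap analysis and
# checkpoint trend. Level scale 0..5 is an assumption (the post shows five
# levels but does not name them). Control ids are illustrative labels only.
MIN_LEVEL, MAX_LEVEL = 0, 5

# Constructed sample assessments: {domain: {control_id: assessed_level}}
BASELINE = {
    "Access control": {"AC-1": 2, "AC-2": 1, "AC-3": 3},
    "Incident management": {"IM-1": 1, "IM-2": 1},
    "Asset management": {"AM-1": 3, "AM-2": 2},
}
CHECKPOINT = {  # same controls, reassessed one period later
    "Access control": {"AC-1": 3, "AC-2": 2, "AC-3": 3},
    "Incident management": {"IM-1": 2, "IM-2": 1},
    "Asset management": {"AM-1": 3, "AM-2": 3},
}
# Target capability level per domain (the "standard goal" of the gap analysis)
TARGET = {"Access control": 3, "Incident management": 3, "Asset management": 3}


def validate(assessment):
    """Reject ratings outside the level scale before they skew the averages."""
    for domain, controls in assessment.items():
        for cid, lvl in controls.items():
            if not isinstance(lvl, int) or not MIN_LEVEL <= lvl <= MAX_LEVEL:
                raise ValueError(f"{domain}/{cid}: level {lvl!r} not in "
                                 f"{MIN_LEVEL}..{MAX_LEVEL}")
    return True


def domain_scores(assessment):
    """Average capability level per domain, rounded to one decimal."""
    validate(assessment)
    return {d: round(sum(c.values()) / len(c), 1) for d, c in assessment.items()}


def gap_analysis(assessment, target):
    """Controls below their domain target, with the shortfall in levels."""
    validate(assessment)
    gaps = {}
    for domain, controls in assessment.items():
        below = {cid: target[domain] - lvl
                 for cid, lvl in controls.items() if lvl < target[domain]}
        if below:
            gaps[domain] = below
    return gaps


def compliance_pct(assessment, target):
    """Share of controls at or above their domain target, as a percentage."""
    total = sum(len(c) for c in assessment.values())
    met = sum(lvl >= target[d] for d, c in assessment.items() for lvl in c.values())
    return round(100 * met / total, 1)


def trend(before, after):
    """Per-domain change in average level between two checkpoints."""
    b, a = domain_scores(before), domain_scores(after)
    return {d: round(a[d] - b[d], 1) for d in b}
```

Feeding each periodic checkpoint through `trend` and `compliance_pct` gives the progress figures the executive summary graph plots.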

Critical Success Factors

Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:

  • Information security policy, objectives, and activities that reflect business objectives
  • An approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture
  • Visible support and commitment from all levels of management
  • A good understanding of information security requirements, through the use of risk assessments, and risk management
  • Effective marketing of information security to all managers, employees, and other parties to achieve awareness and ultimately compliance
  • Distribution of guidance on information security policy and standards to all managers, employees and other parties
  • Provision to fund information security management activities
  • Providing appropriate awareness, training, and education
  • Establishing an effective information security incident management process
  • Implementation of a measurement system used to evaluate performance in information security management and feed back data for improvement.

Management support is necessary at all levels. User awareness programs should also be conducted to ensure that all employees understand the benefits and impacts before the deployment of new security policies and guidelines.

A common problem that crops up after implementation of a standards alignment exercise is an increase in the number of complaints received from users of IT services due to the restrictions imposed by new security controls. The successful implementation of any information security standards or controls must be a balance of security requirements, functional requirements and user requirements.

Stop Think

Although there are a number of information security standards available, an organization can only benefit if those standards are implemented properly. Security is something that all parties should be involved in. Senior management, information security practitioners, IT professionals and users all have a role to play in securing the assets of an organization. The success of information security can only be achieved by full cooperation at all levels of an organization, both inside and outside.

Thanks for your interest!

Nige the Security Guy.



13 Responses to ISO 27002 Security Benchmark

  1. Pingback: Security Series Master Index | Nige the Security Guy

  2. John DiMaria says:

    Could you provide the source supporting the statement that “Organizations with superior IT governance have more than 25% higher profits than those with poor governance given the same strategic objectives”.

    Good article

    • Thanks.

      It is an old quote that I re-used and forgot, thus no attribution but it looks as if it came from my book, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Peter Weill, Jeanne Ross (Authors).

      Having said that, I work a lot in this area and contributed to The Visible Ops Handbook, “Since 2000, Gene Kim and Kevin Behr have met with hundreds of IT organizations and identified eight high-performing IT organizations with the highest service levels, best security, and best efficiencies. For years, they studied these high-performing organizations to figure out the secrets to their success. Visible Ops codifies how these organizations achieved their transformation from good to great …”

      Hope this helps,


  3. Having this kind of benchmarking is very interesting. It is good to be used as a strategic tool based on Gap Analysis, but the restriction is that CMM is not an internationally accepted method, since it is in the US!!

    • While CMM is not an international standard I propose it more as a best-practice and metric for compliance to the ISO 27002 standard. It is a useful planning and visualization tool to demonstrate to executive leadership where the program is, what the next steps are and, to seek ongoing support and financing. Hope this helps.

  4. Pingback: APT Red Teams – Part 1 | Nige the Security Guy

  5. Pingback: Security Strategy Retrospective | Nige the Security Guy

  6. JRinFL says:

    Is this tool available? I did not find anywhere to get it if it is…


    • Thanks for contacting me.

      The tool is basically an Excel spreadsheet with macros together with an MS Word template. They are useful and can contrast ISO to other compliance needs, such as PCI or HIPAA to take a holistic view. They are fairly easy to create and then you can use it both to track evolution towards compliance year over year as well as various visual summaries to seek budget/support based on next steps. Visualization.

      The following site has many tools and spreadsheets that you can use and/or customize, and there are various other useful sources.

      Hope this helps, Nige.

  7. Phil Agcaoili says:

    What’s happening is that specific criteria through questionnaires are tied to several security controls frameworks. The NIST Cybersecurity Framework alone has three associated questionnaires–(1) DHS CRR, (2) DHS CSET (for Scada), and C2M2.

    The challenge for ISO/IEC 27001:2013 is that assessments are not standard (despite the reviewers guide) and are still fairly arbitrary based on who the accredited certification body is.

    At the Cloud Security Alliance, we worked hard marrying the Cloud Controls Matrix (CCM) to the Consensus Assessment Initiative Questionnaire (CAIQ), so that the grading criteria in the questionnaire aligned with the intention of the controls.

    I doubt this is done for the DHS CRR or CSET and know that this alignment is devoid in the ES-C2M2, ONG-C2M2, and core C2M2.

  8. Phil Agcaoili says:

    By the way, we’re roughly using the same assessment approach. Here’s what I posted for the NIST CSF last October.
    See the Self-Assessment- Security Index tab

    • Thanks for sharing.

      I do tend to use ISO 27001/2 as a practical best-practice goal for many organizations, a minimum baseline on the road to more advanced security. All regulations and standards tend to have grey areas open to interpretation, such as PCI DSS by the QSA. There is also a cost associated so you tend to discover many organizations are ISO certified in only certain domains or systems.

      The blog is already dated and, ideally, needs updating with my Master Compliance Framework. At great expense too many organizations seek regulatory compliance in silos and so the framework maps the various applicable regulations to enable coherent and holistic security requirements and compliance mapping. These frameworks and regulations have various breadth and depth so the organization needs to decide what framework works best and … what does it address, etc.

      It all comes back to … what are you trying to protect and need to protect and … the commitment of the organization to achieve compliance together with continuous improvement lifecycle.


  9. Leslie K. Lambert says:

    How can I find or purchase your spreadsheet/word combo tool? Thanks, Leslie K. Lambert
