Security governance is a framework that allows for the security goals of an organization to be set and expressed by senior management, communicated throughout the different levels of the organization.

Metrics

ISO/IEC 27004:2009 is used to assess the effectiveness of an ISMS and the controls that make up the security program as outlined in ISO/IEC 27001.

The NIST SP 800-55, Revision 1 also covers performance measuring for information security, but has a U.S. government slant.

剩余内容请看本人公众号debugeeker, 链接为CISSP考试指南笔记：1.18 安全治理