Which ISO standard focuses on how to measure success of an ISMS?

The correct answer is ISO 27004. This standard specifically provides guidance on the monitoring and measurement of an Information Security Management System (ISMS). ISO 27004 outlines how to evaluate the effectiveness and efficiency of the ISMS in relation to the organization’s information security objectives. It emphasizes the importance of establishing metrics and indicators to ensure that the ISMS is continually improved and aligned with the organization’s goals.

While ISO 27001 is the primary standard for establishing, implementing, maintaining, and continually improving an ISMS, and ISO 27005 focuses on information security risk management, neither of these standards specifically addresses the metrics and success measurement of an ISMS as directly and comprehensively as ISO 27004 does. ISO 27799 relates to health informatics and data protection in healthcare but does not pertain to the measurement of an ISMS.

Thus, ISO 27004 stands out as the standard uniquely dedicated to guiding organizations in assessing the success and performance of their ISMS through appropriate metrics and evaluation techniques.