Base Measure

What is a Base Measure?

A base measure is a fundamental security value obtained directly by measuring a specific attribute of a process or information asset. The primary implementation requirement is the formal identification and quantification of foundational raw data; the business benefit is objective performance monitoring, informed risk prioritisation, and ISO 27001 compliance.

What is a Base Measure?

A base measure is a fundamental security control or action implemented to protect an organisation’s information assets. Think of it as a foundational or essential building block of a security system. These are not just best practices, but rather the initial steps taken to create a secure environment, often addressing the most critical risks first. They form the bedrock of a strong Information Security Management System (ISMS) and are crucial for ensuring the confidentiality, integrity, and availability of information.

Examples

  • Data Classification: Categorising data based on its sensitivity (e.g., public, internal, confidential) to ensure appropriate controls are applied.
  • Incident Response Plan: A documented procedure for handling security breaches to minimise their impact and ensure a swift recovery.
  • Regular Security Awareness Training: Ensuring all employees understand security risks and their responsibilities in protecting information.
  • Access Control Policies: Defining who can access which assets and under what conditions.

Context

Base measures are a key element in aligning with the requirements of ISO 27001. By identifying and implementing these measures, an organisation can effectively mitigate risks, improve its overall security posture, and prioritise its security efforts.

How to implement Base Measure

Implementing base measures is a fundamental requirement for complying with the monitoring and measurement aspects of ISO 27001 Clause 9.1. As a Lead Auditor, I look for raw, verifiable data points that provide the objective evidence necessary to calculate more complex performance metrics. Following this technical roadmap will ensure your Information Security Management System (ISMS) captures high-quality data that results in actionable security insights and a robust audit trail.

1. Identification and Attribute Categorisation

  • 1. Identify Security Attributes: Select specific properties of a security process or information asset to quantify, resulting in clear, objective data points for Clause 9.1 monitoring.
  • 2. Formalise Measurement Methods: Define the exact procedures and units of measure for data extraction, ensuring consistency and repeatability across all subsequent audit cycles.

2. Asset Alignment and Measurement Frequency

  • 3. Update the Asset Register: Align every base measure with a specific asset or service, providing a direct link between security controls and their operational performance.
  • 4. Establish Data Collection Frequency: Determine the capture intervals for raw data, resulting in a trend analysis that identifies security risks before they impact the organisation.

3. Governance, IAM Roles, and Documentation

  • 5. Define IAM Roles for Reporting: Restrict access to sensitive measurement data using specific Identity and Access Management roles, ensuring the integrity and confidentiality of your security reporting.
  • 6. Document Rules of Engagement for Metrics: Create a formal Rules of Engagement (ROE) document for staff, standardising how events or incidents are counted to prevent skewed results.

4. Technical Execution and Automation

  • 7. Provision Automated Counting Tools: Use technical scripts or system monitoring software to capture raw counts, resulting in high-precision data that eliminates the risk of human error.

5. Data Integrity and Security Verification

  • 8. Audit Raw Data Integrity: Perform regular verification checks on your raw numbers, ensuring that the source data matches the figures presented in management reviews.
  • 9. Implement Secure Storage for Logs: Protect raw measurement logs from unauthorised modification, resulting in a tamper-proof audit trail for Stage 1 and Stage 2 assessments.

6. ISMS Review and Continuous Improvement

  • 10. Review and Refine Measures: Evaluate the relevance of your data points annually, ensuring your ISMS continues to provide meaningful insights for continuous improvement.

Base Measure FAQ

What is a base measure in the context of ISO 27001?

A base measure is a single, fundamental value obtained directly by measuring a specific attribute of an information security process or asset. It requires no other measures for its definition and serves as the raw data input for 100% of the more complex derived measures and performance indicators used within an ISMS.

How does a base measure differ from a derived measure?

A base measure is a raw count or observation, whereas a derived measure is a functional relationship between two or more values. For example, the count of failed login attempts is a base measure; the percentage of failed logins relative to total attempts is the derived measure. Auditors report that 85% of ISMS measurement failures stem from poorly defined base measures.
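As an added example (not from the page or the author's toolkits), the following Python script works through steps 7 to 9 of the roadmap and the base/derived distinction above on constructed sshd-style log lines: it counts failed and successful logins as base measures, computes the failed-login percentage as the derived measure, and stores each measurement record in a hash chain so an integrity audit can detect a modified count. The log format, field names, reporting periods and the SHA-256 chaining scheme are assumptions, not anything the page prescribes.

```python
import hashlib
import json
import re

# Constructed sshd-style sample lines (not from the page); only OpenSSH's Accepted/Failed wording is real.
SAMPLE_LOG = """\
Mar 10 08:01:12 bastion sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar 10 08:02:40 bastion sshd[2214]: Failed password for bob from 10.0.0.9 port 50130 ssh2
Mar 10 08:02:44 bastion sshd[2214]: Failed password for bob from 10.0.0.9 port 50130 ssh2
Mar 10 08:03:01 bastion sshd[2220]: Failed password for invalid user admin from 10.0.0.9 port 50140 ssh2
Mar 10 08:05:17 bastion sshd[2230]: Accepted password for bob from 10.0.0.9 port 50151 ssh2
Mar 10 08:06:00 bastion cron[2240]: (root) CMD (run-parts /etc/cron.hourly)
"""
LOGIN_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?\S+ from \S+")
GENESIS_HASH = "0" * 64  # prev_hash of the first record in a chain (assumed convention)

def base_measures(log_text: str) -> dict:
    """Step 7: automated raw counts; each value is a base measure (a direct observation)."""
    counts = {"successful_logins": 0, "failed_logins": 0}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m is None:  # non-auth lines (cron etc.) are outside the measurement method
            continue
        counts["successful_logins" if m.group(1) == "Accepted" else "failed_logins"] += 1
    counts["total_attempts"] = counts["successful_logins"] + counts["failed_logins"]
    return counts

def derived_measures(base: dict) -> dict:
    """Derived measure = function of base measures; an empty window yields NaN, not a false 0%."""
    total = base["total_attempts"]
    pct = round(100.0 * base["failed_logins"] / total, 2) if total else float("nan")
    return {"failed_login_pct": pct}

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_measurement(base: dict, period: str, prev_hash: str) -> dict:
    """Step 9: hash-chain each raw record so altering a stored count breaks every later link."""
    body = {"period": period, "base": base, "prev_hash": prev_hash}
    return {**body, "hash": _digest(body)}

def verify_chain(records: list) -> bool:
    """Step 8: integrity audit; recompute every hash and check each link back to genesis."""
    prev = GENESIS_HASH
    for rec in records:
        body = {k: rec[k] for k in ("period", "base", "prev_hash")}
        if rec["prev_hash"] != prev or rec["hash"] != _digest(body):
            return False
        prev = rec["hash"]
    return True
```

On the sample lines this yields 2 successful and 3 failed logins (total 5), a derived failure rate of 60%, and a chain that verifies until any stored count is altered.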

What are common examples of base measures in information security?

Common examples of base measures include raw tallies or status checks such as:

  • The total number of servers in the Asset Register.
  • The count of security incidents reported in a 30-day period.
  • The number of employees who have completed 100% of their mandatory security training.
  • The number of critical vulnerabilities identified in a single scan.

Why are base measures critical for ISO 27001 compliance?

Base measures provide the objective evidence required by Clause 9.1 for monitoring, measurement, and evaluation. Without accurate base measures, an organisation cannot calculate the Return on Investment (ROI) for security controls, which averages a 25% improvement in resilience when measured correctly. They ensure that the effectiveness of the ISMS is based on factual data rather than subjective estimates.

What is the best way to collect base measures accurately?

Base measures should be collected through automated, repeatable processes to minimise human error. Organisations that automate their data collection see a 40% reduction in audit findings related to data integrity. Ensure that the measurement method is documented in the ISMS measurement framework to provide a consistent audit trail for the Lead Auditor.


About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
