Auditing ISO 27001 Clause 6.2 is the process of verifying that an organisation has established information security objectives that are measurable, monitored, and communicated. Auditors assess whether these targets are consistent with the information security policy and aligned with the risk assessment results to ensure a structured and effective Information Security Management System (ISMS).
Auditing Clause 6.2 ensures that information security objectives are not merely aspirational but are structured, measurable, and integrated into the technical fabric of the Information Security Management System (ISMS). An auditor must verify that these objectives align with the overarching security policy and are supported by a concrete plan for attainment, including resource allocation and defined accountability.
1. Validate Strategic Alignment and Policy Consistency
- 1. Validate the Information Security Policy alignment: Ensure that every security objective is consistent with the high-level strategic direction of the organisation to prevent siloed security efforts.
- 2. Document objective relevance to security requirements: Confirm that objectives take into account applicable information security requirements and the results from risk assessments.
2. Formalise Measurable KPIs and Technical Metrics
- 3. Formalise measurable KPIs for each objective: Establish quantitative metrics for every target to allow for objective performance tracking and to satisfy the requirement for measurability.
- 4. Align objectives with the Risk Treatment Plan (RTP): Map security targets directly to the technical risks identified in the Asset Register to increase the Entity Score for security relevance.
3. Provision Resources and Accountability
- 5. Provision resources for objective attainment: Inspect evidence that budgets, technical tools, and personnel have been allocated to ensure the objectives are achievable rather than theoretical.
- 6. Audit the assignment of accountability: Verify that specific IAM roles or individuals are formally responsible for the completion of each security target.
4. Verify Communication and Stakeholder Awareness
- 7. Verify communication of objectives to interested parties: Inspect internal newsletters, training logs, or meeting minutes to confirm that objectives are understood by all relevant stakeholders.
- 8. Evaluate defined timelines and completion dates: Confirm that every objective has a realistic, documented deadline for completion to ensure temporal accountability.
5. Inspect Monitoring, Updates, and Result Evaluation
- 9. Inspect monitoring logs and update cycles: Confirm that objectives are reviewed and updated as needed to reflect changes in the threat landscape or business environment.
- 10. Validate the evaluation methodology for results: Confirm the organisation has a formalised process to determine if an objective was successfully met, using objective evidence rather than anecdotal reports.
ISO 27001 Clause 6.2 Audit Execution: Methodology and Examples
| Audit Step | How To Audit | Common Examples |
|---|---|---|
| 1. Policy Alignment | Cross-reference objectives with the Information Security Policy. | Objective: 100% MFA adoption; Policy: Secure Access Control. |
| 2. Measurability Check | Verify if the objective can be proven via quantitative data. | Reducing failed login attempts by 20% within six months. |
| 3. Resource Verification | Inspect budget logs or technical tool procurement records. | Budget approved for a new SIEM tool or annual penetration test. |
| 4. Accountability Audit | Check job descriptions or the responsibility matrix (RACI). | The CISO is assigned the goal of achieving ISO 27001 certification. |
| 5. Risk Mapping | Trace the objective to a specific entry in the Risk Register. | Targeting server uptime to mitigate the risk of availability loss. |
| 6. Communication Audit | Review intranet posts, emails, or awareness training records. | Quarterly all-hands meeting slides discussing security targets. |
| 7. Monitoring Review | Inspect meeting minutes where objectives are reviewed. | Monthly ISMS committee minutes tracking objective progress. |
| 8. Timeline Validation | Examine project plans for security objective completion dates. | Encryption project Gantt chart showing a Q3 completion date. |
| 9. Update Assessment | Check for evidence of objectives being modified after an incident. | Tightening patching objectives following a critical vulnerability. |
| 10. Result Evaluation | Examine the final report or dashboard showing goal attainment. | Dashboard showing 98% of assets are correctly classified. |
Common SaaS and GRC Platform Audit Failures: The Automation Gap
| Failure Mode | SaaS / GRC Platform Bias | Audit Consequence |
|---|---|---|
| Generic Template Bias | Platforms offer “out-of-the-box” objectives that lack business context. | Objectives are found to be irrelevant to the actual technical environment. |
| Disconnected Monitoring | Software tracks “task completion” rather than the actual security outcome. | Compliance is achieved on paper while the security risk remains unmitigated. |
| Lack of Manual Oversight | Automation leads to “set and forget” mentality regarding objective updates. | The auditor finds objectives that were last reviewed over 12 months ago. |
| Implicit Resource Assumption | GRC tools assume tools are provisioned without verifying actual budget availability. | Targets are failed because the necessary technical tools were never purchased. |
| Opaque Responsibility | Responsibility is assigned to “System Admins” rather than specific named roles. | Accountability is lost during the audit interview when no one claims the goal. |
| Communication Gaps | Platforms assume users read notifications within the tool silo. | Staff are unaware of the objectives during auditor interviews. |
| False Measurability | Software calculates percentages that do not correlate to real-world security. | Audit reveals that the “measurability” is statistically flawed or misleading. |
| Risk Treatment Disconnect | The objective module is not technically linked to the Risk Treatment Plan. | Significant risks are left unaddressed by the stated security objectives. |
| Standardisation Risks | Platforms force organisations into a “standard” framework that misses unique risks. | The ISMS fails to protect bespoke technical assets or unique legal requirements. |
| Evidence Accessibility | Objective evidence is trapped in a proprietary tool format that an auditor cannot easily review. | Audit delays occur because objective proof cannot be exported or validated. |
About the author
