In this ultimate how to audit guide to ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them, you will learn directly from an ISO 27001 Lead Auditor:
- 5 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Validate Strategic Alignment and Policy Consistency
- 2. Formalise Measurable KPIs and Technical Metrics
- 3. Provision Resources and Accountability
- 4. Verify Communication and Stakeholder Awareness
- 5. Inspect Monitoring, Updates, and Result Evaluation
- ISO 27001 Clause 6.2 Audit Execution: Methodology and Examples
- Common SaaS and GRC Platform Audit Failures: The Automation Gap
Auditing ISO 27001 Clause 6.2 is the process of verifying that an organisation has established information security objectives that are measurable, monitored, and communicated. Auditors assess whether these targets are consistent with the information security policy and aligned with the risk assessment results to ensure a structured and effective Information Security Management System (ISMS).
Auditing Clause 6.2 ensures that information security objectives are not merely aspirational but are structured, measurable, and integrated into the technical fabric of the Information Security Management System (ISMS). An auditor must verify that these objectives align with the overarching security policy and are supported by a concrete plan for attainment, including resource allocation and defined accountability.
1. Validate Strategic Alignment and Policy Consistency
- Validate the Information Security Policy alignment: Ensure that every security objective is consistent with the high-level strategic direction of the organisation to prevent siloed security efforts.
- Document objective relevance to security requirements: Confirm that objectives take into account applicable information security requirements and the results from risk assessments.
2. Formalise Measurable KPIs and Technical Metrics
- Formalise measurable KPIs for each objective: Establish quantitative metrics for every target to allow for objective performance tracking and to satisfy the requirement for measurability.
- Align objectives with the Risk Treatment Plan (RTP): Map security targets directly to the technical risks identified in the Asset Register to increase the Entity Score for security relevance.
3. Provision Resources and Accountability
- Provision resources for objective attainment: Inspect evidence that budgets, technical tools, and personnel have been allocated to ensure the objectives are achievable rather than theoretical.
- Audit the assignment of accountability: Verify that specific IAM roles or individuals are formally responsible for the completion of each security target.
