Navigating the landscape of ISO 27001 can often feel like a complex compliance exercise. However, at its core, the standard is a framework for building a robust and effective security program. Clause 6.2, which deals with “Information security objectives and planning to achieve them,” is a perfect example of this.
In simple terms, this clause is about setting clear, meaningful goals for your organisation’s information security. It’s not just about ‘ticking a box’ for an audit; it’s about defining what success looks like for protecting your valuable information assets and aligning your security efforts with the strategic direction of your business.
What is ISO 27001 Clause 6.2? A Plain English Breakdown
Before you can effectively implement Clause 6.2, it’s crucial to understand exactly what it requires, cutting through the jargon of the standard. This section provides a clear breakdown of the clause’s mandate and purpose.
The ISO 27001 standard formally defines the requirements for Clause 6.2. The mandate is best understood in two parts. The first part outlines the mandatory qualities of the objectives themselves:
ISO 27001 Clause 6.2: Information Security Objectives and Planning to Achieve Them
The organisation shall establish information security objectives at relevant functions and levels. The information security objectives shall:
- a) be consistent with the information security policy;
- b) be measurable (if practicable);
- c) take into account applicable information security requirements, and risk assessment and risk treatment results;
- d) be monitored;
- e) be communicated;
- f) be updated as appropriate;
- g) be available as documented information.
The second part of the clause details what must be included in the plan to achieve them:
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organisation shall determine:
- h) what will be done;
- i) what resources will be required;
- j) who will be responsible;
- k) when it will be completed; and
- l) how the results will be evaluated.
The primary purpose of this clause is to ensure your Information Security Management System (ISMS) has a clear direction. It forces an organisation to articulate why it has an information security management system: what it wants the ISMS to achieve and how it will get there. This ensures the ISMS is aligned with business needs and that its effectiveness can be tracked over time.
The ISO 27001:2022 update introduced minor changes to this clause, mostly focused on clarity. The update explicitly requires that objectives must be “monitored” and made “available as documented information,” formalising practices that were previously implied.
Ultimately, these objectives serve as the strategic compass for your entire security program, guiding decisions and resource allocation.
The Strategic Importance of Well-Defined Security Objectives
Setting information security objectives should not be viewed as a mere compliance task. It is a fundamental business activity that aligns security efforts with organisational success, helps manage risk effectively, and provides a clear benchmark for performance. By defining what you want to achieve, you transform your ISMS from a passive set of controls into an active driver of business value.
The core benefits of properly implementing Clause 6.2 include:
- Strategic Alignment: Objectives ensure the ISMS supports broader business goals rather than operating in a silo. They answer critical questions like, “Why are customers buying from us, and what would they worry about going wrong?” This connects security directly to customer confidence and organisational strategy.
- Improved Security Posture: By linking objectives to the results of your risk assessment, you focus finite resources on mitigating the most relevant threats and vulnerabilities, leading to a more efficient and effective security posture.
- Effective Performance Measurement: Without defined objectives, it is impossible to know if your ISMS is actually working or adding value. Clear, measurable goals provide the basis for evaluating performance, demonstrating progress, and driving continual improvement.
- Demonstrable Compliance: Documented objectives and the plans to achieve them are critical evidence for an ISO 27001 audit. They show an auditor that your ISMS is a well-managed, living system with clear intent and direction.
- Enhanced Reputation: Successfully achieving security objectives helps prevent incidents and breaches. This protects your business reputation and safeguards the people, customers, and partners who entrust you with their information, reinforcing why they chose to do business with you in the first place.
Understanding these benefits is the first step; the next is to translate this strategic ‘why’ into a practical ‘how’.
A Step-by-Step Guide to Implementing Clause 6.2
Implementing Clause 6.2 is a logical and manageable process. It moves from high-level strategic goals to detailed operational plans and ongoing monitoring. This four-step guide breaks down the process into actionable stages, infused with practical, in-the-trenches advice.
Step 1: Establish Your Objectives
The first step is to define what you want to achieve. A common approach, and one I strongly recommend for most organisations, is to start with a single, high-level objective for information security.
A practical example of a powerful, high-level objective is:
“To help prevent or minimise the impact of information security incidents or breaches to protect our business, reputation and to safeguard our people.”
Here’s a practical tip to save you time: While you can create more detailed, operational objectives for specific controls or departments, in my experience this often isn’t necessary and doesn’t add sufficient value for the effort involved. For most organisations, a single high-level objective is enough to provide clear direction. A best practice is to place this high-level objective directly within your Information Security Policy document for maximum visibility and authority.
Step 2: Make Your Objectives Measurable (If Practicable)
The standard requires objectives to be “measurable (if practicable).” The SMART (Specific, Measurable, Achievable, Relevant, Time-bound) framework is a popular guide for this. However, a common pitfall is letting the framework dictate your strategy. From my experience, people often end up choosing objectives that they can easily make SMART, rather than objectives that are genuinely important.
The primary goal is to choose meaningful objectives first. SMART is a tool, not a straitjacket. For instance, a personal objective like “Keep my wife happy” is critically important, but it doesn’t fit neatly into the SMART framework. Don’t discard an important goal just because it’s hard to quantify perfectly.
That said, where possible, measurement provides clarity. A practical example for a cloud service provider could be:
- Objective: Ensure the reliability and availability of our cloud service.
- Measure: Achieve a minimum of 99.5% service availability.
- Evaluation: Measured monthly against system uptime logs.
Step 3: Create a Plan to Achieve Your Objectives
Once your objectives are set, ISO 27001 requires a documented plan that details how you will achieve them. For each objective, you must determine the specifics outlined in points h-l of the clause. This is easily captured in a simple document or spreadsheet.
| Planning Requirement | Practical Explanation |
|---|---|
| What will be done? | A sentence or two describing the specific actions or tasks. For a high-level objective, this might reference the implementation of the entire ISMS control set. |
| What resources will be required? | Brief, high-level notes are sufficient. Focus on key categories like people (e.g., specific team roles), budget, and time commitment. |
| Who will be responsible? | The name of the specific person accountable for the objective (e.g., the Chief Information Security Officer). |
| When will it be completed? | A target completion date. Crucially, as many objectives are ongoing, ‘Ongoing’ is a valid entry. Do not feel pressured by auditors to assign an arbitrary end-date to a continuous process. |
| How will the results be evaluated? | A brief description of how you will check whether the objective is being met. This could be through internal audits, management reviews, and monitoring of specific KPIs. |
Step 4: Document, Communicate, and Monitor
The final step involves formalising and managing the objectives over their lifecycle.
- Document: Your objectives and plans should be formally recorded in a dedicated document, such as an “Information Security Objectives” register.
- Communicate: The objectives must be communicated to relevant staff and interested parties. This can be done through your Information Security Policy, as part of regular management review meetings, or via a formal communication plan.
- Monitor: Objectives are not static. They follow a lifecycle: Establish -> Plan -> Monitor -> Evaluate -> Update. They should be reviewed regularly (at least annually) to ensure they remain relevant and appropriate, and updated as business needs or the risk landscape changes.
Preparing for Your Audit: What the Auditor Will Check
Having well-defined objectives is one thing; proving their effectiveness during an audit is another. This section provides a crucial checklist of what an ISO 27001 auditor will look for to ensure your hard work translates into a successful audit outcome.
An auditor will verify that your objectives are not just theoretical but are embedded in the operation of your ISMS. Be prepared to provide evidence for the following:
- Documented Objectives and Plans: The first thing an auditor will ask for is the documented objectives and the corresponding plans to achieve them. This is the primary evidence that you have fulfilled the core requirement of the clause.
- Alignment with Business & Policy: Auditors will verify that your objectives are consistent with your main Information Security Policy and aligned with broader business goals. They want to see that objectives are relevant and supported by senior leadership, not created in an information security silo.
- Measurability and Evaluation: The auditor will check if your objectives are measurable (where practicable) and if you have a defined process for evaluating the results. Be ready to show the metrics or KPIs you use and the data you collect to track them.
- Evidence of Monitoring and Response: Auditors will look for more than just tracking; they will scrutinise your response when objectives are not met. Be prepared to show meeting minutes, action plans, or corrective actions that demonstrate your commitment to continual improvement. This is key evidence that your ISMS is a learning, adapting system.
- Awareness: An auditor may interview various staff and managers to confirm that they are aware of the information security objectives relevant to their roles and responsibilities. This ensures the objectives have been effectively communicated and are part of the organisational culture.
Conclusion: Moving Beyond Compliance to Effective Security
Ultimately, ISO 27001 Clause 6.2 is far more than a procedural hurdle. It is a powerful tool for driving tangible security improvements and demonstrating business value. By setting meaningful, business-focused objectives, creating practical plans to achieve them, and consistently monitoring your progress, your organisation can build an Information Security Management System that is not only compliant with the standard but is truly effective at protecting what matters most.
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.