High Table ISO 27001 Logo

ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them

Home / ISO 27001 Clauses / ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them
ISO 27001 Clause 6.2 Information Security Objectives And Planning To Achieve Them Certification Guide

In this ultimate guide to ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them you will learn

  • What is ISO 27001 Clause 6.2?
  • How to implement ISO 27001 Clause 6.2
  • Example Objectives
  • How to write information security objectives

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

Table of contents

What is ISO 27001 Clause 6.2?

ISO 27001 Clause 6.2 is an ISO 27001 control that requires you to establish information security objectives.

Those objectives should be established at relevant functions and levels in the organisation.

This ISO 27001 clause is all about information security objectives and planning to meet those objectives.

ISO 27001 Clause 6.2 Purpose

The purpose of ISO 27001 Clause 6.2 is to make sure that you know what you want your information security management system (ISMS) to achieve and how you will go about doing it.

The purpose here is to have an effective information security management system (ISMS) that meets the needs of the organisation.

ISO 27001 Clause 6.2 Definition

The ISO 27001 standard defines clause 6.2 as:

The organisation shall establish information security objectives at relevant functions and levels. The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and risk assessment and risk treatment results;
d) be monitored
e) be communicated
f) be updated as appropriate.
g) be available as documented information
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organisation shall determine;
h ) what will be done;
i) what resources will be required;
j) who will be responsible;
k) when it will be completed; and
l) how the results will be evaluated.

ISO 27001:2022 Clause 6.2 Information Security Objectives and Planning to Achieve Them

What are the ISO 27001:2022 Changes to Clause 6.2?

ISO 27001 clause 6.2 had minor changes in the 2022 update with the changes being focussed on clarity.

It introduced that information security objectives should be monitored and be available as documented information. This was always implied but is made explicit.

As a result the numbering of the sub parts shifted but this is not material.

ISO 27001 Clause 6.2 Implementation Guide

Write Objectives Consistent with the Information Security Policy

Objectives that you write for the information security management system have to be consistent with the information security policy. Making sure that they are documented in the information security policy so that everyone knows what they are. We do not want a conflict between what the information security policy sets out and what the objectives actually are. They must align.

Write Measurable Objectives

Information Security Objectives have to be measurable. A great way to think about how to measure an objective is to write it in a way that follows the SMART structure. Objectives should be

  • Specific
  • Measurable
  • Achievable
  • Realistic
  • Timely

There is no point in having an objective if you cannot measure it.

Implement Risk Based Information Security Objectives

ISO 27001 is a risk based information security management system. We take into account he the applicable information security requirements, and risk assessment and risk treatment results.

We covered ISO 27001 Clause 6.1.2 Information Security Risk Assessment and ISO 27001 Clause 6.1.3 Information Security Risk Treatment.

The risks that form part of this will inform our information security objectives.

Communicate the Information Security Objectives

We communicate our information security objectives in a number of ways. We include them in our information security policy. We include them and track them in our Management Review Team Meeting. We may send out additional communications as part of our ISO 27001 Communication Plan.

Review and Update Information Security Objectives

The information security objectives are not static. Objectives change over time. We continually assess ourselves and our information security management system for relevance. If things change then we update our objectives. At least annually we will take a look at our objectives and review if they are still relevant and make the appropriate changes.

ISO 27001 Templates

ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.

These individual templates help meet the specific requirements of ISO 27001 clause 6.2

ISO 27001 Information Security Policy Template
ISO 27001 Management Review Team Meeting Agenda Template
ISO 27001 Risk Register Template

DO IT YOURSELF ISO 27001

All the templates, tools, support and knowledge you need to do it yourself.

The Ultimate ISO 27001 Toolkit
ISO 27001 Toolkit Business Edition

ISO 27001 Clause 6.2 Youtube Tutorial

Watch the ISO 27001 Clause 6.2 – How to implement ISO 27001 Clause 6.2 Information Security Objectives

How to pass an audit of ISO 27001 Clause 6.2

To pass an audit of ISO 27001 Clause 6.2 you are going to:

  • Understand the requirements of your information security management system (ISMS)
  • Write objectives that meet those requirements
  • Write a plan that shows how you meet and assess those objectives
  • Document your objectives
  • Communicate the objectives
  • Monitor your progress against the objectives
  • Review and update objectives as required

What the auditor will check

The auditor is going to check a number of areas for compliance with Clause 6.2. Lets go through them

1. That you have documented objectives

The main evidence the auditor will look at is that the objectives are documented. This documentation will include not only what the objectives are but how they will be achieved, by who, by when and how you will measure the success and effectiveness of those objectives.

2. That your objectives are aligned with the business objectives

Here they are looking to see that the objectives were agreed and signed off by senior leadership. Are the objectives created in isolation by the information security manager or are they part of a wholistic approach to managing the organisation.

3. That you monitor, measure and reactive to objectives

This about showing that objectives are tracked and communicated. Are they part of the operation of the business or something dusted off for audit? They want to see that they are tracked and discussed and that if change is required that the continual improvement process is implemented to react to required changes.

They want to see what you do and did if you are not meeting your objectives.

ISO 27001 Clause 6.2 FAQ

What is ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them?

The ISO 27001 standard requires an organisation to establish and maintain information objectives that are based on risk and the needs of the business. It expects a plan on how to achieve the objectives as well as appropriate measures.

Why is ISO 27001 Clause 6.2 important?

ISO 27001 Clause 6.2 is important because we need to understand why we have an information security management system (ISMS) and what we want it to achieve. The ISMS does not exist in a vacuum. It is designed to make the organisation more secure but not at the expense of the success of the organisation. It has to be aligned with the organisation’s commercial objectives. If we do not set goals and objectives for the ISMS it is unlikely to be successful or add value or be effective.

How do you measure information security objectives?

Information security objectives should be Specific, Measurable, Achievable, Realistic and Timely (SMART). You define the objective and then define the measures that are the characteristics of the objective.

Are ISO 27001 information security objectives based on risk?

Yes, ISO 27001 information security objectives are based on risk. ISO 27001 is a risk based management system.

Where can I download ISO 27001 Clause 6.2 templates?

You can download ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them templates in the ISO 27001 Toolkit.

ISO 27001 Clause 6.2 example

An example of ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them template can be found in the ISO 27001 Toolkit.

Who is responsible for ISO 27001 Clause 6.2?

Senior management are responsible for ensuring that ISO 27001 Clause 6.2 is implemented and maintained.

What are the benefits of ISO 27001 Clause 6.2?

Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Clause A 6.2:
Improved security: You will have an effective information security management system that address people’s needs
Reduced risk: You will reduce the risk to your information security management system by identifying relevant people, their needs and addressing them
Improved compliance: Standards and regulations require you to understand the objectives and goals of your management system
Reputation Protection: In the event of a breach having effectively managed risks to the management system will reduce the potential for fines and reduce the PR impact of an event