Information security needs to have objectives that set out what the information security management system hopes to achieve. This is the ‘why’ you have an information security management system.
In this ultimate guide to ISO 27001:2022 Clause 6.2 Information Security Objectives and Planning to Achieve Them you will learn
- What ISO 27001 Clause 6.2 is
- How to implement it
- How to write information security objectives
- Example Objectives
Table of contents
What is ISO 27001 Clause 6.2?
ISO 27001 Clause 6.2 is an ISO 27001 control that requires you to establish information security objectives.
Those objectives should be established at relevant functions and levels in the organisation.
This ISO 27001 clause is all about information security objectives and planning to meet those objectives.
Purpose
The purpose of ISO 27001 Clause 6.2 is to make sure that you know what you want your information security management system (ISMS) to achieve and how you will go about doing it.
The purpose here is to have an effective information security management system (ISMS) that meets the needs of the organisation.
Definition
The ISO 27001 Standard defines ISO 27001:2022 clause 6.2 as:
The organisation shall establish information security objectives at relevant functions and levels. The information security objectives shall:
ISO 27001:2022 Clause 6.2 Information Security Objectives and Planning to Achieve Them
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and risk assessment and risk treatment results;
d) be monitored
e) be communicated
f) be updated as appropriate.
g) be available as documented information
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organisation shall determine;
h ) what will be done;
i) what resources will be required;
j) who will be responsible;
k) when it will be completed; and
l) how the results will be evaluated.
What are the ISO 27001:2022 Changes to Clause 6.2?
ISO 27001 clause 6.2 had minor changes in the 2022 update with the changes being focussed on clarity.
It introduced that information security objectives should be monitored and be available as documented information. This was always implied but is made explicit.
As a result the numbering of the sub parts shifted but this is not material.
Implementation Guide
Write Objectives Consistent with the Information Security Policy
Objectives that you write for the information security management system have to be consistent with the information security policy. Making sure that they are documented in the information security policy so that everyone knows what they are. We do not want a conflict between what the information security policy sets out and what the objectives actually are. They must align.
Write Measurable Objectives
Information Security Objectives have to be measurable. A great way to think about how to measure an objective is to write it in a way that follows the SMART structure. Objectives should be
- Specific
- Measurable
- Achievable
- Realistic
- Timely
There is no point in having an objective if you cannot measure it.
Implement Risk Based Information Security Objectives
ISO 27001 is a risk based information security management system. We take into account he the applicable information security requirements, and risk assessment and risk treatment results.
We covered ISO 27001 Clause 6.1.2 Information Security Risk Assessment and ISO 27001 Clause 6.1.3 Information Security Risk Treatment.
The risks that form part of this will inform our information security objectives.
Communicate the Information Security Objectives
We communicate our information security objectives in a number of ways. We include them in our information security policy. We include them and track them in our Management Review Team Meeting. We may send out additional communications as part of our ISO 27001 Communication Plan.
Review and Update Information Security Objectives
The information security objectives are not static. Objectives change over time. We continually assess ourselves and our information security management system for relevance. If things change then we update our objectives. At least annually we will take a look at our objectives and review if they are still relevant and make the appropriate changes.
ISO 27001 Templates
ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.
These individual templates help meet the specific requirements of ISO 27001 clause 6.2
ISO 27001 Clause 6.2 Training Video
Watch the ISO 27001 Clause 6.2 – How to implement ISO 27001 Clause 6.2 Information Security Objectives
How to pass an audit
To pass an audit of ISO 27001 Clause 6.2 you are going to:
- Understand the requirements of your information security management system (ISMS)
- Write objectives that meet those requirements
- Write a plan that shows how you meet and assess those objectives
- Document your objectives
- Communicate the objectives
- Monitor your progress against the objectives
- Review and update objectives as required
What the auditor will check
The auditor is going to check a number of areas for compliance with Clause 6.2. Lets go through them
1. That you have documented objectives
The main evidence the auditor will look at is that the objectives are documented. This documentation will include not only what the objectives are but how they will be achieved, by who, by when and how you will measure the success and effectiveness of those objectives.
2. That your objectives are aligned with the business objectives
Here they are looking to see that the objectives were agreed and signed off by senior leadership. Are the objectives created in isolation by the information security manager or are they part of a wholistic approach to managing the organisation.
3. That you monitor, measure and reactive to objectives
This about showing that objectives are tracked and communicated. Are they part of the operation of the business or something dusted off for audit? They want to see that they are tracked and discussed and that if change is required that the continual improvement process is implemented to react to required changes.
They want to see what you do and did if you are not meeting your objectives.
FAQ
The ISO 27001 standard requires an organisation to establish and maintain information objectives that are based on risk and the needs of the business. It expects a plan on how to achieve the objectives as well as appropriate measures.
ISO 27001 Clause 6.2 is important because we need to understand why we have an information security management system (ISMS) and what we want it to achieve. The ISMS does not exist in a vacuum. It is designed to make the organisation more secure but not at the expense of the success of the organisation. It has to be aligned with the organisation’s commercial objectives. If we do not set goals and objectives for the ISMS it is unlikely to be successful or add value or be effective.
Information security objectives should be Specific, Measurable, Achievable, Realistic and Timely (SMART). You define the objective and then define the measures that are the characteristics of the objective.
Yes, ISO 27001 information security objectives are based on risk. ISO 27001 is a risk based management system.
You can download ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them template can be found in the ISO 27001 Toolkit.
Senior management are responsible for ensuring that ISO 27001 Clause 6.2 is implemented and maintained.
Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Clause A 6.2:
Improved security: You will have an effective information security management system that address people’s needs
Reduced risk: You will reduce the risk to your information security management system by identifying relevant people, their needs and addressing them
Improved compliance: Standards and regulations require you to understand the objectives and goals of your management system
Reputation Protection: In the event of a breach having effectively managed risks to the management system will reduce the potential for fines and reduce the PR impact of an event