ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them

Home / ISO 27001 Clauses / ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them

Information security needs to have objectives that set out what the information security management system hopes to achieve. This is the ‘why’ you have an information security management system.

In this ultimate guide to ISO 27001:2022 Clause 6.2 Information Security Objectives and Planning to Achieve Them you will learn

  • What ISO 27001 Clause 6.2 is
  • How to implement it
  • How to write information security objectives
  • Example Objectives

What is ISO 27001 Clause 6.2?

ISO 27001 Clause 6.2 is an ISO 27001 control that requires you to establish information security objectives.

Those objectives should be established at relevant functions and levels in the organisation.

This ISO 27001 clause is all about information security objectives and planning to meet those objectives.

Purpose

The purpose of ISO 27001 Clause 6.2 is to make sure that you know what you want your information security management system (ISMS) to achieve and how you will go about doing it.

The purpose here is to have an effective information security management system (ISMS) that meets the needs of the organisation.

Definition

The ISO 27001 Standard defines ISO 27001:2022 clause 6.2 as:

The organisation shall establish information security objectives at relevant functions and levels. The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and risk assessment and risk treatment results;
d) be monitored
e) be communicated
f) be updated as appropriate.
g) be available as documented information
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organisation shall determine;
h ) what will be done;
i) what resources will be required;
j) who will be responsible;
k) when it will be completed; and
l) how the results will be evaluated.

ISO 27001:2022 Clause 6.2 Information Security Objectives and Planning to Achieve Them

What are the ISO 27001:2022 Changes to Clause 6.2?

ISO 27001 clause 6.2 had minor changes in the 2022 update with the changes being focussed on clarity.

It introduced that information security objectives should be monitored and be available as documented information. This was always implied but is made explicit.

As a result the numbering of the sub parts shifted but this is not material.

Implementation Guide

Write Objectives Consistent with the Information Security Policy

Objectives that you write for the information security management system have to be consistent with the information security policy. Making sure that they are documented in the information security policy so that everyone knows what they are. We do not want a conflict between what the information security policy sets out and what the objectives actually are. They must align.

Write Measurable Objectives

Information Security Objectives have to be measurable. A great way to think about how to measure an objective is to write it in a way that follows the SMART structure. Objectives should be

  • Specific
  • Measurable
  • Achievable
  • Realistic
  • Timely

There is no point in having an objective if you cannot measure it.

Implement Risk Based Information Security Objectives

ISO 27001 is a risk based information security management system. We take into account he the applicable information security requirements, and risk assessment and risk treatment results.

We covered ISO 27001 Clause 6.1.2 Information Security Risk Assessment and ISO 27001 Clause 6.1.3 Information Security Risk Treatment.

The risks that form part of this will inform our information security objectives.

Communicate the Information Security Objectives

We communicate our information security objectives in a number of ways. We include them in our information security policy. We include them and track them in our Management Review Team Meeting. We may send out additional communications as part of our ISO 27001 Communication Plan.

Review and Update Information Security Objectives

The information security objectives are not static. Objectives change over time. We continually assess ourselves and our information security management system for relevance. If things change then we update our objectives. At least annually we will take a look at our objectives and review if they are still relevant and make the appropriate changes.

ISO 27001 Templates

ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.

These individual templates help meet the specific requirements of ISO 27001 clause 6.2

ISO 27001 Toolkit

ISO 27001 Clause 6.2 Training Video

Watch the ISO 27001 Clause 6.2 – How to implement ISO 27001 Clause 6.2 Information Security Objectives

How to pass an audit

To pass an audit of ISO 27001 Clause 6.2 you are going to:

  • Understand the requirements of your information security management system (ISMS)
  • Write objectives that meet those requirements
  • Write a plan that shows how you meet and assess those objectives
  • Document your objectives
  • Communicate the objectives
  • Monitor your progress against the objectives
  • Review and update objectives as required

What the auditor will check

The auditor is going to check a number of areas for compliance with Clause 6.2. Lets go through them

1. That you have documented objectives

The main evidence the auditor will look at is that the objectives are documented. This documentation will include not only what the objectives are but how they will be achieved, by who, by when and how you will measure the success and effectiveness of those objectives.

2. That your objectives are aligned with the business objectives

Here they are looking to see that the objectives were agreed and signed off by senior leadership. Are the objectives created in isolation by the information security manager or are they part of a wholistic approach to managing the organisation.

3. That you monitor, measure and reactive to objectives

This about showing that objectives are tracked and communicated. Are they part of the operation of the business or something dusted off for audit? They want to see that they are tracked and discussed and that if change is required that the continual improvement process is implemented to react to required changes.

They want to see what you do and did if you are not meeting your objectives.

FAQ

What is ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them?

The ISO 27001 standard requires an organisation to establish and maintain information objectives that are based on risk and the needs of the business. It expects a plan on how to achieve the objectives as well as appropriate measures.

Why is ISO 27001 Clause 6.2 important?

ISO 27001 Clause 6.2 is important because we need to understand why we have an information security management system (ISMS) and what we want it to achieve. The ISMS does not exist in a vacuum. It is designed to make the organisation more secure but not at the expense of the success of the organisation. It has to be aligned with the organisation’s commercial objectives. If we do not set goals and objectives for the ISMS it is unlikely to be successful or add value or be effective.

How do you measure information security objectives?

Information security objectives should be Specific, Measurable, Achievable, Realistic and Timely (SMART). You define the objective and then define the measures that are the characteristics of the objective.

Are ISO 27001 information security objectives based on risk?

Yes, ISO 27001 information security objectives are based on risk. ISO 27001 is a risk based management system.

Where can I download ISO 27001 Clause 6.2 templates?

You can download ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them templates in the ISO 27001 Toolkit.

ISO 27001 Clause 6.2 example

An example of ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them template can be found in the ISO 27001 Toolkit.

Who is responsible for ISO 27001 Clause 6.2?

Senior management are responsible for ensuring that ISO 27001 Clause 6.2 is implemented and maintained.

What are the benefits of ISO 27001 Clause 6.2?

Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Clause A 6.2:
Improved security: You will have an effective information security management system that address people’s needs
Reduced risk: You will reduce the risk to your information security management system by identifying relevant people, their needs and addressing them
Improved compliance: Standards and regulations require you to understand the objectives and goals of your management system
Reputation Protection: In the event of a breach having effectively managed risks to the management system will reduce the potential for fines and reduce the PR impact of an event

ISO 27001 Toolkit Business Edition
Do it Yourself ISO 27001 with LIVE EXPERT SUPPORT

ISO 27001:2022 requirements

ISO 27001:2022 Annex A 5 - Organisational Controls

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

ISO 27001:2022 Annex A 8 - Technology Controls

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing