Table of contents
ISO 27001 Information Security Objectives
Information security needs to have objectives that set out what the information security management system hopes to achieve. This is the ‘why’ you have an information security management system.
What is ISO 27001 Clause 6.2?
ISO 27001 Clause 6.2 is an ISO 27001 control that requires you to establish information security objectives.
Those objectives should be established at relevant functions and levels in the organisation.
This ISO 27001 clause is all about information security objectives and planning to meet those objectives.
Purpose
The purpose of ISO 27001 Clause 6.2 is to make sure that you know what you want your information security management system (ISMS) to achieve and how you will go about doing it.
The purpose here is to have an effective information security management system (ISMS) that meets the needs of the organisation.
Definition
ISO 27001 defines ISO 27001 clause 6.2 as:
The organisation shall establish information security objectives at relevant functions and levels. The information security objectives shall:
ISO 27001:2022 Clause 6.2 Information Security Objectives and Planning to Achieve Them
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and risk assessment and risk treatment results;
d) be monitored
e) be communicated
f) be updated as appropriate.
g) be available as documented information
The organization shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organisation shall determine;
h ) what will be done;
i) what resources will be required;
j) who will be responsible;
k) when it will be completed; and
l) how the results will be evaluated.
What are the ISO 27001:2022 Changes to Clause 6.2?
ISO 27001 clause 6.2 had minor changes in the 2022 update with the changes being focussed on clarity.
It introduced that information security objectives should be monitored and be available as documented information. This was always implied but is made explicit.
As a result the numbering of the sub parts shifted but this is not material.
Implementation Guide
Write Objectives Consistent with the Information Security Policy
Objectives that you write for the information security management system have to be consistent with the ISO 27001 Information Security Policy. Making sure that they are documented in the ISO 27001 Information Security Policy so that everyone knows what they are. We do not want a conflict between what the information security policy sets out and what the objectives actually are. They must align.
Write Measurable Objectives
Information Security Objectives have to be measurable. A great way to think about how to measure an objective is to write it in a way that follows the SMART structure. Objectives should be
- Specific
- Measurable
- Achievable
- Realistic
- Timely
There is no point in having an objective if you cannot measure it.
Implement Risk Based Information Security Objectives
ISO 27001 is a risk based information security management system. We take into account he the applicable information security requirements, and risk assessment and risk treatment results.
We covered ISO 27001 Clause 6.1.2 Information Security Risk Assessment and ISO 27001 Clause 6.1.3 Information Security Risk Treatment.
The risks that form part of this will inform our information security objectives.
Communicate the Information Security Objectives
We communicate our information security objectives in a number of ways. We include them in our ISO 27001 Information Security Policy. We include them and track them in our Management Review Team Meeting. We may send out additional communications as part of our ISO 27001 Communication Plan.
Review and Update Information Security Objectives
The information security objectives are not static. Objectives change over time. We continually assess ourselves and our information security management system for relevance. If things change then we update our objectives. At least annually we will take a look at our objectives and review if they are still relevant and make the appropriate changes.
Implementation Checklist
Information Security Objectives and Planning to Achieve Them ISO 27001 Clause 6.2 Implementation Checklist
Establish Information Security Objectives
Define specific, measurable, achievable, relevant, and time-bound (SMART) objectives for the ISMS.
Challenge:
Setting unrealistic or unmeasurable objectives. Difficulty aligning objectives with business goals.
Solution:
Involve key interested parties in defining objectives. Ensure objectives are aligned with the organisation’s strategic direction. Use measurable metrics and targets.
Align Objectives with the Information Security Policy
Ensure that information security objectives are consistent with the overall ISO 27001 Information Security Policy.
Challenge:
Objectives that contradict or are not supported by the policy.
Solution:
Review the ISO 27001 Information Security Policy before defining objectives. Ensure objectives contribute to the overall intent and principles of the policy.
Consider Information Security Risks
Objectives should address identified information security risks and opportunities.
Challenge:
Overlooking key risks when setting objectives.
Solution:
Review the risk assessment results when defining objectives. Prioritise objectives that address high-level risks.
Consider Applicable Requirements
Objectives should take into account legal, regulatory, contractual, and other applicable requirements.
Challenge:
Difficulty in identifying all applicable requirements.
Solution:
Conduct a thorough review of legal, regulatory, and contractual requirements. Consult with legal experts.
Consider Resources
Objectives should be realistic in terms of available resources (financial, human, technical).
Challenge:
Setting objectives that cannot be achieved due to resource constraints.
Solution:
Conduct a resource assessment before finalising objectives. Allocate necessary resources to achieve objectives.
Define Responsibilities
Clearly define who is responsible for achieving each objective.
Challenge: Lack of clear ownership and accountability.
Solution: Assign specific roles and responsibilities for each objective. Ensure that responsible parties have the necessary authority and resources.
Establish Timeframes
Set realistic timeframes for achieving each objective.
Challenge:
Setting unrealistic deadlines.
Solution:
Break down objectives into smaller, manageable tasks with clear timelines. Consider dependencies between tasks.
Determine How Results Will Be Evaluated
Define how progress towards objectives will be measured and evaluated.
Challenge:
Difficulty in measuring the effectiveness of some objectives.
Solution:
Define clear metrics and key performance indicators (KPIs) for each objective. Establish a process for collecting and analysing data.
Communicate Objectives
Communicate information security objectives to relevant interested parties.
Challenge:
Difficulty in communicating complex technical information to non-technical audiences.
Solution:
Tailor communication to the audience. Use visual aids and plain language. Ensure interested parties understand the importance of the objectives.
Regularly Monitor and Review Objectives
Regularly monitor progress towards objectives and review them to ensure they remain relevant and appropriate.
Challenge:
Difficulty in keeping objectives up-to-date.
Solution:
Establish a schedule for regular objective reviews. Integrate objective reviews with other ISMS processes, such as management review.
Audit Checklist
The following is a summary of ISO 27001 Clause 6.2 Audit Checklist and covers the Information Security Objectives and Planning to Achieve Them ISO 27001 Clause 6.2 Audit Checklist
Review Information Security Objectives
Verify that the organization has established documented information security objectives.
Audit Techniques: Document review (ISMS objectives document, strategic plans), interviews with top management and information security management, comparison of objectives against the ISMS policy.
Assess SMART Objectives
Ensure that the objectives are Specific, Measurable, Achievable, Relevant, and Time-bound (SMART).
Audit Techniques: Document review (objectives documentation), interviews with those responsible for achieving the objectives, analysis of objective statements for clarity and measurability, review of metrics and KPIs associated with objectives.
Evaluate Alignment with ISMS Policy
Verify that the information security objectives are consistent with the ISMS policy.
Audit Techniques: Document review (ISMS policy and objectives documentation), interviews with top management, analysis of the relationship between policy statements and objectives.
Assess Consideration of Risks and Requirements
Ensure that the objectives consider identified information security risks and applicable legal, regulatory, and contractual requirements.
Audit Techniques: Document review (risk assessment reports, legal and regulatory compliance documentation, contractual agreements), interviews with risk owners and legal/compliance personnel, analysis of how risks and requirements are addressed in the objectives.
Evaluate Resource Consideration
Verify that the objectives are realistic in terms of available resources (financial, human, technical).
Audit Techniques: Interviews with resource owners and budget holders, review of resource allocation plans and budgets, analysis of the feasibility of achieving objectives with available resources.
Examine Defined Responsibilities
Ensure that clear responsibilities are defined for achieving each objective.
Audit Techniques: Interviews with those responsible for achieving objectives, review of roles and responsibilities documentation, analysis of accountability for objective achievement.
Assess Established Timeframes
Verify that realistic timeframes are established for achieving each objective.
Audit Techniques: Review of objective implementation plans and schedules, interviews with project managers and those responsible for achieving objectives, analysis of timelines for feasibility.
Evaluate Measurement and Evaluation Methods
Ensure that methods for measuring and evaluating progress towards objectives are defined.
Audit Techniques: Review of performance metrics and KPIs, interviews with those responsible for monitoring progress, examination of reporting mechanisms and dashboards, analysis of data collection and analysis procedures.
Assess Communication of Objectives
Verify that the information security objectives are communicated to relevant interested parties.
Audit Techniques: Interviews with interested parties at different levels, review of communication plans and records, analysis of communication effectiveness, examination of awareness training materials.
Evaluate Monitoring and Review of Objectives
Ensure that the objectives are regularly monitored and reviewed to ensure they remain relevant and appropriate.
Audit Techniques: Review of management review outputs, interviews with top management and information security management, examination of objective review records, analysis of the frequency and effectiveness of objective reviews.
ISO 27001 Templates
ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.
These individual templates help meet the specific requirements of ISO 27001 clause 6.2
DO IT YOURSELF ISO 27001
All the templates, tools, support and knowledge you need to do it yourself.
ISO 27001 Clause 6.2 Training Video
Watch the ISO 27001 Clause 6.2 – How to implement ISO 27001 Clause 6.2 Information Security Objectives
How to pass an audit
To pass an audit of ISO 27001 Clause 6.2 you are going to:
- Understand the requirements of your information security management system (ISMS)
- Write objectives that meet those requirements
- Write a plan that shows how you meet and assess those objectives
- Document your objectives
- Communicate the objectives
- Monitor your progress against the objectives
- Review and update objectives as required
What the auditor will check
The auditor is going to check a number of areas for compliance with Clause 6.2. Lets go through them
That you have documented objectives
The main evidence the auditor will look at is that the objectives are documented. This documentation will include not only what the objectives are but how they will be achieved, by who, by when and how you will measure the success and effectiveness of those objectives.
That your objectives are aligned with the business objectives
Here they are looking to see that the objectives were agreed and signed off by senior leadership. Are the objectives created in isolation by the information security manager or are they part of a wholistic approach to managing the organisation.
That you monitor, measure and reactive to objectives
This about showing that objectives are tracked and communicated. Are they part of the operation of the business or something dusted off for audit? They want to see that they are tracked and discussed and that if change is required that the continual improvement process is implemented to react to required changes.
They want to see what you do and did if you are not meeting your objectives.
FAQ
The ISO 27001 standard requires an organisation to establish and maintain information objectives that are based on risk and the needs of the business. It expects a plan on how to achieve the objectives as well as appropriate measures.
ISO 27001 Clause 6.2 is important because we need to understand why we have an information security management system (ISMS) and what we want it to achieve. The ISMS does not exist in a vacuum. It is designed to make the organisation more secure but not at the expense of the success of the organisation. It has to be aligned with the organisation’s commercial objectives. If we do not set goals and objectives for the ISMS it is unlikely to be successful or add value or be effective.
Information security objectives should be Specific, Measurable, Achievable, Realistic and Timely (SMART). You define the objective and then define the measures that are the characteristics of the objective.
Yes, ISO 27001 information security objectives are based on risk. ISO 27001 is a risk based management system.
You can download ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them templates in the ISO 27001 Toolkit.
An example of ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them template can be found in the ISO 27001 Toolkit.
Senior management are responsible for ensuring that ISO 27001 Clause 6.2 is implemented and maintained.
Other than your ISO 27001 certification requiring it, the following are benefits of implementing ISO 27001 Clause A 6.2:
Improved security: You will have an effective information security management system that address people’s needs
Reduced risk: You will reduce the risk to your information security management system by identifying relevant people, their needs and addressing them
Improved compliance: Standards and regulations require you to understand the objectives and goals of your management system
Reputation Protection: In the event of a breach having effectively managed risks to the management system will reduce the potential for fines and reduce the PR impact of an event
