Your Essential 10-Point Audit Checklist for ISO 27001 Clause 6.2

ISO 27001 Clause 6.2 Audit Checklist

In the world of information security, ISO 27001 Clause 6.2, “Information security objectives and planning to achieve them”, is far more than a bureaucratic box-ticking exercise. Think of it as the strategic compass for your entire Information Security Management System (ISMS).

This clause compels an organisation to move beyond vague intentions and establish a clear direction, ensuring that every security effort is purposeful and aligned with the business’s core mission. Well-defined objectives provide the answer to a fundamental question: “What are we trying to achieve with our information security, and how will we know if we’ve succeeded?”

To help you prepare for a successful audit of this critical clause, we’ve developed a practical, 10-point checklist. It breaks down exactly what an auditor looks for, providing the insight you need to demonstrate that your security objectives are not just documented, but are a driving force for a more secure and resilient organisation.

The Auditor’s View: Your 10-Point Checklist for Clause 6.2

Auditors approach Clause 6.2 with a clear set of expectations. We look for evidence of a complete lifecycle for each objective: Establish, Plan, Monitor, Evaluate, and Update. This checklist will guide you through each stage.

1. Are Your Objectives Formally Documented?

The very first thing an auditor will ask to see is the documented information on your security objectives. This isn’t just a high-level statement; we expect a formal, easily accessible record. This documentation must explicitly state each objective and include the detailed plan for achieving it. As outlined in sub-clauses 6.2 h) through l) of the standard, we look for plans covering actions, resources, responsibilities, completion dates, and evaluation methods.

Auditor’s Tip: Don’t bury this. Have a dedicated ‘Information Security Objectives’ document or a clear section in your ISMS.

2. Are Objectives Aligned with Your Security Policy and Business Goals?

Security objectives cannot exist in isolation; your compass must be aligned with your organisation’s true north. An auditor will verify that your objectives are consistent with the high-level principles stated in your Information Security Policy (Clause 5.2) and support the broader strategic goals of the business. Evidence of sign-off from senior leadership is a key indicator that this alignment is genuine.

3. Are Your Objectives Measurable (If Practicable)?

The standard requires objectives to be “measurable (if practicable),” and auditors expect a clear method for determining if an objective is being met. While the SMART framework (Specific, Measurable, Achievable, Relevant, Time-bound) is helpful, it is not mandatory. We look for a practical approach to measurement, avoiding rigid adherence to a framework that might stifle meaningful goals.

4. Do Objectives Account for Risks and Requirements?

A robust ISMS is risk-based. An auditor will cross-reference your stated objectives with your risk assessment results (Clause 6.1.2) and your risk treatment plan (Clause 6.1.3) to confirm that they directly address your most significant information security risks. We will also check that your objectives account for all applicable legal, regulatory, and contractual requirements.

5. Is There a Clear Plan for Achievement?

Having an objective is one thing; having a plan to achieve it is what demonstrates operational capability. An auditor will examine your action plans looking for:

  • What will be done: A clear description of actions and tasks.
  • What resources will be required: Notes on people, time, and budget.
  • Who will be responsible: The name of the accountable person or role.
  • When it will be completed: A target date or a statement like ‘ongoing’.
  • How results will be evaluated: Specific metrics or methods for success.

6. Are Sufficient Resources Allocated?

A plan without resources is just a wish. We will assess whether your plans are realistic and backed by genuine commitment. This involves looking for evidence that the necessary financial, human, and technical resources have been allocated. Setting ambitious objectives without providing the means to achieve them indicates a lack of senior management commitment.

7. Have the Objectives Been Communicated?

For an ISMS to be effective, people must understand their role in it. An auditor will verify that security objectives have been communicated to relevant functions and levels throughout the organisation. We review communication records and interview staff to ensure employees understand their personal contribution.

8. Are You Actively Monitoring Progress?

The ISO 27001:2022 update made the requirement to monitor objectives explicit. We need to see evidence that progress is being actively tracked via performance dashboards, regular reports, or as a standing agenda item in management meetings. The goal is to prove that objectives are part of the ongoing rhythm of the business.

9. Is There a Formal Evaluation of Results?

Monitoring tracks progress, while evaluation assesses final success. An auditor will require evidence of how you formally evaluate the results of your objectives. This involves comparing actual outcomes against defined measures to determine if the objective was met effectively. This evaluation is a mandatory input for the management review process (Clause 9.3).

10. Are Objectives Reviewed and Updated?

The threat landscape is not static. An auditor will verify that you have a process to review your objectives at planned intervals (e.g., annually) and update them whenever there are significant changes to your business or context. This demonstrates a commitment to the principle of continual improvement.


Common Audit Pitfalls and How to Avoid Them

The “Every Objective Must Have an End Date” Myth

It is a common misunderstanding that every objective must be time-bound with a fixed completion date. An objective is simply something you are trying to achieve. Many critical security objectives, like “preventing or minimising the impact of security incidents,” are ongoing by nature. Be prepared to defend the validity of your ongoing objectives: pair each one with a measure (for example, incidents per quarter and time to contain) and a review cadence, so that “ongoing” never becomes “never evaluated”.

The “Everything Must Be SMART” Trap

While SMART is a useful guide, it is not mandatory. A dangerous pitfall is choosing objectives simply because they are easy to make SMART, rather than because they are important. Focus first on defining meaningful, business-relevant objectives that address key risks. The method of measurement should serve the objective, not the other way around.

Conclusion: Turning Objectives into Your Security North Star

Defining, planning, and managing your information security objectives under Clause 6.2 is a core leadership activity that gives your entire ISMS direction, purpose, and accountability. Use this checklist not merely as a tool to pass an audit, but as a framework for continual improvement. By treating your security objectives as your organisation’s North Star, you will build a more effective, responsive, and resilient security posture.

About the author

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.

Holding an MSc in Software and Systems Security, Stuart combines academic rigour with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.

As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organisations, from high-growth technology startups to enterprise financial institutions, through the audit lifecycle.

His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.

Stuart Barker - High Table - ISO27001 Director