In this ultimate how to audit guide to ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them, you will learn directly from an ISO 27001 Lead Auditor:
- 10 Key Audit Steps
- Verification Criteria
- Required Evidence
- The Pass / Fail Test
I am Stuart Barker, the ISO 27001 Lead Auditor and author of the Ultimate ISO 27001 Toolkit.
Using over 30 years of industry experience across hundreds of audits, I’m giving you the exact templates, walkthroughs, and practical examples you need to achieve ISO 27001 certification.
Table of contents
- 1. Objectives Formally Documented
- 2. Alignment with Security Policy Verified
- 3. Measurability Criteria (SMART) Verified
- 4. Risk & Requirement Alignment Verified
- 5. Action Plans (Who, What, When) Verified
- 6. Resource Allocation Confirmed
- 7. Communication to Relevant Parties Verified
- 8. Active Monitoring of Progress Verified
- 9. Formal Evaluation of Results Verified
- 10. Periodic Review & Update Verified
Auditing ISO 27001 Clause 6.2 verifies that an organisation has established measurable information security objectives that align with its strategic goals. The audit confirms the Primary Implementation Requirement that objectives are documented, communicated, and actively monitored for progress. The Business Benefit is a focused security strategy that drives continuous improvement and risk reduction.
Use this pass/fail checklist to strictly validate compliance with ISO 27001 Clause 6.2 (Information security objectives). For a detailed methodology on how to conduct the interviews and system tests required to generate this evidence, refer to our Clause 6.2 Audit Guide.
1. Objectives Formally Documented
- Verification Criteria: A specific document (or dashboard) exists listing current information security objectives. They are not merely “known” or verbal.
- Required Evidence: The “Information Security Objectives” document (or dedicated section in the Management Review deck) dated within the current audit period.
- Pass/Fail Test: If the CISO lists objectives during the interview but cannot produce a formal record of them approved by leadership, mark as Non-Compliant.
2. Alignment with Security Policy Verified
- Verification Criteria: The stated objectives directly support the high-level commitments made in the Information Security Policy (Clause 5.2).
- Required Evidence: A mapping or cross-reference between the Policy Statement (e.g., “We commit to 99.9% availability”) and the Objective (e.g., “Implement redundant power supplies by Q3”).
- Pass/Fail Test: If the Policy focuses on “Data Privacy” but all Objectives are solely about “Server Uptime,” mark as Non-Compliant (Lack of alignment).
3. Measurability Criteria (SMART) Verified
- Verification Criteria: Objectives are written in a way that allows for definite measurement (e.g., specific percentage, date, or binary outcome).
- Required Evidence: Review the wording of 3 objectives. Look for metrics like “% reduction,” “Zero critical incidents,” or “Completion by [Date].”
- Pass/Fail Test: If an objective is vague, such as “Improve security culture,” without a metric (e.g., “Achieve 90% phishing test pass rate”), mark as Non-Compliant.