ISO 27001 Clause 6.2 for AI Companies: Setting Security Objectives

ISO 27001 Clause 6.2 is a security control that mandates establishing measurable information security goals. It requires the systematic alignment of security objectives with business strategy, delivering the business benefit of transparent compliance and increased investor confidence for AI firms protecting proprietary training datasets and core intellectual property.

For an AI company, your value isn’t just in your product; it’s in the terabytes of curated data and the unique architecture of your proprietary models. The theft of a pre-trained model or the subtle poisoning of a dataset isn’t just an incident; it’s an existential threat. In this context, ISO 27001 Clause 6.2 is not a bureaucratic hurdle to be cleared, but a strategic imperative.

It provides the framework for defining what “secure” truly means for your organisation. By setting clear security objectives, you create a focused strategy to protect your intellectual property, ensure the reliability of your AI-powered services, and build the foundational customer trust necessary for growth. This guide will demystify Clause 6.2, providing a practical, no-jargon roadmap for setting meaningful security objectives that actively support your unique business goals.

The “No-BS” Translation: Decoding the Requirement
The Business Case: Why This Actually Matters for AI Companies
DORA, NIS2 and AI Regulation: The New Battleground
ISO 27001 Toolkit vs SaaS Platforms: The Objective Truth
Decoding Clause 6.2: The “What” and “Why” of Your Security Strategy
Structuring Your Objectives: A Two-Level Approach
- The High-Level Objective
- Detailed & Operational Objectives
The Blueprint for Action: How to Define and Document Your Objectives
The SMART Objectives Debate: A Pragmatic View for AI Companies
Tailoring Objectives for AI: Protecting Your Core Assets
The Evidence Locker: What the Auditor Needs to See
Common Pitfalls & Auditor Traps
Handling Exceptions: The “Break Glass” Protocol
The Process Layer: “The Standard Operating Procedure (SOP)”

The “No-BS” Translation: Decoding the Requirement

Let’s strip away the consultant-speak and look at what this actually means for a 25-year-old DevOps engineer trying to ship code without getting sued.

The Auditor’s View (ISO 27001)	The AI Company View (Reality)
“Establish information security objectives at relevant functions and levels.”	Stop guessing what “secure” means. Pick 3-5 KPIs that prove you aren’t leaking data. Put them on a dashboard everyone can see.
“Objectives shall be consistent with the information security policy.”	Don’t say you value “Privacy” in your policy and then set a goal to “Scrape 1B emails without consent.” Your goals must match your rules.
“Objectives shall be measurable (if practicable).”	If you can’t track it in Datadog, Jira, or a Spreadsheet, it doesn’t exist. “Be more secure” is not a goal. “Close P0 vulns in 24h” is.
“Objectives shall be monitored and updated.”	Review these numbers in your Quarterly Business Review (QBR). If you hit 100% easily, your goal was too easy. If you hit 0%, you are in trouble.

The Business Case: Why This Actually Matters for AI Companies

Compliance often feels like homework, but Clause 6.2 is where you define the metrics that protect your revenue. If you delete this control, here is what happens to your sales cycle and bank account.

The Sales Angle

Enterprise buyers are terrified of AI. They think you are going to hallucinations, leak their IP, or train your public model on their private data. When you fill out their Security Questionnaire, they will ask: “How do you measure the effectiveness of your security programme?”

If your answer is “We try our best,” you lose the deal. If your answer is “We track Model Integrity Drift, Time-to-Patch for Critical CVEs, and Privileged Access Revocation rates against strict SLAs,” you look like a grown-up enterprise partner. This control gives you the data points to win the argument.

The Risk Angle

Without defined objectives, you are flying blind. You might be focusing all your energy on “Firewall Rules” (which matter less in a serverless world) while ignoring “Insider Threat” or “Model Inversion Attacks.” Clause 6.2 forces you to align your goals with your actual risks. It prevents the nightmare scenario: You pass the audit, but you still get hacked because you were measuring the wrong things.

DORA, NIS2 and AI Regulation: The New Battleground

If you think ISO 27001 is tough, wait until you meet DORA (Digital Operational Resilience Act) and NIS2. For AI companies, especially those selling to fintech or critical infrastructure, your ISO 27001 objectives are your first line of defence against these regulations.

DORA Alignment: DORA doesn’t just want you to have a backup; it wants proof of “Operational Resilience.” Your Clause 6.2 objectives should include metrics like “Recovery Time Objective (RTO) verification tests per quarter” or “Third-party risk assessment completion rates.”
NIS2 & Incident Reporting: NIS2 mandates strict reporting timelines (often 24 hours). An excellent ISO 27001 objective for AI companies is: “Mean Time To Detect (MTTD) security incidents,” aiming for under 4 hours to ensure you have breathing room for regulatory reporting.
AI Act & Model Safety: Your objectives must now include model safety. Tracking “Percentage of training data validated for bias/poisoning” is no longer just a quality metric; it is a compliance requirement that slots perfectly into Clause 6.2.

ISO 27001 Toolkit vs SaaS Platforms: The Objective Truth

There is a massive industry trying to rent you your own security programme. They promise automation but often deliver dashboard fatigue and vendor lock-in. When it comes to setting and managing objectives (Clause 6.2), here is why the ISO 27001 Toolkit beats a SaaS subscription every time.

Feature	ISO 27001 Toolkit (Hightable.io)	Online SaaS Platform
Ownership	You keep your files forever. It is your strategy, in your SharePoint/Google Drive. You don’t rent your own goals.	You rent your compliance. Stop paying the monthly fee, and you lose access to your history and evidence.
Simplicity	Everyone knows Word & Excel. No training required. Your DevOps team can edit a spreadsheet in seconds.	Complex new UI. You have to train your team on yet another tool. “How do I update a KPI in Drata/Vanta?” becomes a support ticket.
Cost	One-off fee. Pay once, use it for 10 years. Invest the savings in actual security engineering.	Expensive subscriptions. Thousands per year, forever. Prices hike once you are locked in.
Freedom	No Vendor Lock-in. Move your files anywhere. You are in control.	Trapped. Migrating data out of a proprietary platform is a nightmare designed to keep you paying.
Flexibility	100% Customisable. Change any row, column, or formula to fit your AI workflow exactly.	Rigid Templates. You are forced to use their definition of “Objectives,” which often doesn’t fit high-growth AI startups.

Decoding Clause 6.2: The “What” and “Why” of Your Security Strategy

Understanding the core components of Clause 6.2 is the first step towards creating an Information Security Management System (ISMS) that is both robust and effective. This clause moves beyond generic security statements and requires you to articulate precisely what you want to achieve and how you plan to get there. It is, in essence, the “why” behind your entire security programme.

The Formal Definition

The standard officially requires organisations to establish information security objectives at relevant functions and levels. These objectives must be consistent with the information security policy, measurable (if practicable), monitored, communicated, and updated as appropriate.

Breaking It Down

This clause has two fundamental parts that work together:

Establishing Objectives: This is about defining what you want your ISMS to accomplish. These objectives articulate the desired outcomes and provide the strategic direction for your security efforts. This is the “why” that drives your ISMS.
Planning to Achieve Them: This is about creating a concrete, documented action plan. For each objective, you must detail how you will achieve it, including who is responsible, what resources are needed, and how you will measure success.

DO IT YOURSELF ISO 27001

STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS

The Ultimate ISO 27001 Toolkit

Your ISMS Roadmap

Think of Clause 6.2 as the roadmap for your organisation’s security programme. The objectives set the destination—what you aim to achieve—while the plan defines the specific route you will take to get there. Toolkits like Hightable.io are designed to centralise this roadmap, ensuring that your objectives aren’t just written in a static document but are actively tracked and managed.

Structuring Your Objectives: A Two-Level Approach

Not all objectives are created equal, nor should they be. A practical and highly effective way to approach Clause 6.2 is to structure your objectives at two distinct levels: a high, strategic level and a more detailed, operational level. This approach provides both a clear, overarching mission and the flexibility to address specific risks and processes.

The High-Level Objective

It is often beneficial to establish a single, overarching objective for the entire ISMS. This high-level goal is typically documented directly within the Information Security Policy, anchoring the entire system to a core business principle.

An excellent example of such an objective is:

“To help prevent or minimise the impact of information security incidents or breaches to protect our business, reputation and to safeguard our people.”

The value of this approach is its clarity and focus. It connects all subsequent security activities back to the fundamental goal of protecting the business, its reputation, and its personnel.

Detailed & Operational Objectives

These are more specific objectives that typically emerge from your risk assessment and treatment process (Clause 6.1). They are designed to address particular threats or strengthen specific controls. However, it is crucial to apply a pragmatic filter here.

You should only create detailed, documented objectives if they provide a tangible benefit to the organisation. The goal is not to generate a long list for the sake of compliance, but to define targeted objectives where they will actively help achieve the top-level mission. Formally defining an objective allows you to report progress on critical initiatives to senior management effectively.

The Blueprint for Action: How to Define and Document Your Objectives

Proper documentation is not just an exercise for the auditor; it is a critical management tool. A well-defined plan for each objective ensures clarity, assigns accountability, and provides a clear benchmark for evaluating success. This turns your security goals from abstract statements into a tangible blueprint for action.

To ensure compliance and practicality, your documented plan for each objective must answer the following key questions. Using a compliance management tool like Hightable.io can simplify this process by providing structured templates for these elements:

What will be done? Provide a clear, concise sentence describing the specific action or initiative.
What resources will be required? List the high-level needs, such as engineering time, specific software, or allocated budget.
Who will be responsible? Assign a specific person’s name or role (e.g., Head of Data Science, Lead MLOps Engineer).
When will it be completed? Set a target completion date, or note if it is an ongoing, continuous activity.
How will results be evaluated? Define what success looks like and how you will measure it (e.g., penetration test results, uptime metrics).
How will it be monitored? Define the process for tracking progress (e.g., monthly review, dashboard metric).
How will it be communicated? Identify the channels and audiences for communication (e.g., all-hands meeting, management report).

The SMART Objectives Debate: A Pragmatic View for AI Companies

While the “SMART” framework is a widely known tool for objective-setting, there is a nuanced debate about its application within ISO 27001. Understanding this debate can help AI companies avoid common pitfalls and create objectives that are genuinely meaningful, rather than just easy to measure.

What are SMART Objectives?

SMART is an acronym that stands for: Specific, Measurable, Achievable, Relevant, and Time-bound.

The Case Against Strict Adherence

The primary risk of focusing too heavily on the SMART framework is that it can lead you to choose objectives that are easily measurable over those that are strategically important. In consulting practice, teams often get paralysed by trying to make every objective perfectly SMART. Consider the analogy: “Keep my family happy.” This goal is vital, but it fails most of the SMART criteria—it isn’t easily “measurable” or “time-bound” in a conventional sense. Prioritising a less important but perfectly SMART objective would be a mistake.

The Auditor’s Perspective

It is important to know that ongoing objectives are perfectly valid under ISO 27001. Some auditors may incorrectly insist that every objective must have a fixed end date or be strictly SMART. This is not a requirement of the standard. An objective like protecting the business from security incidents is, by its nature, continuous.

A Balanced Recommendation

Use the SMART framework as a helpful guide to bring clarity and focus to your objectives, but do not treat it as a rigid constraint. It is far better to have a strategically vital objective that isn’t perfectly “SMART” than a perfectly “SMART” objective that isn’t important. The most important objectives for an AI company will always relate to protecting its core assets: data, models, and infrastructure.

Tailoring Objectives for AI: Protecting Your Core Assets

For an AI company, the foundational principles of information security—Confidentiality, Integrity, and Availability (the CIA triad)—have specific and critical applications. Translating this triad into tangible objectives is the key to protecting the assets that define your business.

Confidentiality: Protecting Your Secrets

Confidentiality ensures that information is protected from unauthorised access. For an AI company, this is about safeguarding your intellectual property.

Example Objective: “To prevent the exfiltration of proprietary models and sensitive training data, we will implement data loss prevention (DLP) rules that trigger alerts on the unusual movement of large model files (e.g., .pt, .safetensors) and conduct mandatory exit interviews focused on IP with all departing technical staff.”

Integrity: Trusting Your Data and Models

Integrity refers to the accuracy and reliability of information. In the AI world, this is crucial for preventing issues like data poisoning or model drift that can render your technology useless or even dangerous.

Example Objective: “To maintain model integrity and prevent data poisoning attacks, we will implement statistical drift detection on all incoming training data streams, aiming to keep data anomalies below a 0.1% threshold.”

Availability: Ensuring Your Service is Online

Availability means that information and services are accessible to authorised users when needed. For an AI company providing a service, this directly translates to uptime and customer satisfaction.

Example Objective: “To ensure uninterrupted service and defend against resource exhaustion attacks, we will maintain a minimum of 99.5% uptime for production API endpoints and implement rate limiting to protect against inference-based denial-of-service (DoS) attacks.”

The Evidence Locker: What the Auditor Needs to See

When the audit week arrives, you do not want to be scrambling. An auditor needs proof that your objectives are not just hallucinations. Prepare these 3-5 specific artifacts to turn “audit panic” into a simple file-gathering exercise.

The Objectives Register (Excel/SharePoint): A single source of truth listing your objectives, owner, and current status. This is your primary document.
Management Review Minutes (PDF): Meeting notes where the CTO or CISO presented these objectives to leadership. Highlight the section where they were approved.
Data Exports (CSV/Screenshots): Evidence of the metric being tracked. e.g., A screenshot of the Datadog dashboard showing 99.9% uptime, or a Jira export of “Security Tasks Completed.”
Corrective Action Tickets (Jira/Linear): If you missed an objective (e.g., you only hit 95% uptime), show the ticket where you investigated why. Auditors love failure if it is managed correctly.

Common Pitfalls & Auditor Traps

Learn from the failure of other AI companies. These are the top 3 reasons companies get a Non-Conformity for Clause 6.2 during a Stage 2 Audit, particularly when relying on automated platforms.

The “Set and Forget” Error: You configured the objectives in your SaaS platform during onboarding 12 months ago and never looked at them again. The auditor will see the “Last Reviewed” date is a year old. Instant fail.
The “Vanilla” Objective: You accepted the default objectives provided by your compliance tool (e.g., “Ensure Information Security”). This is too vague. It shows you haven’t thought about your specific risks (like Model Inversion or Data Poisoning).
The “Dashboard” Gap: Your platform dashboard shows “100% Compliant,” but your actual engineering logs show you missed every internal SLA. If the evidence contradicts the dashboard, the auditor will dig deeper, and you won’t like what they find.

Handling Exceptions: The “Break Glass” Protocol

Sometimes, strategy changes. You might pivot from B2C to B2B, rendering your old objectives useless. You cannot wait 12 months for the next annual review to change them. You need a protocol to change course without breaking compliance.

The Emergency Realignment Workflow:

Trigger: CTO/CISO identifies that an objective is no longer relevant or achievable due to a major business shift.
Action: Call an ad-hoc Management Review (can be a 15-minute Slack huddle, if documented).
Documentation: Update the Objectives Register. Add a comment: “Objective suspended/changed on [Date] due to [Reason]. Approved by [Name].”
Audit Trail: Keep the old version. Never delete history; just mark it as “Superseded.” This proves to the auditor that you are actively managing the system, not just reacting to it.

The Process Layer: “The Standard Operating Procedure (SOP)”

How do you actually do this? Here is a step-by-step SOP for an AI Company using Google Workspace, Slack, and Linear.

Step 1: The Strategy Session (Manual). Once a year, the CISO and CTO sit down. They look at the Risk Register and decide on 3-5 key goals for the year.
Step 2: Drafting (Manual). Document these goals in the Hightable.io Objectives Register (Excel/Sheets). Define the metrics.
Step 3: Operationalising (Automated/Manual). Create a “Security” project in Linear. Create tickets for the initiatives required to hit the goals. Assign them to engineers.
Step 4: Monitoring (Automated). Set up a dashboard (Grafana/Datadog) for the technical metrics (e.g., Uptime, Latency). For process metrics (e.g., Training Completion), check the HR system.
Step 5: Reviewing (Manual). Quarterly, during the Management Review, open the Register. Update the “Current Status” column. If a goal is “Red,” raise a Linear ticket to investigate why.

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

ISO 27001:2022 Clause 6.2 Information Security Objectives and Planning to Achieve Them for AI Companies

Table of contents