ISO 27001 Clause 6.2 is a security control that mandates the establishment of information security objectives at relevant functions and levels. It requires these goals to be consistent with the security policy, measurable, and monitored to ensure effectiveness. Implementing this control provides the Business Benefit of transforming vague security aspirations into tracked performance metrics that demonstrate continuous improvement.
For a tech startup moving at a thousand miles an hour, anything that sounds like “compliance documentation” can feel like a bureaucratic hurdle. It is easy to view ISO 27001 Clause 6.2, which deals with “Information Security Objectives”, as just another box to tick. But that is a missed opportunity. This clause is a strategic tool in disguise.
For a startup, well-defined objectives are not about satisfying an auditor, they are about aligning your security efforts with your core business goals. They translate technical controls into business value: protecting your hard-won reputation, ensuring the reliability of your service, and building the deep, lasting trust that turns early adopters into loyal customers.
Table of contents
- The Business Case: Why This Actually Matters
- The No-BS Translation: Decoding the Requirement
- DORA, NIS2, and AI Laws
- Why the ISO 27001 Toolkit Trumps SaaS Platforms
- Top 3 Non-Conformities When Using SaaS Platforms
- Deconstructing Clause 6.2
- Crafting Meaningful Objectives
- The Evidence Locker: What the Auditor Needs to See
- Common Pitfalls and Auditor Traps
- Handling Exceptions: The Break Glass Protocol
- The Process Layer: Standard Operating Procedure (SOP)
- Frequently Asked Questions (FAQ)
The Business Case: Why This Actually Matters
If you don’t know where you are going, any road will get you there. In security, “any road” usually leads to overspending on tools you don’t need or under-protecting critical assets. Clause 6.2 is your GPS.
- Sales Angle: Sophisticated enterprise buyers will ask: “What are your SLAs for uptime and incident response?” Your Clause 6.2 objectives are the answer to that question. Having documented, tracked targets proves you are a mature vendor, not a risky bet.
- Risk Angle: The “Zombie Security” Risk. Without objectives, security teams tend to do “security for security’s sake.” They patch servers that don’t hold data while ignoring the S3 bucket that does. Clause 6.2 forces you to define what success looks like (e.g., “Protect Customer Data”), ensuring resources target the nightmare scenarios (Data Leak/Ransomware).
The “No-BS” Translation: Decoding the Requirement
The Auditor’s View: “The organisation shall establish information security objectives at relevant functions and levels. The objectives shall be measurable (if practicable) and monitored.”
The Startup’s View: Set Security OKRs (Objectives and Key Results). Don’t just say “We want to be secure.” Say “We want 99.9% uptime and zero critical vulnerabilities in production for more than 48 hours.”
For a DevOps engineer, this translates to:
- Objective: High Availability.
- Key Result: Keep the Datadog uptime monitor green (>99.9%).
- Objective: Secure Code.
- Key Result: Block any PR in GitHub that fails the Snyk vulnerability scan.
DO IT YOURSELF ISO 27001
STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS
DORA, NIS2, and AI Laws
Your objectives act as the “API” between your business and the law. If a regulation mandates a capability, you must set an objective to achieve it.
- DORA (Fintech): Focuses heavily on Resilience. You must set specific objectives for RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Clause 6.2 is where you formally document that your target is “Restore service within 2 hours.”
- NIS2: Focuses on Supply Chain. You should set an objective regarding vendor due diligence, such as “100% of critical suppliers must pass security vetting before onboarding.”
- AI Act: Focuses on Transparency & Safety. If you build AI, you need objectives like “Ensure 100% of training data sets are screened for bias” or “Maintain human oversight logs for all high-risk outputs.”
Why the ISO 27001 Toolkit Trumps SaaS Platforms
SaaS platforms turn objectives into “vanity metrics.” They track how many employees watched a cartoon video, not whether your business is secure.
| Feature | ISO 27001 Toolkit (High Table) | Online SaaS GRC Platform |
|---|---|---|
| Ownership | You define the KPIs in Excel. You own the data. | KPIs are locked in their dashboard. If you leave, you lose your history. |
| Relevance | Totally customisable to your specific tech stack. | Generic “out of the box” goals that often don’t apply to your business model. |
| Cost | One-off fee. | Monthly subscription. You pay rent to track your own goals. |
| Simplicity | A simple dashboard everyone understands. | Complex modules that confuse staff and hide the real data. |
Top 3 Non-Conformities When Using SaaS Platforms
- The “Vanity Metric” Trap: The SaaS dashboard shows “100% Compliance” because everyone watched a video, but you had 3 major outages. The auditor sees the disconnect between the “Green Dashboard” and the “Red Reality.” Major Non-Conformity for ineffective monitoring.
- The “Set and Forget” Error: You accepted the default objectives suggested by the SaaS tool during onboarding 12 months ago. You have pivoted the business since then, but the objectives remain the same. This violates Clause 6.2(f): “Be updated as appropriate.”
- The “Hidden Objective” Fail: The objectives are buried inside the GRC tool that only the Compliance Officer can access. Developers and Sales have no idea what the security goals are. This violates Clause 6.2(e): “Be communicated.”
Deconstructing Clause 6.2: What the Standard Actually Asks For
According to the standard, your information security objectives must meet several criteria:
- Consistent: They must match your high-level policy. Don’t say “Security First” in policy and then have zero budget in objectives.
- Measurable: You need numbers. “Be safe” is not a goal. “Reduce vulnerability count by 10%” is.
- Monitored: You must check them regularly (e.g., Quarterly Business Reviews).
- Communicated: Staff need to know them. Slack is a valid communication channel.
- Updated: If the world changes (e.g., new AI laws), your goals change.
Crafting Meaningful Objectives for Your Startup
Keep it lean. Use a “North Star” objective supported by 3-4 tactical KPIs.
Your High-Level “North Star”
“To prevent information security incidents that could damage our reputation or disrupt our service to customers.“
Startup-Focused Tactical Examples
| Topic | Objective | Metric / KPI |
|---|---|---|
| Availability | Ensure reliable service delivery. | System Uptime > 99.9% per quarter. |
| Vulnerability | Reduce attack surface. | Zero Critical vulnerabilities open > 7 days. |
| People | Build a security-aware culture. | 100% of new hires complete training within 14 days. |
| Sales | Enable enterprise growth. | 100% of Security Questionnaires completed within 3 days. |
The Evidence Locker: What the Auditor Needs to See
To pass the audit, have these artifacts ready:
- Objectives Document: A simple Excel/Notion table listing Objective, Metric, Owner, and Target Date.
- Measurement Data: Screenshots from your actual tools (Datadog, Jira, Vanta, Linear) showing the current status of those metrics.
- Meeting Minutes: Notes from a Management Review meeting where these numbers were discussed. “We missed the patching target, so we are hiring a contractor.”
- Communication Evidence: A screenshot of a Slack post or All-Hands slide sharing these goals with the company.
Common Pitfalls and Auditor Traps
- The “Perfection” Trap: Setting a target of “100% Uptime.” This is impossible. When you inevitably fail, you have a non-conformity. Set realistic targets (e.g., 99.9%).
- The “Unmeasured” Goal: “We will improve culture.” How do you measure that? If you can’t put a number on it, don’t make it a formal ISO objective.
- The “Secret” Goal: The CTO knows the goal, but the engineers don’t. The auditor will ask a random engineer: “What are the security goals for this year?” If they say “I don’t know,” it’s a finding.
Handling Exceptions: The Break Glass Protocol
What if you miss a target? (e.g., Uptime drops to 98%).
- Do NOT hide it: Auditors respect honesty and process. They punish cover-ups.
- The Analysis: Conduct a “Root Cause Analysis.” Why did we miss it?
- The Correction: Create a “Continual Improvement” plan (e.g., “Invest in multi-region failover”).
- The Audit Win: Show the auditor: “We missed the target, here is why, and here is what we are doing to fix it.” This proves the system works.
The Process Layer: Standard Operating Procedure (SOP)
Tools: Excel/Notion (Tracking), Jira (Action Items).
- Annual Set-Up: At the start of the year, leadership defines 3-5 key security objectives aligned with the business plan.
- Quarterly Review: During the Quarterly Business Review (QBR), review the actual data against the targets.
- Action: If on track, great. If off track, assign a Jira ticket to the relevant owner to investigate.
- Update: If business priorities shift (e.g., pivoting to a new product), officially update the objectives table.
Frequently Asked Questions (FAQ)
Do we need specific percentages for our objectives?
Whenever possible, yes. ‘Improve security’ is not an objective; it is a wish. ‘Achieve 99.9% uptime’ or ‘Close High severity vulnerabilities within 48 hours’ are measurable objectives that an auditor can verify.
Can we change our objectives mid-year?
Absolutely. ISO 27001 Clause 6.2(f) explicitly states objectives must be ‘updated as appropriate’. If you pivot from B2C to Enterprise B2B, your security goals *must* change to reflect new customer demands.
How does this relate to OKRs?
Clause 6.2 is effectively asking for your Security OKRs (Objectives and Key Results). If you already use the OKR framework, simply add a ‘Security’ stream. Do not create a separate, parallel system just for compliance.
Conclusion: Your Roadmap to Effective Security Goals
About the author
For a tech startup, successfully implementing ISO 27001 Clause 6.2 is not about bureaucratic paperwork. It is about setting a clear direction for your security program. Start simple with one “North Star” objective, plan for action using a simple spreadsheet from the ISO 27001 Toolkit, and live your objectives by actively monitoring progress.