In the beginner’s guide to ISO 27001 Objectives you will learn
- what ISO 27001 objectives are
- how to write your own objectives
- example objectives you can use straightaway
I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.
What are ISO 27001 Objectives?
ISO 27001 Objectives are statements of what you want the information security management system to achieve.
Objectives should be:
- Specific
- Measurable
- Achievable
- Realistic
- Timely
For each information security objective you record:
- What will be done
- What resources will be required
- Who will be responsible
- When will it be completed
- How the results are evaluated
The objectives should be measurable and clear so that you can track your progress over time.
Key Points
You need to understand your organisation and its context before setting goals.
The goals should be focussed on the needs of the business and improving security.
The goals do not have to be overly complex.
Examples
The following are common best practice ISO 27001 objectives:
- Meet legal, regulatory and contractual obligations for information security
- Effectively manage third parties to reduce potential information security risk from suppliers
- Ensure the confidentiality, integrity and availability of data and services of the company.
- Make available the required resources to manage the information security management system and address risks through the risk management and continual improvement
- Implement a culture of information security through training and awareness
Let’s explore each example in more detail.
1. Meet legal, regulatory and contractual obligations for information security
It is important that the management system you implement meets the requirements of the law, your regulators and your customers.
What will be done
Implementation of the ISO 27001 Standard with completion of and adherence to the legal, regulatory and contractual register for information security.
Achieve Accredited ISO 27001 Certification and maintain it.
What resources will be required
Experienced ISO 27001 implementation resource
Who will be responsible
Decide who will be responsible and record it.
When will it be completed
Review and Sign Off of Legal Register: [Insert date]
ISO 27001 Implementation: [Insert date]
ISO 27001 Certification Audit: [Insert date]
ISO 27001 Certification: [Insert date]
How the results are evaluated
Legal Register Evidenced as Reviewed and Signed Off
ISO 27001 Audits Booked
ISO 27001 Audits Completed
ISO 27001 Certificate Issued
2. Effectively manage third parties to reduce potential information security risk from suppliers
Third party suppliers are outside of your direct control and therefore represent one of the most significant risks to your information and data. It is important to secure the supply chain.
What will be done
Implementation of third party management policy, process and register.
Review of all relevant third parties for contracts and information security assurances.
What resources will be required
Supplier Management
Who will be responsible
Decide who will be responsible and record it.
When will it be completed
Implementation of third party management policy, process and register: [Insert date]
Review of all relevant third parties for contracts and information security assurances: [Insert date]
Ongoing supplier reviews based on changes to suppliers: Monthly
How the results are evaluated
All relevant third parties are recorded in the third party supplier register and all columns of the third party supplier register are complete.
All relevant third parties have an in date contract that covers the products and / or services we are buying and relevant clauses for information security.
All relevant third parties have provided an ISO 27001 certificate that covers the products and / or services we are buying, or we have adequate assurances, or they are being managed via the risk management process and tracked on the risk register.
3. Ensure the confidentiality, integrity and availability of data and services of the company.
Information security is about the confidentiality, integrity and availability of data so it makes sense to enshrine that in your objectives.
What will be done
Implementation of the ISO 27001 Standard that includes
- Risk Management
- ISO 27001 Annex A Controls Implementation based on the Statement of Applicability
- Appropriate measurement of controls in place, monitored and reviewed
What resources will be required
Information Security Management
Who will be responsible
Decide who will be responsible and record it.
When will it be completed
ISO 27001 Implementation: [Insert date]
ISO 27001 Annex A Controls Implemented: [Insert date]
Effectiveness of controls: Monthly
How the results are evaluated
Appropriate measures are in place for the controls and reported to the management review team
Internal audit checks the effectiveness of risk management and controls based on the audit plan and the audit management process, which reports to the management review team.
External verification is conducted via external audits, which include accredited ISO 27001 certification audits and may include client audits.
4. Make available the required resources to manage the information security management system and address risks through the risk management and continual improvement
A management system cannot run without the resources it needs and therefore an objective is to make resources available to support information security, to continually improve and to mitigate risks with effective risk management.
What will be done
Complete the Information Security Assigned Roles and Responsibilities Document
Implement a risk management policy, process and risk register
Implement a continual improvement policy, process and incident and corrective action log
Conduct risk reviews
What resources will be required
Information Security Management
Who will be responsible
Decide who will be responsible and record it.
When will it be completed
Information Security Assigned Roles and Responsibilities Document completed and people assigned: [Insert date]
Risk Policy, Process, Register in place: [Insert date]
Continual Improvement Policy, Process and Corrective Action log implemented: [Insert date]
Risk Reviews Completed: In line with operational processes, management review team meetings and annual risk review
How the results are evaluated
Documentation is in place and up to date
Corrective actions are recorded and evidenced
Risk reviews are recorded and evidenced
Management Review Team Meeting minutes are in place
5. Implement a culture of information security through training and awareness
A straightforward and common sense objective that is easy to implement and track: an information security culture is a base requirement.
What will be done
A communication plan will be implemented that plans information security communication for the year ahead and keeps evidence of communication completed. It will record who will be communicated to, who will communicate, what they will communicate, how they will communicate it and which communication methods will be used.
A training tool will be implemented that delivers the required information security training, which will include training in basic information security, data protection and additional training based on risk and business need.
A Management Review Team will be put in place that will follow the structured agenda of the standard with at least one senior leadership representative and representatives for each area of the business.
What resources will be required
Information Security Training and Awareness Management
A tool for effective information security training and awareness management
Who will be responsible
Decide who will be responsible and record it.
When will it be completed
Management Review Team in place: [Insert date]
Management Review Team Meetings: in line with communication plan.
Communication Plan In Place: [Insert date]
Communication ongoing in line with communication plan.
Training Tool in Place: [Insert date]
Training ongoing in line with training schedule set up in tool.
Basic information security and data protection training: annually
How the results are evaluated
Management Review Team Meeting Agenda and Minutes
Communication Plan with evidence of communication
Training tool with records of training completion
ISO 27001 objectives template
The ISO 27001 objectives template is included as part of the ISO 27001 Toolkit.
How to write ISO 27001 objectives
Writing objectives for the information security management system is a straightforward process. These are the steps to follow:
Identify your stakeholders
Stakeholders are people that have a vested interest in the operation of the management system, and you will identify who those people are.
They fall into two broad categories:
- People that are required to provide resources
- People with a vested interest in objectives being met
Define stakeholder requirements
Once you have identified who the stakeholders are you should ask them what their requirements are for the information security management system. This is more formally covered in the needs and expectations of interested parties and at the end of this step you will be ready to translate those needs and requirements into objectives.
Document the objectives
Taking the requirements you will define the objectives. There are several elements of an objective that you are required to record. They are:
- Information Security Objective
- What will be done
- What resources will be required
- Who will be responsible
- When will it be completed
- How the results are evaluated
Agree the objectives
Once the objectives have been documented they must be agreed and approved. To do this you will either:
- Follow your internal approval method
- Have them signed off at the management review team meeting and the decision documented in the minutes
Manage the objectives
Objectives are not approved and then forgotten. They are part of the operation of the management system and should be managed.
You will evidence that you are
- reviewing the performance of the objectives on a regular basis
- reviewing the appropriateness of the objectives at least annually
- addressing any deviation of the management system from its objectives through the continual improvement process
The framework for setting ISO 27001 objectives
You will document your framework for setting objectives. The following is a great framework that you can consider adopting.
Objectives are reviewed at least annually or when significant change occurs to the organisation.
Objectives are approved and signed off by the Management Review Team.
Objectives are published in the Information Security Policy which is communicated to and accepted by all staff.
The objectives are based on a clear understanding of the business requirements and as a minimum are based on:
- the Organisation Overview that records the business objectives
- the Context of Organisation that records interested parties, internal issues and external issues
- feedback from Interested Parties captured as part of the Management Review process
- output from Risk Assessment and Risk Treatments
Objectives are measured and progress against objectives is tracked at the Management Review Team Meeting.
The objectives are recorded in the Information Security Objectives document, which sets out what will be done, what resources are required, who will be responsible and when it will be completed. The Information Security Management System will be measured on its ability to achieve these overall objectives.
ISO 27001 objectives training video
In this free ISO 27001 training video we look specifically at implementing ISO 27001 Objectives.
ISO 27001 objectives FAQ
- Meet legal, regulatory and contractual obligations for information security
- Effectively manage third parties to reduce potential information security risk from suppliers
- Ensure the confidentiality, integrity and availability of data and services of the company
- Make available the required resources to manage the information security management system and address risks through the risk management and continual improvement
- Implement a culture of information security through training and awareness
Once agreed, the objectives become the measure of what success looks like for the operation of the management system. They are used to hold it to account and to demonstrate that it is fit for purpose and operating effectively.
There has to be a reason why you are implementing an information security management system. The reality is that there will be many reasons. Those reasons are based on the requirements of the stakeholders. The stakeholders are going to invest resources and in return they want something back. Having objectives documented and managed ensures that those stakeholder requirements are addressed directly.
ISO 27001 Clause 6.2 Information Security Objectives and Planning to Achieve Them