Tackling the requirements of 6.2 in ISO 27001:2013

We hear a lot about ROI (return on investment): is the investment paying off?

It’s what drives most boardroom decisions.

Indeed, to ensure we can judge correctly whether anything is effective, we need to measure performance against a set of key objectives and use that data to inform good decision making.

If you are implementing ISO 27001:2013 and are struggling with the requirements of 6.2, consider it in terms of ROI.

Without these important controls you have an ISMS that you have invested heavily in but no idea whether it is effective in reducing the risk of an information security breach (and its related cost!).

You have no defined goals, no system metrics and no data on which to base decisions.

The whole ISO 27001 implementation boils down to two questions: are we meeting our information security objectives, and how do we know we are? Oh, and of course, if we’re not, what are we doing about it?

In 6.2, just as with any business process, it’s necessary to:

  1. Set your information security objectives
  2. Establish your metrics
  3. Define your process for evaluation.

For more help on satisfying the requirements of 6.2, and other sections of ISO 27001, visit our resources at www.isms.online.

If you’d like to learn more about how the tools and frameworks in ISMS.Online will help you measure and evaluate your ISMS, visit us at www.isms.online or contact us today.
