Information Security Objectives & planning to achieve them for ISO 27001 Requirement 6.2

How do I tackle the requirements of 6.2 in ISO 27001:2013?

Having understood the organisation and its context (4.1), determined the requirements of interested parties (4.2), established your scope (4.3) and carried out your risk assessment and treatment (6.1), you can now use these to inform the objectives, and the plans to achieve them, required by 6.2:

“Establish applicable (and if practicable, measurable) information security objectives, taking into account the information security requirements, results from risk assessment and treatment. Determine what will be done, what resources are required, who will be responsible, when they will be completed and how results will be evaluated.”

Sect. 6.2 of the standard essentially boils down to one question: how do you know whether your information security management system is working well?

To do this you need to arrive at a set of objectives (keeping in mind Sects. 4.1, 4.2, 4.3 and 6.1) and determine how you will evaluate and measure performance against each of those objectives.

Set Objectives

Consider the objectives you want to achieve as an organisation in relation to information security.

At Alliantist, the software and services company behind ISMS.Online, we came up with about seven objectives, the core one being:

“Delivery of a secure, reliable cloud service for users and other interested parties who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information.”

NB: Don't go overboard; keep things at a high level!

Another example from our objectives:

“Provide a pragmatic digital paperless ISMS for staff (and other interested parties who need to access it), integrated into their day to day work practices to ensure it becomes a habit for good performance not an inhibitor to getting their work done.”

Determine metrics system

Once you have those objectives, consider the key things that should and shouldn’t be happening if you were to meet each one of them and how you would go about measuring those things.

For example, a key measure of success for us is the availability of our systems for customers to use. So we have an uptime target of 99.5% (matching the SLA agreed with customers) as one of the measures we track each month using our uptime monitoring systems. Note what the figure actually permits: 99.5% over a 30-day month allows about 3.6 hours of downtime, so the target should be set with the customer commitment, not just a round number, in mind.

When you are thinking about what to measure, keep in mind the three principles that run through ISO 27001: confidentiality, integrity and availability.

So, for example, some of the things we measured ourselves against were:

  • System uptime with a target of 99.5% (availability)
  • Any failures in our backups with a target of none (integrity)
  • Number of corrective actions with a target of none (all)

We documented a list of measures, each aimed at delivering one or more of our stated objectives, and stated the frequency of measurement for each.
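The availability measure above is the one most often miscounted, because it has to be recomputed every month from raw monitoring data and an outage that started last month must only be counted for the part that falls inside this one. The following is an added example, not code from Alliantist or ISMS.Online: it takes constructed outage windows (made up here, as an uptime monitor might report them), computes monthly availability and the downtime budget implied by a 99.5% target, and evaluates the three measures listed above against their targets. The monitor itself, the month chosen and all the figures are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed outage windows for the reporting month, as an (assumed) uptime
# monitor might report them. Not real data: made up to exercise the calculation.
OUTAGES = [
    (datetime(2024, 2, 29, 23, 30), datetime(2024, 3, 1, 0, 20)),   # straddles the month start
    (datetime(2024, 3, 4, 2, 10), datetime(2024, 3, 4, 3, 25)),     # 75 min
    (datetime(2024, 3, 19, 14, 0), datetime(2024, 3, 19, 14, 42)),  # 42 min
]
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)  # exclusive


def downtime_minutes(outages, start, end):
    """Sum outage minutes, clipping each window to the reporting period so an
    outage that began before the period only counts for the part inside it."""
    total = 0.0
    for o_start, o_end in outages:
        clipped_start = max(o_start, start)
        clipped_end = min(o_end, end)
        if clipped_end > clipped_start:
            total += (clipped_end - clipped_start).total_seconds() / 60
    return total


def availability_percent(outages, start, end):
    """Availability for the period as a percentage of the period's total minutes."""
    period_minutes = (end - start).total_seconds() / 60
    return 100.0 * (1.0 - downtime_minutes(outages, start, end) / period_minutes)


def allowed_downtime_minutes(target_percent, start, end):
    """Downtime budget implied by a target such as 99.5% for this period length."""
    period_minutes = (end - start).total_seconds() / 60
    return period_minutes * (100.0 - target_percent) / 100.0


@dataclass
class Kpi:
    name: str
    value: float
    target: float
    higher_is_better: bool  # True for availability; False for counts that should be zero

    def met(self) -> bool:
        return self.value >= self.target if self.higher_is_better else self.value <= self.target


def monthly_report(outages, start, end, backup_failures, corrective_actions):
    """The three measures from the text, evaluated against their targets.
    Returns {name: (value, target, met)} so callers can act on misses."""
    kpis = [
        Kpi("System uptime (%)", round(availability_percent(outages, start, end), 2), 99.5, True),
        Kpi("Backup failures", backup_failures, 0, False),
        Kpi("Corrective actions raised", corrective_actions, 0, False),
    ]
    return {k.name: (k.value, k.target, k.met()) for k in kpis}


if __name__ == "__main__":
    used = downtime_minutes(OUTAGES, PERIOD_START, PERIOD_END)
    budget = allowed_downtime_minutes(99.5, PERIOD_START, PERIOD_END)
    print(f"Downtime budget at 99.5%: {budget:.1f} min; used: {used:.0f} min")
    # Constructed counts for the month: no backup failures, two corrective actions.
    report = monthly_report(OUTAGES, PERIOD_START, PERIOD_END, backup_failures=0, corrective_actions=2)
    for name, (value, target, met) in report.items():
        print(f"{name}: {value} (target {target}) -> {'MET' if met else 'MISSED'}")
```

With the constructed data the month has 137 minutes of downtime (20 of the 50 minutes of the first outage fall inside March), giving 99.69% availability against a 223.2-minute budget, so the uptime and backup measures are met while the corrective-actions measure is missed; the point of returning the result rather than only printing it is that the miss can feed straight into the management review record.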

Within the ISMS.Online software solution we have a tool to handle not only incident management tracking but improvements and corrective actions too. This makes them all easy to manage and easy to evaluate using the built-in stats feature.

Of course, for some measures you may need to consult external systems in order to obtain readings each month. For these we record the results using our KPI feature.


This ensures we track our results each month and that everything relevant to our information security management system is kept in one secure online environment, ready for effective management reviews.

Define process and responsibilities for evaluation

Once you have defined your objectives, determined your measures, and their frequency, it’s necessary to record how you will set about evaluating the results to influence any required changes or improvements to your ISMS.

At Alliantist we put together a team of representatives from senior management to form the Performance Audit and Improvement Board (PAIB). The PAIB is responsible for setting the targets for each of the measures. In our case, our Operations Director owns all measures on behalf of the PAIB, although source data may be delegated to relevant members of staff to obtain.

Within ISMS.Online we've created a PAIB 'Project' where performance is documented as a KPI and evaluated as part of our regular management reviews (9.3), or by exception between reviews if necessary.

Keep in mind that you cannot know whether your ISMS is effective unless you continuously measure your performance against established goals and have processes and policies in place to make changes where they are needed.

How to evaluate and improve information security objectives

Using the workspaces provided in ISMS.Online you can tie your work in 6.2 tightly to the management reviews in 9.3 and capture the evidence of the results inside your management review board workspace. You can even link to it for ease in specific review meetings and audits. Furthermore, you can demonstrate the results of your performance measurement in various ways: exports from your operational systems, the automated reporting across ISMS.Online and, if relevant, the simple KPI feature within the management review workspace.


In ISMS.Online we provide a template policy for meeting 6.2 that you can adopt or adapt to meet your own requirements.

It also includes example objectives you may wish to consider.

Furthermore, you can subscribe to our Virtual Coach for more ISO 27001 expert guidance on 6.2 and the full set of ISO 27001 requirements and controls.

Discover how you can save time and reduce management resource using ISMS.Online to achieve and maintain your ISO 27001 ISMS.


Need a set of ISO 27001 policies for your ISMS? ISMS.Online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you a 77% head start with ISO 27001.

