Information Security Objectives & planning to achieve them for ISO 27001 Requirement 6.2

How do I tackle the requirements of 6.2 in ISO 27001:2013?

You probably know why you want to implement your ISMS and have some top-line organisational goals around what success looks like. The business case builder materials are a useful aid to that for the more strategic outcomes from your management system. Clause 6.2 starts to make this more measurable and relevant to the activities around information security, in particular for protecting the confidentiality, integrity and availability (CIA) of the information assets in scope.

So in tackling this requirement, it’s important to have already understood the organisation and its context (4.1), determined the requirements of interested parties (4.2), established your scope (4.3) and at least started to carry out your risk assessment and treatment (6.1).

The exact requirement for 6.2 is:

“Establish applicable (and if practicable, measurable) information security objectives, taking into account the information security requirements, results from risk assessment and treatment. Determine what will be done, what resources are required, who will be responsible, when they will be completed and how results will be evaluated.”

So clause 6.2 of the standard essentially boils down to one question: ‘How do you know if your information security management system is working as intended?’


Setting Objectives

In considering the objectives you want to achieve as an organisation in relation to information security, make sure that they are business focused and are things that will help you run a (more) secure, better performing organisation.

Concentrate on developing meaningful objectives, not just lots of measures or targets that will mean you spend all your time on administration with no added value for the organisation. You may well already be measuring and monitoring your objectives, so remember to consider what you are already doing as well as what might need more effort. ISO is not trying to catch anyone out on the measurement side; it just wants to be sure you are measuring what matters, and many smart businesses will already be doing that implicitly if not explicitly.

Tie your work here tightly to the management reviews in 9.3 and put your evidence of the results inside your management review board workspace, or link to it, for ease of reference in specific review meetings and audits. You can demonstrate the results of your performance measurement in various ways: using exports from your operational systems, harnessing the automated reporting across ISMS.online (e.g. for incidents) and, if relevant, using simple KPIs added within the management review workspace.

At Alliantist, the software and services company behind ISMS.online, we came up with about 7 objectives with one being:

“Delivery of a secure, reliable cloud service for users and other interested parties who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information.”

When you break just that one objective down, it’s clear that a number of measurable, actionable areas spring from it. For example:

  • Secure – what does that mean in terms of confidentiality and integrity?
  • Reliable – what does that mean in terms of availability of the secure cloud software service?


Making it measurable and actionable

Building on the above, one measure of reliability success for us is the availability of our systems for customers to use. So we have the objective (reliability of the service), a measure (uptime) and then set an uptime target, in this case a minimum of 99.5% availability (which we continually achieve 100% against). Then we considered the frequency of measurement, the owner responsible, and where the source data for the measurement would come from as evidence. We then added that into ISMS.online as a KPI that gets addressed as part of the management reviews, and because it is a fundamental metric for our software service success it is also continuously monitored operationally. Some other, more strategic metrics, e.g. customer, auditor and stakeholder confidence in our ISMS overall, are measured less frequently and are more subjective in some respects, but are nonetheless important as part of the broader ISMS performance.
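The chain described above (objective, measure, target, measurement frequency, owner, data source, then evaluation of the result) is easy to state but easy to get subtly wrong when the evidence is pulled from raw outage records, for example when an outage straddles the start or end of the reporting period. The following is an added example, not code from the original post or from ISMS.online, showing one way to record an availability KPI alongside its ownership and evidence fields and to evaluate it reproducibly against the 99.5% target from the text. The outage records, owner name and data-source description are constructed sample values, and the `AvailabilityKpi` structure and its field names are this example’s own assumption, not a format the page defines.

```python
"""Added example: evaluate a monthly availability KPI against its target.

Outage records, owner and data-source strings below are constructed sample
values; the AvailabilityKpi structure is this example's own assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Outage:
    """A period during which the service was unavailable (constructed sample data)."""
    start: datetime
    end: datetime


@dataclass
class AvailabilityKpi:
    """Objective, measure, target and the 'who/when/where' fields clause 6.2 asks for."""
    objective: str
    measure: str
    target_pct: float
    frequency: str
    owner: str
    data_source: str
    outages: list[Outage] = field(default_factory=list)


def period_bounds(year: int, month: int) -> tuple[datetime, datetime]:
    """Return [start, end) of the calendar month used as the reporting period."""
    start = datetime(year, month, 1)
    end = datetime(year + (month == 12), month % 12 + 1, 1)
    return start, end


def downtime_in_period(outages: list[Outage], start: datetime, end: datetime) -> timedelta:
    """Sum outage time, clipping each outage to the period so that an outage that
    starts in the previous month only counts the minutes that fall inside this one."""
    total = timedelta()
    for outage in outages:
        clipped_start = max(outage.start, start)
        clipped_end = min(outage.end, end)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return total


def availability_pct(outages: list[Outage], start: datetime, end: datetime) -> float:
    """Availability as a percentage of the reporting period."""
    window = end - start
    return 100.0 * (1.0 - downtime_in_period(outages, start, end) / window)


def evaluate(kpi: AvailabilityKpi, year: int, month: int) -> dict:
    """Produce the record a management review would look at: measured value,
    target, pass/fail, and who is accountable for the evidence."""
    start, end = period_bounds(year, month)
    measured = availability_pct(kpi.outages, start, end)
    return {
        "period": f"{year}-{month:02d}",
        "measure": kpi.measure,
        "measured_pct": round(measured, 3),
        "target_pct": kpi.target_pct,
        "met": measured >= kpi.target_pct,
        "owner": kpi.owner,
        "data_source": kpi.data_source,
        "frequency": kpi.frequency,
    }


def sample_kpi() -> AvailabilityKpi:
    """Constructed sample: two outages, one of which straddles the February/March boundary,
    so only 60 of its 120 minutes count towards March."""
    return AvailabilityKpi(
        objective="Delivery of a secure, reliable cloud service",
        measure="uptime",
        target_pct=99.5,                      # target quoted in the text above
        frequency="monthly",
        owner="Operations Director (sample value)",
        data_source="platform monitoring export (sample value)",
        outages=[
            Outage(datetime(2024, 2, 29, 23, 0), datetime(2024, 3, 1, 1, 0)),   # 60 min in March
            Outage(datetime(2024, 3, 14, 10, 0), datetime(2024, 3, 14, 11, 30)),  # 90 min
        ],
    )


if __name__ == "__main__":
    print(evaluate(sample_kpi(), 2024, 3))
```

The clipping in `downtime_in_period` is the part worth keeping: without it the straddling outage would be charged in full to March and the measured figure would understate availability, which is exactly the kind of evidence question an auditor will ask about when the KPI sits close to its target.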

This is a great opportunity to develop metrics that matter for your organisation, if you have not already done so. We encourage a ‘fewer and better managed’ approach instead of ‘lots and poorly managed’. If your organisation has departments and specific areas of the business where confidentiality, integrity and availability are impacted differently, that would justify breaking the measures down for each area, and ISO would expect to see that breakdown as well as the higher level, more strategic metrics.

Other metrics that are helpful for demonstrating CIA follow fairly obviously from some of the requirements set by ISO around managing incidents, risk assessments and reviews, improvements and corrective actions, etc. In ISMS.online we have a number of tools that automatically provide performance statistics that are helpful in demonstrating effective performance of the ISMS. These include incident management tracking, improvements and corrective actions, and a host of others that make much of the objectives management a zero-effort exercise instead of wasting time with spreadsheets and PowerPoint.

Define process and responsibilities for evaluation

Once you have defined your objectives and determined your measures and their frequency, it’s necessary to record how you will set about evaluating the results to drive any required changes or improvements to your ISMS.

At Alliantist we put together a team of representatives from senior management to form the grandly named Performance Audit and Improvement Board (PAIB), which has since simply become our ISMS Board. The ISMS Board is responsible for setting the targets for each of the measures. In our case, our Operations Director owns the objectives that affect the ISMS from a production and operations perspective. Providing the source data is delegated to relevant members of staff as evidence, all of which is pulled from existing systems and simply summarised into KPIs and statistics reporting that form part of the regular management reviews in line with clause 9.3.

Ready to take action?

Discover how ISMS.online can help you achieve or improve on your ISMS objectives


Need ISO 27001 policies and controls for your ISMS?

ISMS.online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you up to a 77% head start with ISO 27001 documentation.
