How to do Requirement 6.2 of ISO 27001:2013?
You probably know why you want to implement your ISMS and have some top-line organisational goals around what success looks like. The business case builder materials are a useful aid to that for the more strategic outcomes from your management system. Clause 6.2 starts to make this more measurable and relevant to the activities around information security, in particular for protecting the confidentiality, integrity and availability (CIA) of the information assets in scope.
So in tackling this requirement it’s important to have already understood the organisation and its context (4.1), determined the requirements of interested parties (4.2), established your scope (4.3) and at least started to carry out your risk assessment and treatment (6.1).
The exact requirement for 6.2 is:
“Establish applicable (and if practicable, measurable) information security objectives, taking into account the information security requirements, results from risk assessment and treatment. Determine what will be done, what resources are required, who will be responsible, when they will be completed and how results will be evaluated.”
So clause 6.2 of the standard essentially boils down to the question: ‘How do you know if your information security management system is working as intended?’
How to Set Objectives for Requirement 6.2?
In considering the objectives you want from your information security management system, make sure that they are business focused and are things that will help you run a (more) secure, better-performing organisation rather than just tick boxes and look nice on a page. Think about what the interested parties will want to see measured and monitored as well. For example, why are customers buying from you and what would they be worried about going wrong from an information security perspective? What level of information assurance, what measures and monitoring would be important for them if they looked closely at your ISMS?
Concentrate on developing meaningful objectives, not just lots of measures or targets that will mean you spend all your time on administration and add no value for the organisation. You may well already be measuring and monitoring your objectives, so remember to consider what you are already doing as well as what might need more effort. ISO are not trying to catch anyone out on the measurement side; they just want to be sure you are measuring what matters, and many smart businesses will already be doing that implicitly if not more explicitly.
Tie your work here tightly with the management reviews in 9.3 and put your evidence of the results inside your management review board workspace, or link to it for ease of use in specific review meetings and audits. You can demonstrate the results of your performance measurement in various ways: using exports from your operational systems, harnessing the automated reporting across ISMS.online (e.g. for incidents) and, if relevant, using simple KPIs added within the management review workspace.
At Alliantist, the software and services company behind ISMS.online, we came up with about 7 information security objectives with one being:
“Delivery of a secure, reliable cloud service for users (and other interested parties) who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information.”
When you break just that one objective down, it’s clear that there are a number of measurable, actionable areas that spring from it. For example:
- Secure – what does that mean in terms of confidentiality and integrity?
- Reliable – what does that mean in terms of availability of the secure cloud software service?
How to make Information Security Objectives Measurable & Actionable?
Building on the above, one measure of reliability success for Alliantist is the availability of systems like ISMS.online for customers to use. So we have the objective (reliability of the service) and a measure (uptime), and can then set an uptime target, in this case a minimum of 99.5% availability (which we continually achieve 100% against). We then considered the frequency of measurement, the owner responsible, and where the source data for the measurement would come from as evidence. We added that into ISMS.online as a KPI that is addressed as part of the management reviews, and because it is a fundamental metric for our software service success it is of course also continuously monitored operationally. The source of that data is the uptime logs. Some other more strategic metrics, e.g. customer, auditor and stakeholder confidence in our ISMS overall, are measured less frequently and are more subjective in some respects, but are nonetheless important as part of the broader ISMS performance.
This is a great opportunity to develop metrics that matter for your organisation, if you have not already done so. We encourage a ‘fewer and better managed’ approach rather than ‘lots and poorly managed’. If your organisation has departments and specific areas of the business that are affected differently in terms of confidentiality, integrity and availability (CIA), which would justify breaking measures down for each area, ISO would expect to see that breakdown as well as the high-level, more strategic metrics.
Other metrics that help demonstrate CIA are fairly obvious from some of the requirements set by ISO 27001 around managing incidents, risk assessments/reviews, improvements and corrective actions, etc. In ISMS.online we have a number of tools that automatically provide performance statistics that help demonstrate effective performance of the ISMS. These include incident management tracking, improvements and corrective actions, and a host of others that make much of the objectives management a zero-effort exercise instead of wasting time with spreadsheets and PowerPoint.
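The objective, measure, target, frequency, owner and data-source chain described above, worked through for the uptime KPI. This is an added example, not code from the article or from ISMS.online: the log format (one ‘timestamp STATUS’ line per state change), the monthly window, the named owner and the reporting frequency are all assumptions, and the sample log lines are constructed.

```python
from datetime import datetime, timezone

def _ts(stamp):
    """Parse an ISO-8601 UTC timestamp such as 2023-05-12T03:10:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def downtime_seconds(log_lines, window_start, window_end):
    """Sum DOWN->UP intervals from 'timestamp STATUS' lines, clipped to the
    measurement window; an outage still open at the window end counts to the end."""
    start, end = _ts(window_start), _ts(window_end)
    total, down_since = 0.0, None
    for line in log_lines:
        stamp, status = line.split()
        at = _ts(stamp)
        if status == "DOWN" and down_since is None:
            down_since = at
        elif status == "UP" and down_since is not None:
            total += max(0.0, (min(at, end) - max(down_since, start)).total_seconds())
            down_since = None
    if down_since is not None:
        total += max(0.0, (end - max(down_since, start)).total_seconds())
    return total

def evaluate_uptime_kpi(log_lines, window_start, window_end, target_pct=99.5):
    """Produce the KPI record (objective, measure, target, owner, frequency,
    source, result) that the management review can file as evidence."""
    window = (_ts(window_end) - _ts(window_start)).total_seconds()
    down = downtime_seconds(log_lines, window_start, window_end)
    achieved = round(100.0 * (window - down) / window, 3)
    return {
        "objective": "Delivery of a secure, reliable cloud service for users",
        "measure": "Service availability (uptime)",
        "target_pct": target_pct,
        "owner": "Operations Director",                      # assumed owner
        "frequency": "Monthly, reported to the ISMS Board",  # assumed frequency
        "source": "uptime monitor log",
        "window": f"{window_start}/{window_end}",
        "downtime_seconds": down,
        "achieved_pct": achieved,
        "met": achieved >= target_pct,
    }

# Constructed sample log (not real monitoring data): one 42-minute outage in May.
SAMPLE_LOG = ["2023-05-12T03:10:00Z DOWN", "2023-05-12T03:52:00Z UP"]

if __name__ == "__main__":
    print(evaluate_uptime_kpi(SAMPLE_LOG, "2023-05-01T00:00:00Z", "2023-06-01T00:00:00Z"))
```

With a 31-day window the 99.5% target leaves about 223 minutes of tolerable downtime, so the sample outage passes while a single four-hour outage would not.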
How to Define Process & Responsibilities for Evaluation of Information Security Objectives?
Once you have defined your objectives and determined your measures and their frequency of measurement, you need to show how you will evaluate the results and then take action on any required changes or improvements to your ISMS.
At Alliantist we put together a team of representatives from the senior management team to form the ISMS Board. The ISMS Board is responsible for setting the targets for each of the measures. Our Operations Director owns the objectives that affect the ISMS from a production and operations perspective. Sourcing the evidence is delegated to relevant members of staff; all of it is pulled from existing systems and simply summarised into KPIs and statistics reporting that form part of the regular management reviews, in line with clause 9.3.