Information Security Objectives & planning to achieve them for ISO 27001 Requirement 6.2
How do I tackle the requirements of 6.2 in ISO 27001:2013?
Having understood the organisation and its context (4.1), determined the requirements of interested parties (4.2), established your scope (4.3) and carried out your risk assessment and treatment (6.1), you can now use these to inform your policy and controls for 6.2:
“Establish applicable (and if practicable, measurable) information security objectives, taking into account the information security requirements, results from risk assessment and treatment. Determine what will be done, what resources are required, who will be responsible, when they will be completed and how results will be evaluated.”
Section 6.2 of the standard essentially boils down to one question: ‘How do you know if your information security management system is working well?’
To do this you need to arrive at a set of objectives (keeping in mind Sects. 4.1, 4.2, 4.3 and 6.1) and determine how you will evaluate and measure performance against each of those objectives.
Consider the objectives you want to achieve as an organisation in relation to information security.
At Alliantist, the software and services company behind ISMS.online, we came up with about 7 objectives with the core one being:
“Delivery of a secure, reliable cloud service for users and other interested parties who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information.”
NB: Don’t go overboard and keep things at a high level!
Another example from our objectives:
“Provide a pragmatic digital paperless ISMS for staff (and other interested parties who need to access it), integrated into their day to day work practices to ensure it becomes a habit for good performance not an inhibitor to getting their work done.”
Determine your metrics system
Once you have those objectives, consider the key things that should and shouldn’t be happening if you were to meet each one of them and how you would go about measuring those things.
For example, a key measure of success for us is the availability of our systems for customers to use. So we have an uptime objective of 99.5% (or the SLA agreed with customers) as one of the measures we track each month using our uptime monitoring systems.
When you are thinking about what to measure, have in mind the three key principles that run through ISO 27001: Confidentiality, Availability and Integrity.
So, for example, some of the things we looked at to measure ourselves against were:
- System uptime with a target of 99.5% (availability)
- Any failures in our backups with a target of none (integrity)
- Number of corrective actions with a target of none (all)
We documented a list of measures aimed at delivering on one or more of our stated objectives and then stated the frequency of measurement.
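As an added example (not code from the original page or from ISMS.online), the following Python turns the three measures above into a monthly evaluation: each measure carries its target, the principle it serves and its frequency, and is checked against constructed sample data standing in for an uptime monitor, a backup job log and a corrective-action register.

```python
"""Evaluate ISO 27001 clause 6.2 measures against their targets.

Added example, not the page's or ISMS.online's own code. All input
data below is constructed to stand in for real monitoring sources.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed: one entry per 5-minute uptime probe over a 30-day month
# (8640 probes). A single 150-minute outage is marked as DOWN.
UPTIME_PROBES = ["UP"] * 8640
for i in range(30, 60):
    UPTIME_PROBES[i] = "DOWN"

# Constructed backup job log lines in the style a backup tool might emit.
BACKUP_LOG = [
    "2024-03-01 02:00:11 job=db-nightly status=SUCCESS",
    "2024-03-02 02:00:09 job=db-nightly status=SUCCESS",
    "2024-03-03 02:00:14 job=db-nightly status=FAILED reason=disk_full",
]

# Constructed corrective-action register: (reference, state).
CORRECTIVE_ACTIONS = [("CA-1", "closed"), ("CA-2", "open")]

def uptime_percent(probes):
    """Availability: percentage of probes that saw the service up."""
    return 100.0 * probes.count("UP") / len(probes)

def backup_failures(log_lines):
    """Integrity: number of backup jobs that did not report SUCCESS."""
    return sum(1 for line in log_lines if "status=SUCCESS" not in line)

def open_corrective_actions(register):
    """All principles: corrective actions still open at period end."""
    return sum(1 for _, state in register if state == "open")

@dataclass
class Measure:
    name: str
    principle: str
    target: float
    frequency: str
    value: float
    met: Callable[[float, float], bool]  # how value is compared to target

def evaluate():
    """Return {measure name: (observed value, target met?)} for the period."""
    measures = [
        Measure("System uptime %", "availability", 99.5, "monthly",
                uptime_percent(UPTIME_PROBES), lambda v, t: v >= t),
        Measure("Backup failures", "integrity", 0, "monthly",
                backup_failures(BACKUP_LOG), lambda v, t: v <= t),
        Measure("Open corrective actions", "all", 0, "monthly",
                open_corrective_actions(CORRECTIVE_ACTIONS), lambda v, t: v <= t),
    ]
    return {m.name: (round(m.value, 2), m.met(m.value, m.target)) for m in measures}
```

A measure that is not met is the input to the evaluation process described in the next section, where the result feeds a corrective action or a change to the ISMS.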
Within the ISMS.Online software solution we have a tool to handle not only incident management tracking but improvements and corrective actions too. This makes them all easy to manage and easy to evaluate using the built-in stats feature.
Define process and responsibilities for evaluation
Once you have defined your objectives, determined your measures, and their frequency, it’s necessary to record how you will set about evaluating the results to influence any required changes or improvements to your ISMS.
At Alliantist we put together a team of representatives from senior management to form the Performance Audit and Improvement Board (PAIB). The PAIB is responsible for setting the targets for each of the measures. In our case, our Operations Director owns all measures on behalf of the PAIB, although source data may be delegated to relevant members of staff to obtain.
Within ISMS.online we’ve created a PAIB ‘Project’ where performance is documented, as a KPI, and evaluated as part of our regular management reviews (9.3), or by exception, in between reviews if necessary.
Keep in mind, you cannot know whether your ISMS is effective unless you continuously measure your performance against established goals, and have processes and policies in place to make changes where they are needed.
Using the workspaces provided in ISMS.online you can tie your work in 6.2 tightly with the management reviews in 9.3 and capture the evidence of the results inside your ISMS.online management review board workspace. You can even link to it for ease in specific review meetings and audits. Furthermore, you can demonstrate the results of your performance measurement in various ways, from using exports of your operations systems, harnessing the automated reporting across ISMS.online and, if relevant, using our simple KPI feature within the management review workspace.
In ISMS.online we provide a template policy for meeting 6.2 that you can adopt or adapt to meet your own requirements.
It also includes example objectives you may wish to consider.
Furthermore, you can subscribe to our Virtual Coach for more ISO 27001 expert guidance on 6.2 and the full ISO 27001 requirements and controls.
Discover how you can save time & reduce management resource using ISMS.online to achieve & maintain your ISO 27001 ISMS
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Need a set of ISO 27001 policies for your ISMS?
ISMS.online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you a 77% head start with ISO 27001.