Information Security Objectives & Planning to Achieve Them – ISO 27001 Requirement 6.2

How to do Requirement 6.2 of ISO 27001:2013?

You probably know why you want to implement your ISMS and have some top line organisation goals around what success looks like. The business case builder materials are a useful aid to that for the more strategic outcomes from your management system. Clause 6.2 starts to make this more measurable and relevant to the activities around information security in particular for protecting confidentiality, integrity and availability (CIA) of the information assets in scope.

So in tackling this requirement it’s important to have already understood the organisation and its context (4.1), determined the requirements of interested parties (4.2), established your scope (4.3) and at least started to carry out your risk assessment and treatment (6.1).

The exact requirement for 6.2 is:

“Establish applicable (and if practicable, measurable) information security objectives, taking into account the information security requirements, results from risk assessment and treatment. Determine what will be done, what resources are required, who will be responsible, when they will be completed and how results will be evaluated.”

So clause 6.2 of the standard essentially boils down to the question: ‘How do you know if your information security management system is working as intended?’

How to Set Objectives for Requirement 6.2?

In considering the objectives you want from your information security management system, make sure that they are business focused and are things that will help you run a (more) secure, better-performing organisation rather than just tick boxes and look nice on a page.  Think about what the interested parties will want to see measured and monitored as well.  For example, why are customers buying from you and what would they be worried about going wrong from an information security perspective?  What level of information assurance, what measures and monitoring would be important for them if they looked closely at your ISMS?

Concentrate on developing meaningful objectives, not just lots of measures or targets that will mean you spend all your time on administration with no added value for the organisation. You may well already be measuring and monitoring your objectives, so remember to consider what you are already doing as well as what might need more effort. ISO is not trying to catch anyone out on the measurement side; it just wants to be sure you are measuring what matters, and many smart businesses will already be doing that implicitly, if not explicitly.

Tie your work here tightly to the management reviews in 9.3 and put your evidence of the results inside your management review board workspace, or link to it for ease of reference in specific review meetings and audits. You can demonstrate the results of your performance measurement in various ways: using exports from your operational systems, harnessing the platform’s automated reporting (e.g. for incidents) and, if relevant, using simple KPIs added within the management review workspace.

At Alliantist, the software and services company behind the platform, we came up with about 7 information security objectives, one being:

“Delivery of a secure, reliable cloud service for users (and other interested parties) who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information.”

When you break just that one objective down, it’s clear that there are a number of measurable, actionable areas that spring from it.  For example:

  • Secure – what does that mean in terms of confidentiality and integrity?
  • Reliable – what does that mean in terms of availability of the secure cloud software service?

How to make Information Security Objectives Measurable & Actionable?

Building on the above, one measure of reliability success for Alliantist is the availability of systems like the platform for customers to use. So we have the objective (reliability of the service) and a measure (uptime), and can then set an uptime target, in this case a minimum of 99.5% availability (against which we continually achieve 100%). Then we considered the frequency of measurement, the owner responsible, and where the source data for the measurement would come from as evidence. We then added that into the platform as a KPI that gets addressed as part of the management reviews, and of course, because it is a fundamental metric for our software service’s success, it is also continuously monitored operationally. The source of that data is the uptime logs. Some other, more strategic metrics, e.g. customer, auditor and stakeholder confidence in our ISMS overall, are measured less frequently and are more subjective in some respects, but are nonetheless important as part of the broader ISMS performance.
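The paragraph above lists the pieces clause 6.2 wants recorded for an objective: the measure, the target, who owns it, how often it is measured and where the evidence comes from. As an added example (not the article’s or the platform’s own code), the script below captures those fields for the reliability objective and computes the availability percentage from a constructed outage log, then compares it with the 99.5% target. The owner role, the log format, the dates and the outage entries are all assumptions made for illustration.

```python
"""Added example: evaluating a measurable information security objective
(clause 6.2) from outage records.  Objective, measure and target follow the
article; the owner role, log format and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Objective:
    name: str
    measure: str
    target_pct: float
    owner: str          # assumed role name
    frequency: str      # how often the result is reviewed
    data_source: str    # where the evidence is pulled from


RELIABILITY = Objective(
    name="Reliability of the service",
    measure="Availability (uptime %)",
    target_pct=99.5,
    owner="Operations Director",
    frequency="Monthly, reported at management review",
    data_source="Uptime monitoring outage log",
)

# Constructed sample outage log (not real data): ISO-8601 start, end, cause.
SAMPLE_OUTAGE_LOG = """\
# start,end,cause
2024-03-04T02:10:00,2024-03-04T02:25:00,planned maintenance
2024-03-18T14:03:00,2024-03-18T14:41:00,database failover
2024-03-27T09:00:00,2024-03-27T09:12:00,certificate renewal error
"""


def parse_outages(log_text):
    """Return a list of (start, end) datetimes from the outage log text."""
    outages = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start_s, end_s, _cause = line.split(",", 2)
        start, end = datetime.fromisoformat(start_s), datetime.fromisoformat(end_s)
        if end < start:
            raise ValueError(f"outage ends before it starts: {line}")
        outages.append((start, end))
    return outages


def availability_pct(outages, period_start, period_end):
    """Percentage of the review period during which the service was up.
    Outages are clipped to the period, so one that straddles a boundary
    only counts for the part that falls inside it."""
    period = period_end - period_start
    if period <= timedelta(0):
        raise ValueError("review period must be non-empty")
    downtime = timedelta(0)
    for start, end in outages:
        clipped_start = max(start, period_start)
        clipped_end = min(end, period_end)
        if clipped_end > clipped_start:
            downtime += clipped_end - clipped_start
    return 100.0 * (1 - downtime / period)


def evaluate(objective, outages, period_start, period_end):
    """Build the KPI row that would be presented at the management review."""
    actual = availability_pct(outages, period_start, period_end)
    return {
        "objective": objective.name,
        "measure": objective.measure,
        "target_pct": objective.target_pct,
        "actual_pct": round(actual, 3),
        "met": actual >= objective.target_pct,
        "owner": objective.owner,
        "frequency": objective.frequency,
        "data_source": objective.data_source,
    }


if __name__ == "__main__":
    march = (datetime(2024, 3, 1), datetime(2024, 4, 1))
    row = evaluate(RELIABILITY, parse_outages(SAMPLE_OUTAGE_LOG), *march)
    for key, value in row.items():
        print(f"{key:>12}: {value}")
```

Keeping the target, owner, frequency and data source next to the computed result means the KPI row itself is the evidence an auditor asks for under 6.2; the calculation is deliberately simple so that the figure can be reconciled against the raw monitoring data.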

This is a great opportunity to develop metrics that matter for your organisation, if you have not already done so. We encourage a ‘fewer and better managed’ approach rather than ‘lots and poorly managed’. If your organisation has departments or specific areas of the business that are affected differently in terms of confidentiality, integrity and availability (CIA), that would justify breaking down measures for each area, and ISO would expect to see that breakdown as well as the high-level, more strategic metrics.

Other metrics that help demonstrate CIA follow fairly obviously from the requirements set by ISO 27001 around managing incidents, risk assessments/reviews, improvements and corrective actions, etc. In the platform we have a number of tools that automatically provide performance statistics that are helpful in demonstrating effective performance of the ISMS. These include incident management tracking, improvements and corrective actions, and a host of others that make much of objectives management a zero-effort exercise instead of wasting time with spreadsheets and PowerPoint.

How to Define Process & Responsibilities for Evaluation of Information Security Objectives?

Once you have defined your objectives, determined your measures, and their frequency for measurement, it’s necessary to show how you will set about evaluating the results then take action for any required changes or improvements to your ISMS.

At Alliantist we put together a team of representatives from the senior management team to form the ISMS Board. The ISMS Board is responsible for setting the targets for each of the measures. Our Operations Director owns the objectives that affect the ISMS from a production and operations perspective.  The source data is delegated to relevant members of staff to evidence, all of which is pulled from existing systems and simply summarised into KPIs and statistics reporting that form a part of the regular management reviews in line with clause 9.3.

See how simple it is with the platform

How to easily demonstrate 6.2 Information security objectives

The platform makes it easy to establish applicable, practical and measurable information security objectives.

Step 1 : Adopt, adapt and add

Our pre-configured ISMS will enable you to evidence requirement 6.2 within our platform and can easily be adapted to your organisation’s needs. The AAA framework will guide you on developing meaningful objectives and provide a structure for recording these objectives. You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.

This means that you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.

Step 2 : Demonstrate to your auditors

You can easily demonstrate your work to auditors by documenting your evidence within the platform e.g. by uploading flip chart images, brainstorm work, or more detailed notes.

Step 3 : A time-saving path to certification

Our Assured Results Method, ARM, is your simple, practical, time-saving path to first-time ISO 27001 compliance or certification. Requirement 6.2 is part of the first section that ARM will guide you on, which will help you to understand your organisation in relation to information security. This will then help you to determine which Assets, Systems, People, Locations etc. fall within the scope of you

Step 4 : Extra support whenever you need it

If you need extra support, our optional Virtual Coach provides context-specific help whenever you need it. Additionally, our Service Delivery Team and your Account Manager are only ever a phone call away.