Tackling the requirements of 6.2 in ISO 27001:2013

We hear a lot about ROI – Is the investment paying off?

It’s what drives most boardroom decisions.

Indeed, to ensure we can judge correctly whether anything is effective, we need to measure performance against a set of key objectives and use that data to inform good decision making.

If you are implementing ISO 27001:2013 and are struggling on the requirements of 6.2, consider it in terms of ROI.

Without these important controls you have an ISMS that you’ve invested heavily in but have no idea whether it is being effective in reducing the risk of an information security breach (and its related cost!).

You have no defined goals, no system metrics and no data to base decisions.

The whole ISO 27001 implementation boils down to, are we meeting our information security objectives and how do we know we are? Oh, and of course, if we’re not then what are we doing about it?

In 6.2, just as with any business process, it’s necessary to:

Set your information security objectives
Establish your metrics
Define your process for evaluation.

The tools and frameworks in ISMS.Online will help you measure and evaluate your ISMS whilst our ISO 27001 Virtual Coach Programme gives expert guidance where and when you need it most.

by Mark Sharron

27 September 2021

ISO 27001

How to write an internal audit report for ISO 27001

An Internal audit report structure for ISO 27001 is something you need to know. Creating an effective and professional internal audit report is essential for… Keep reading >

by Sami Derfoufi

27 September 2021

ISO 27001

How to prepare for an internal ISO 27001 audit – The auditee’s perspective

Internal audits of ISO 27001 assist organisations in ensuring that their requirements and those required by the standard are being met. The ISO 27001 internal… Keep reading >

by Aaron Korpal

27 September 2021

ISO 27001

What are the different types of ISO 27001 internal audits?

An audit of your ISMS allows for the management system to be reviewed by an objective and competent auditor. It will test the elements of… Keep reading >

by Micah Mutsani

24 September 2021

ISO 27001

How to avoid common ISO 27001 internal audit mistakes

Internal audits of the management system are a mandatory requirement of ISO 27001 and all other mainstream ISO standards. The requirements are very minimal, however… Keep reading >

by Mark Sharron

24 September 2021

ISO 27001

What is the ISO 27001 audit process?

Audits are commonly used to ensure that an activity meets a set of defined criteria. For all ISO management system standards, audits are used to… Keep reading >

by Mark Sharron

24 September 2021

ISO 27001

How do I explain an ISMS to my colleagues?

An information security management system (ISMS) is essentially a cohesive collection of documents, systems and data that combine to enable the appropriate measures to be… Keep reading >

by Mark Darby

3 August 2021

Cyber security

ISO 27001 Simplified: Assured Results Method (ARM) Guide

One of the most common questions organisations that are new to information security management ask is ‘where do I start with ISO 27001:2013?’ To achieve… Keep reading >

by Al Robertson

27 May 2021

Certification

How to maintain your ISO 27001 certification

Even with the best help and support available, achieving ISO 27001 certification is a challenging process. It takes time, effort and real organisational commitment. So… Keep reading >

Making-the-case-for-an-ISO-27001-certified-ISMS

by Al Robertson

19 May 2021

ISO 27001

How the Colonial Pipeline hack makes the case for ISO 27001

We’ve already talked briefly about last week’s Colonial Pipeline hack. It’s one of the most impactful ransom attacks in history. Even the hackers, DarkSide, felt… Keep reading >