How do I tackle the requirements of 6.2 in ISO 27001:2013?
Having understood the organisation and its context (4.1), determined the requirements of interested parties (4.2), established your scope (4.3) and carried out your risk assessment and treatment (6.1), you can now use these to inform your policy and controls for 6.2:
"Establish applicable (and if practicable, measurable) information security objectives, taking into account the information security requirements, results from risk assessment and treatment. Determine what will be done, what resources are required, who will be responsible, when they will be completed and how results will be evaluated."
Sect. 6.2 of the standard essentially boils down to one question: 'How do you know if your information security management system is working well?'
To do this you need to arrive at a set of objectives (keeping in mind Sects. 4.1, 4.2, 4.3 and 6.1) and determine how you will evaluate and measure performance against each of those objectives.
Consider the objectives you want to achieve as an organisation in relation to information security.
At Alliantist, we came up with about 7 objectives with the core one being:
"Delivery of a secure, reliable cloud service for users and other interested parties who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information."
NB: Don't go overboard and keep things at a high level!
Another example from our objectives:
“Provide a pragmatic digital paperless ISMS for staff (and other interested parties who need to access it), integrated into their day to day work practices to ensure it becomes a habit for good performance not an inhibitor to getting their work done.”
Determine your measurement system
Once you have those objectives, consider the key things that should and shouldn't be happening if you were to meet each one of them and how you would go about measuring those things.
For example, a key measure of success for us is the availability of our systems for customers to use. So we have an uptime target of 99.5% (or whatever SLA you have agreed with customers) as one of the measures we track each month using our uptime monitoring systems.
When you are thinking about what to measure, keep in mind the three principles that run through ISO 27001: Confidentiality, Integrity and Availability.
So, for example, some of the things we measured ourselves against were:
System uptime with a target of 99.5% (availability)
Any failures in our backups with a target of none (integrity)
Number of corrective actions with a target of none (all)
We documented a list of measures, each aimed at delivering on one or more of our stated objectives, and then stated the frequency of measurement for each.
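To show what turning a measure into a monthly reading looks like in practice, here is an added worked example (not Alliantist's code and not part of ISMS.Online) that computes the system uptime measure against the 99.5% target above from an uptime monitor's outage records. The outage timestamps are constructed for illustration, the function names are assumptions, and the two edge cases a practitioner hits when doing this by hand are handled: an outage that crosses the month boundary is clipped to the month being reported, and overlapping outages (for instance the same event reported by two monitors) are merged so the downtime is not double-counted.

```python
"""Monthly availability KPI computed from outage records (added example).

Assumptions not taken from the original post: outage records are
(start, end) datetime pairs exported from an uptime monitor, and each
calendar month is evaluated against the 99.5% uptime target.
"""
from datetime import datetime, timedelta

TARGET_AVAILABILITY_PCT = 99.5  # the uptime target quoted in the post

# Constructed sample data for illustration only: four outages, two of which
# overlap (as if reported by two monitors) and one that crosses the month end.
SAMPLE_OUTAGES = [
    (datetime(2023, 3, 4, 2, 0), datetime(2023, 3, 4, 3, 30)),      # 90 min
    (datetime(2023, 3, 10, 10, 0), datetime(2023, 3, 10, 10, 30)),  # overlaps the next one
    (datetime(2023, 3, 10, 10, 15), datetime(2023, 3, 10, 10, 45)), # merged: 45 min total
    (datetime(2023, 3, 31, 23, 0), datetime(2023, 4, 1, 1, 0)),     # spans March/April
]

# Constructed example of a month that breaches the target: one 5-hour outage in February.
BREACH_EXAMPLE = [(datetime(2023, 2, 1, 0, 0), datetime(2023, 2, 1, 5, 0))]


def month_window(year, month):
    """Return the [start, end) bounds of a calendar month as datetimes."""
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def merge_intervals(outages):
    """Merge overlapping or touching outages so shared downtime is counted once."""
    merged = []
    for start, end in sorted(outages):
        if end <= start:
            raise ValueError(f"outage ends before it starts: {start} -> {end}")
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_in_window(outages, window_start, window_end):
    """Total downtime inside the window, clipping outages that cross its edges."""
    total = timedelta()
    for start, end in merge_intervals(outages):
        clipped_start = max(start, window_start)
        clipped_end = min(end, window_end)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return total


def availability_pct(outages, year, month):
    """Percentage of the month during which the service was up."""
    start, end = month_window(year, month)
    down = downtime_in_window(outages, start, end)
    return 100.0 * (1 - down / (end - start))


def error_budget_remaining(outages, year, month, target_pct=TARGET_AVAILABILITY_PCT):
    """Downtime still allowed this month before the target is breached (negative once breached)."""
    start, end = month_window(year, month)
    allowed = (end - start) * (1 - target_pct / 100)
    return allowed - downtime_in_window(outages, start, end)


def evaluate_month(outages, year, month, target_pct=TARGET_AVAILABILITY_PCT):
    """Produce the KPI record that would be filed for the monthly review."""
    value = availability_pct(outages, year, month)
    remaining = error_budget_remaining(outages, year, month, target_pct)
    return {
        "measure": "system uptime",
        "period": f"{year}-{month:02d}",
        "value_pct": round(value, 3),
        "target_pct": target_pct,
        "met": value >= target_pct,
        "budget_remaining_min": round(remaining.total_seconds() / 60, 1),
    }


if __name__ == "__main__":
    for year, month in [(2023, 3), (2023, 4)]:
        print(evaluate_month(SAMPLE_OUTAGES, year, month))
    print(evaluate_month(BREACH_EXAMPLE, 2023, 2))
```

The record returned by `evaluate_month` carries the measure name, the period, the reading, the target and whether it was met, which is exactly what needs to be filed each month; the remaining error budget is a useful extra for spotting a month that is still within target but trending towards a breach.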
Within ISMS.Online we have a tool to handle not only incident tracking but improvements and corrective actions too. This makes them all easy to manage and easy to evaluate using the built in stats feature.
Of course, for some measures you may need to consult external systems (such as uptime monitoring) in order to obtain readings each month. For these we record the results using our KPI feature.
This ensures we track our results each month and that everything relevant to our information security management system is kept in one secure online environment, ready for effective management reviews.
Define process and responsibilities for evaluation
Once you have defined your objectives, determined your measures, and their frequency, it’s necessary to record how you will set about evaluating the results to influence any required changes or improvements to your ISMS.
At Alliantist we put together a team of representatives from senior management to form the Performance Audit and Improvement Board (PAIB). The PAIB is responsible for setting the targets for each of the measures. In our case, our Operations Director owns all measures on behalf of the PAIB, although source data may be delegated to relevant members of staff to obtain.
Within ISMS.Online we’ve created a PAIB ‘Project’ where performance is documented as a KPI and evaluated as part of our regular management reviews (9.3), or by exception between reviews if necessary.
We hope this has helped! Keep in mind that you cannot know whether your ISMS is effective unless you continuously measure your performance against established objectives, and have processes and policies in place to make changes where they are needed.
Stay tuned: we’ll be taking a look at 9.3, Management Reviews, next.