
ISO27001 - Information Security Objectives and Planning to Achieve Them

Having objectives is pretty important if you want to achieve something or get somewhere. Organisations (hopefully) have objectives for most things, like profitability, sales per year, marketing and even their ISO9001 Quality Management System. It makes sense, then, that there should be some objectives linked to your ISO27001 Information Security Management System. As luck would have it, clause 6.2 of the ISO27001 standard is titled Information Security Objectives and Planning to Achieve Them. Here is what is involved.

Defining and Communicating

Be consistent with your information security policy

Think carefully about what you are trying to achieve with the objective. Something like "zero incidents" is not a great way to go: you absolutely will have incidents, and setting a target of zero means either an instant fail when you do have one, or people simply won't report things. It is how you deal with incidents that counts. One of the objectives should surely be getting people to buy into the system, use it and know the policy, so how will you do that?

Be measurable (if practicable)

This is an interesting point for me, because on one hand ISO says to measure your objective, and on the other hand it is basically saying to do so only if it is feasible. Here is my advice: do not set objectives you cannot measure. If you do, you will never know whether you are winning or losing. When measuring something directly seems too hard, consider what leading indicators would give you a clue as to whether the objective is succeeding.

Take into account applicable information security requirements, and results from risk assessment and risk treatment 

What they are saying here is that you have to be realistic about the objective, and it should be based on something. For example, the objectives you set for your ISMS at, say, NASA are going to be very different from those at Joe Bloggs Plumbing (no offence to Joe Bloggs Plumbing). The level of risk, the consequences and therefore the risk treatments are just not the same. A great approach is to head to Annex A of the standard, which lists all the control objectives and suggested controls, and ask: which of those should you implement or improve?

Be Communicated

Communicating it once by standing in front of your entire workforce and reading out the objectives is not communicating it. Five minutes after you do it, no one will remember. Do not get me wrong, it's a start; a better start, however, would be to actually involve your people in defining the objectives if possible. If not, then run workshops on them as part of the roll-out. Talk about the objectives, how they were selected, what the impact on the business is and, more importantly, what the impact on the person is and how they can contribute. Then plan more reminders until everyone knows the objectives off the top of their heads and pleads with you to stop.

Be updated as appropriate

Like everything in ISO, it's about continuous improvement, getting better over time, which is probably why these standards appeal so much to my lean geek self. Think about this one, however: the key word is "appropriate". What is appropriate? It depends! It could be annual, but that is unlikely. It could be when the business changes, or when laws change; for example, the pending update to the NZ Privacy Act (Dec 2020) will almost certainly impact your information security management objectives. As technology and work patterns change you need to think about the impact; consider the impact of COVID-19 and the amount of working from home, for example.

Building a plan to achieve your objectives

The second part of the requirements of this clause is actually defining what a plan is. In other words, it's not good enough to make a list; a plan needs some very specific things attached to it, so that it will be followed through on. Again, ISO 27001 clause 6.2 has the answer for you. Here's what you need in your plan:

  • What will be done
  • What resources will be required
  • Who will be responsible (hint… it should be 1 name of a real person, not a group or a team!)
  • When will it be completed
  • How the results will be evaluated.

It is not an unreasonable list, is it? Without any one of these things it's not a plan, it's a list, and it won't succeed. Do yourself and the organisation a big favour and take the time to really think this through; it will pay huge dividends later.

As part of your ISO27001 ISMS processes you will have built-in management reviews, and that is the perfect time to check on the progress of these objectives, but do not wait until then. Review them when it makes sense to do so, change them when it makes sense to do so and, above all, communicate them all the time.

© Many Caps Consulting Ltd | All Rights Reserved

Wednesday, 02 December 2020