ISO 27001:2013 Clause 6.2 Information Security objectives

by Pretesh Biswas,

Business managers expect information security to protect the information in business systems and to keep those systems from being interrupted. Information security supports the business in achieving its objectives. To begin developing a strategic plan for security it is essential to understand the business objectives and the key elements of the information security function. Business objectives can be analyzed to identify dependencies on security, and the security objectives can then be defined in terms of business objectives. The security objectives are in turn shaped by business and environmental constraints, and by threats and vulnerabilities. Metrics are developed to allow comparison between current security capability and the capability required to meet business requirements. Strategies can be developed to close the gap between current and planned capability while allowing for environmental constraints and threats. A strategy is a direction or approach taken to meet one or more objectives. Strategies do not have priorities: they are mutually exclusive. Each strategy is supported by one or more initiatives. An initiative is the implementation of an operational plan that achieves part or all of the security objectives. The overall objective is to implement a range of initiatives that collectively achieve all of the security objectives.

Each network service that you use or provide poses risks to your system and to the network to which it is connected. A security policy is a set of rules that apply to activities for the computer and communications resources that belong to an organization. These rules cover areas such as physical security, personnel security, administrative security, and network security. Your security policy defines what you want to protect and what you expect of your system users.
The security policy provides a basis for security planning when you design new applications or expand your current network. It describes user responsibilities, such as protecting confidential information and creating nontrivial passwords. Your security policy should also describe how you will monitor the effectiveness of your security measures. Such monitoring helps you to determine whether someone might attempt to circumvent your safeguards. To develop your security policy, you must clearly define your security objectives. After you create a security policy, you must take steps to put into effect the rules it contains. These steps include training employees and adding the necessary software and hardware to enforce the rules. Also, when you make changes in your computing environment, you should update your security policy, so that any new risks that your changes might introduce are addressed.
When you create and carry out a security policy, you must have clear objectives. Security objectives fall into one or more of the following categories:

  1. Resource protection
    Your resource protection scheme ensures that only authorized users can access objects on the system. The ability to secure all types of system resources is a strength of the system. You should carefully define the different categories of users that can access your system. Also, you should define what access authorization you want to give these groups of users as part of creating your security policy.
  2. Authentication
    The assurance or verification that the resource (human or machine) at the other end of the session really is what it claims to be. Solid authentication defends a system against the security risk of impersonation, in which a sender or receiver uses a false identity to access a system. Traditionally, systems have used passwords and user names for authentication; digital certificates can provide a more secure method of authentication while offering other security benefits as well. When you link your system to a public network like the Internet, user authentication takes on new dimensions. An important difference between the Internet and your intranet is your ability to trust the identity of a user who signs on. Consequently, you should seriously consider using stronger authentication methods than traditional user name and password login procedures provide. Authenticated users might have different types of permissions based on their authorization levels.
  3. Authorization
    The assurance that the person or computer at the other end of the session has permission to carry out the request. Authorization is the process of determining who or what can access system resources or perform certain activities on a system. Typically, authorization is performed in the context of authentication.
  4. Integrity
    The assurance that arriving information is the same as what was sent out. Understanding integrity requires you to understand the concepts of data integrity and system integrity.  
    1. Data integrity: Data is protected from unauthorized changes or tampering. Data integrity defends against the security risk of manipulation, in which someone intercepts and changes information to which he or she is not authorized. In addition to protecting data that is stored within your network, you might need additional security to ensure data integrity when data enters your system from untrusted sources. When data that enters your system comes from a public network, you need security methods so that you can perform the following tasks:
      • Protect the data from being sniffed and interpreted, typically by encrypting it.
      • Ensure that the transmission has not been altered (data integrity).
      • Prove that the transmission occurred (nonrepudiation). In the future, you might need the electronic equivalent of registered or certified mail.
    2. System integrity
      Your system provides consistent and expected results with expected performance. For the i5/OS operating system, system integrity is the most commonly overlooked component of security because it is a fundamental part of i5/OS architecture. i5/OS architecture, for example, makes it extremely difficult for a hacker to imitate or change an operating system program when you use security level 40 or 50.
  5. Nonrepudiation
    The proof that a transaction occurred, or that you sent or received a message. The use of digital certificates and public-key cryptography to sign transactions, messages, and documents supports nonrepudiation. Both the sender and the receiver agree that the exchange took place. The digital signature on the data provides the necessary proof.
  6. Confidentiality
    The assurance that sensitive information remains private and is not visible to an eavesdropper. Confidentiality is critical to total data security. Encrypting data by using digital certificates and Secure Sockets Layer (SSL) or virtual private network (VPN) connections helps ensure confidentiality when transmitting data across untrusted networks. Your security policy should define how you will provide confidentiality for information within your network as well as when information leaves your network.
  7. Auditing security activities
    Monitoring security-relevant events to provide a log of both successful and unsuccessful (denied) access. Successful access records tell you who is doing what on your systems. Unsuccessful (denied) access records tell you either that someone is attempting to break your security or that someone is having difficulty accessing your system.

6.2 Information security objectives and planning to achieve them

The organization must establish information security objectives at relevant functions and levels. The information security objectives must be consistent with the information security policy, be measurable (if practicable), take into account applicable information security requirements and the results of risk assessment and risk treatment, and be communicated and updated as appropriate. The organization must retain documented information on the information security objectives.
When planning how to achieve the information security objectives, the organization must determine what will be done, what resources will be required, who will be responsible, when it will be completed, and how the results will be evaluated.

Set Objectives

Sect. 6.2 of the standard essentially boils down to the question: ‘How do you know if your information security management system is working well?’ To answer it you need to arrive at a set of objectives, keeping in mind clauses 4.1, 4.2, 4.3, and 6.1, and determine how you will evaluate and measure performance against each of those objectives. Consider the objectives you want to achieve as an organization in relation to information security. Some examples could be:

  • “Delivery of a secure, reliable cloud service for users and other interested parties who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information.”
  • “Provide a pragmatic digital paperless ISMS for staff (and other interested parties who need to access it), integrated into their day-to-day work practices to ensure it becomes a habit for good performance, not an inhibitor to getting their work done.”
  • How can you write measurable objectives?
    Plans by their nature are largely concerned with change or an effort to maintain valued aspects of the current situation. The extensive process of information collection and analysis, consultation, validation, and priority setting is used to identify where you think the effort needs to be focussed. When it comes to writing these into objectives, there should be a clear logic between objectives and the goal they are pursuing. Objective statements will follow a general form: ‘To do what, for whom, by when?’. Careful selection of the language used to express objectives can provide a clearer intention of what will be done and what you hope to achieve. Strong, clear verbs describe the ‘do’ component and are the key to setting the tone and commitment of the objective. The list of verbs below provides some examples of words that are action-oriented applied to common interventions.
    Caution is recommended against the over-use of words such as ‘develop’, ‘facilitate’ or ‘support’. These are less descriptive and can dull the tone of a plan if over-used. However, they should not be replaced with inferior, vaguer words or at the other extreme, technical terms or jargon. Avoid words like ‘enhance’, ‘commit’, which are not specific and hence more difficult to measure. Also, avoid multiple verb use for objectives: For example:
    Not: ‘To explore opportunities to increase access to…’
    Try: ‘To increase access to …’
    In this case, ‘exploring opportunities’ is probably a step towards ‘increasing access’. However, you don’t need to include the steps you will take to achieve your objective in the objective statement. If it warrants it, this will be described at the strategy level (which, as stated above, is the level of the actions taken to reach these objectives). Words like ‘explore’, ‘discuss’, ‘commence’, ‘seek’, and ‘encourage’ are often used in this way and should be avoided. If these words cannot be eliminated in favor of a more direct word, the likelihood is that you are describing a strategy, not an objective, or you are not clear enough in your own mind about what you propose to do.
  • How can you keep your objectives consistent?
    One of the challenges of plan writing is creating a consistent relationship between plan statements so that they are pitched at a consistent level. It is confusing if an objective in one part of a document is a broad statement while in another it is quite specific (more like a strategy). One way of checking whether your objectives are pitched at the right level is to ask ‘why?’ The answer will test the theory behind your objective and should lead you to a health and wellbeing goal – whether stated or implied. If the goal is more than one step away from the statement, the likelihood is that it is pitched at a strategic level. The verbs used might not provide any clues to the appropriate level. Words like ‘increase’ and ‘decrease’ are likely to be used at both the goal level and the strategic level. However, at a goal level ‘increase’ is likely to be applied to the quality of life and ‘decrease’ to the incidence of illness or disease. At a strategy level, both are likely to be applied to features of service systems or standards. Other words might fit either an objective or a strategy level; however, some will suggest that the statement is better included at a strategic level. Words more common at a strategy level include:
  • How can I check my objectives?
    A good way to test your objectives is to use the SMART technique. SMART statements have the following characteristics:
    S – Specific: it indicates clear action on a determinant, population group, and setting.
    M – Measurable: it includes features that will help you tell whether it has succeeded.
    A – Attainable: it can be realistically achieved on time and within available resources.
    R – Relevant: it is a logical way to achieve your goals.
    T – Time-framed: it indicates a timeframe for action.

Determine the metrics system

Once you have those objectives, consider the key things that should and shouldn’t be happening if you were to meet each one of them, and how you would go about measuring those things. For example, a key measure of success could be the availability of systems for customers to use. So you can have an uptime objective of 99.5% (or an SLA with customers) as one of the measures you track each month using your uptime monitoring systems. When you are thinking about what to measure, keep in mind the three key principles that run through ISO 27001: confidentiality, availability, and integrity. So, for example, some of the things you might measure yourself against are:

  • System uptime with a target of 99.5% (availability)
  • Any failures in our backups with a target of none (integrity)
  • Number of corrective actions with a target of none (all)

The philosophy of ISO 27001 is the PDCA management cycle (Plan-Do-Check-Act). The concept of measurement is also best explained through this PDCA cycle:

  • In the Plan phase, you need to set the objectives
  • In the Do phase, you must work out how to measure the extent to which your objectives are achieved
  • In the Check phase you need to start the actual measurement, and finally
  • In the Act phase, once you realize you haven’t achieved your objectives (which is very often the case), you need to make improvements

So how can you measure a backup or a firewall? The secret lies in setting objectives that are easy to measure – you might have heard of the S.M.A.R.T. concept: objectives need to be Specific, Measurable, Achievable, Relevant, and Time-based.

  • So, what would it look like for the firewall? Something like ‘We want our firewall to stop 100% of unwanted network traffic’. Is it measurable? Yes – you will find out, sooner or later, whether some unwanted traffic has passed through the firewall.
  • Another example – backup. The objective could be ‘We want to limit data loss to a maximum of 6 hours.’ Measurable? Yes – and you don’t have to wait for data loss to happen; you can test your backup and see how much of the data you can restore.
  • An example of the objective for the whole ISMS could be ‘We want to decrease the number of information security incidents by 50% in the next year’. Again, pretty specific and therefore measurable.

Setting the objectives and measuring them is a rather new and unexplored aspect of information security. It is very often considered as an overhead because of the lack of knowledge in the first place, not so much because of practical reasons.

Here is an example of a set of information security objectives:

| S. No. | Parameter | Objective | Periodicity | Responsible Team |
|---|---|---|---|---|
| 1 | Average minor non-conformities per audit cycle (per department) | <=5 | Every 6 months (post audit) | ISMS |
| 2 | Impact on assets/human resources due to fire accidents | =100% compliance | Every 6 months | ISMS |
| 3 | Internet downtime (on working days in working hours) | >=99% availability | Every 6 months | IT Team |
| 4 | Infected file status (new + still infected) count because of virus and spyware | <=3 | Every 6 months | IT Team |
| 5 | Overall high-priority incident occurrence rate: Admin + Facilities; HR (should include incidents related to POSH); Customer Delivery/Project | | Every 6 months (pre-audit) | ISMS |
| 6 | Customer satisfaction on internal infrastructure | >=90% | Every 6 months (pre-audit) | Support/Delivery/IT |
| 7 | License issues | =100% compliance | Every 6 months | IT |
| 8 | IP/legal issues | =100% compliance | Every 6 months | Management/Directors |
| 9 | Repetition of audit findings in next internal audit | <=2 | Every 6 months (post audit) | ISMS |
| 10 | Count of residual risks | <=10 | Every 6 months (pre-audit) | ISMS |
| 11 | Full backup failures | <=2 times | Every 6 months | IT Team |
| 12 | Downtime due to power failure (during working hours) | <=6 hours | Every 6 months | Admin team |
| 13 | Number of employees relieved/terminated without execution of HR exit checklist | =100% compliance | Every 6 months | HR team |
| 14 | Security testing for all projects | =100% compliance | Every 6 months | Delivery team |
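The objectives in a table like this are only useful if each one is actually computed from data at the stated periodicity. The following Python script is an added example (not code from the original page or from any organization it describes) showing how three such objectives are evaluated mechanically: working-hours availability from outage records (row 3), full-backup failures from job results (row 11), and a failed-login KPI of the kind mentioned later in this post, derived from the denied-access audit records that the auditing objective above asks you to keep. The working hours (weekdays 09:00–18:00), the sshd-style log format, and every outage, backup record and log line are constructed for illustration.

```python
"""Evaluate information security objectives of the kind tabulated above
against measured data. Added example, not from the original page; all
measurements, log lines and the working-hours assumption (weekdays
09:00-18:00) are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import operator
import re

# The comparison operators used in the objectives table.
OPS = {"<=": operator.le, ">=": operator.ge, "=": operator.eq}
WORKDAY_START, WORKDAY_END = 9, 18   # assumed working hours (24h clock)


@dataclass(frozen=True)
class Objective:
    parameter: str
    op: str         # "<=", ">=" or "="
    target: float
    unit: str       # "%" for percentages, "" for plain counts


def parse_target(text: str) -> tuple[str, float, str]:
    """Parse a target cell such as '>=99% availability' or '<=2 times'."""
    m = re.match(r"\s*(<=|>=|=)\s*(\d+(?:\.\d+)?)\s*(%?)", text)
    if not m:
        raise ValueError(f"unparseable target: {text!r}")
    return m.group(1), float(m.group(2)), m.group(3)


def working_seconds(start: datetime, end: datetime) -> float:
    """Seconds of [start, end) that fall on weekdays inside working hours."""
    total, cur = 0.0, start
    while cur < end:
        next_hour = cur.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
        seg_end = min(end, next_hour)
        if cur.weekday() < 5 and WORKDAY_START <= cur.hour < WORKDAY_END:
            total += (seg_end - cur).total_seconds()
        cur = seg_end
    return total


def availability_pct(period: tuple[datetime, datetime],
                     outages: list[tuple[datetime, datetime]]) -> float:
    """Availability during working hours only, as row 3 of the table specifies:
    100 * (1 - downtime / scheduled time). Night and weekend outages do not
    count against this objective."""
    p_start, p_end = period
    scheduled = working_seconds(p_start, p_end)
    down = sum(working_seconds(max(s, p_start), min(e, p_end)) for s, e in outages)
    return 100.0 * (1.0 - down / scheduled)


def failed_logins(log_lines: list[str]) -> dict[str, int]:
    """Count denied logins per account from sshd-style audit lines."""
    counts: dict[str, int] = {}
    for line in log_lines:
        m = re.search(r"Failed password for (?:invalid user )?(\S+) from", line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def evaluate(obj: Objective, measured: float) -> dict:
    """Compare one measurement with its objective using the table's operator."""
    return {"parameter": obj.parameter, "measured": round(measured, 2),
            "target": f"{obj.op}{obj.target:g}{obj.unit}",
            "met": OPS[obj.op](measured, obj.target)}


def review_period() -> list[dict]:
    """Evaluate three objectives over one constructed review week (4-10 March 2024)."""
    period = (datetime(2024, 3, 4), datetime(2024, 3, 11))
    outages = [  # constructed (start, end) outage records
        (datetime(2024, 3, 5, 10, 30), datetime(2024, 3, 5, 11, 15)),  # 45 min in hours
        (datetime(2024, 3, 7, 17, 30), datetime(2024, 3, 7, 19, 0)),   # only 30 min count
        (datetime(2024, 3, 9, 2, 0), datetime(2024, 3, 9, 4, 0)),      # Saturday: ignored
    ]
    backups = [("2024-03-04", "OK"), ("2024-03-06", "FAILED"), ("2024-03-08", "OK")]
    log = [  # constructed audit lines; 203.0.113.0/24 is a documentation range
        "Mar  5 10:02:11 host sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2",
        "Mar  5 10:02:14 host sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2",
        "Mar  5 10:05:40 host sshd[4133]: Accepted publickey for alice from 203.0.113.20 port 50211 ssh2",
        "Mar  6 08:59:03 host sshd[4201]: Failed password for bob from 203.0.113.9 port 40231 ssh2",
    ]
    objectives = [
        ("Internet downtime (working hours)", ">=99% availability", availability_pct(period, outages)),
        ("Full backup failures", "<=2 times", sum(1 for _, s in backups if s == "FAILED")),
        ("Failed login attempts per account", "<=1", max(failed_logins(log).values(), default=0)),
    ]
    results = []
    for name, target_text, measured in objectives:
        op, target, unit = parse_target(target_text)
        results.append(evaluate(Objective(name, op, target, unit), measured))
    return results


if __name__ == "__main__":
    for r in review_period():
        print(f"{'MET ' if r['met'] else 'MISS'} {r['parameter']}: {r['measured']} (target {r['target']})")
```

With the constructed data the availability objective is missed (97.22% against >=99%, because two outages overlapped working hours), the backup objective is met (one failure against <=2), and the failed-login KPI is missed (the `admin` account accumulated two denied attempts). Restricting the availability calculation to the scheduled window is what makes the row 3 wording "on working days in working hours" testable; without that restriction a weekend maintenance window would count against the objective.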

Information security key performance indicators

A key performance indicator (KPI) is a metric used to evaluate factors that are crucial to the success of an organization. It differs from an objective in that an objective is something you want to achieve, while a KPI is something used to verify whether your efforts are leading you toward the defined objective. For example, if 60 mph is the speed objective, the speedometer helps you to achieve and maintain this speed. When decision-makers are surrounded by information and have limited resources to work on objectives, defining the most relevant indicators (the KPIs) and how and when they should be presented is a good way to help monitor results and make proper decisions. Besides verifying whether one is on course to achieve the proposed objectives, KPIs may be used to support ISO 27001 by helping to communicate the importance of information security management and objectives. Though there are many criteria you can use for KPI selection, some aspects are common to them and can make your task easier:

  • Business relevant: the indicator should be aligned to clear business objectives or legal requirements, which makes it easier for people to understand why it should be measured and evaluated. ISO 27001 has some requirements that may be addressed by the use of indicators related to effectiveness and compliance, but an organization should consider efficiency indicators too; for example, the Return On Security Investment (ROSI) can show how well the resources are used to support security planning.
  • Process integrated: activities to collect the necessary data for a KPI should add the least amount of work possible, compared to the usual activities required to deliver the product/service, and the information (e.g., marking a step as completed or recording the time to perform an activity) needed should be in the same forms already used by the process.
  • Assertive: the indicator should be capable of pinpointing relevant issues (e.g., process steps, organizational areas, resources, etc.) that need attention. For example, a KPI related to the number of failed login attempts explicitly limits the scope to the login process.

Examples of performance indicators

The following examples cover a complete PDCA (Plan-Do-Check-Act) sequence, showing how different indicators can be used to get a full view of the performance of the processes related to information security management.

  1. Plan
    • Percent of business initiatives supported by the ISMS: an indicator that shows the ISMS’s level of alignment and integration with the business. The higher the value, the more optimized the ISMS resources, since management resources are being used over more aspects of the organization. You can use the ISMS Scope Document, compared to all services/processes of the organization, to obtain this information.
    • Percent of information security initiatives containing cost/benefit estimates: an indicator that shows the organization’s maturity on risk treatment. The higher the value, the more the risk treatment decisions are based on facts. You can use the Risk Assessment and Treatment Report and the Risk Treatment Plan, compared to all security initiatives implemented, to obtain this information.
    • Percent of agreements with information security clauses: an indicator that shows how services and products, provided by you or supplied to you, are legally supported considering information security aspects (e.g., availability, confidentiality, integrity, and continuity). The higher the value, the better supported your relationships with clients and suppliers are. You can use Non-Disclosure Agreements and SLAs with information security clauses, compared to all agreements related to services and products, to obtain this information.
  2. Do
    • Number of security-related service downtimes: downtimes related to information security issues directly reflect the effectiveness of the ISMS. This information can be obtained from operational reports.
    • Duration of service interruptions: as important as the number of downtimes, the average duration of downtimes is an important measurement of ISMS effectiveness. This information can be obtained from operational reports.
    • Incident resolution time: another important measurement of ISMS effectiveness; this information can be obtained from operational reports.
  3. Check
    • Percent of controls assessment performed: an indicator that gives you a view of how many security measures are being reviewed. The higher the value, the more controls are being analyzed in terms of effectiveness, efficiency, and opportunities for improvement. You can use the Risk Treatment Plan, compared to Training Plans, Incident Logs, Audit Reports, and Management Review Minutes, to obtain this information.
  4. Act
    • Number of improvement initiatives: an indicator that shows the proactivity of an organization’s ISMS with respect to changes in the environment and the opportunities identified. Changes made with the objective of improving results or preventing losses, instead of correcting errors or problems, are good examples that reflect a high value on this KPI. You can use the Audit Reports and Management Review Minutes to obtain this information.

Proper monitoring to improve results and avoid problems

Organizations are under constant pressure to achieve results and to do so, it is essential that they can count on proper navigational instruments that can show them if they are on the right course and allow timely adjustments. But, it is also essential that these instruments are well-chosen and calibrated, or else you may find yourself attacking the wrong problems and turning a bad situation into something worse.

Steps to establish Information Security Objective

1. Establishing a Strategy Plan

The purpose of a strategic plan for security is to provide management with the necessary information to make informed decisions about investment in security. The strategic plan links the security function with the business direction. The strategy must present a business case that describes key business benefits and outcomes related to security, with recommended strategies for achieving those outcomes. Strategies for security help achieve business objectives by identifying and addressing security requirements in business functions and initiatives and providing infrastructure, people, and processes that meet those requirements. Although driven by business requirements, strategies must take into account other factors that may impact the achievement of those outcomes. The strategies must be revised periodically to allow for changes in the business direction and in the constraining factors.

2. Security functions

As the strategy describes business outcomes related to security, the scope for security strategy is defined by an organization’s definition, or scope, of its security function. The security function should be defined by objectives. The key functional areas defined are security policy, security organization, personnel security, asset classification and control, physical and environmental security, computer and operations management, system access control, system development and maintenance, business continuity planning, and compliance.
For example: the objective of security at <organization> is to protect information and information systems and prevent unauthorized access, unauthorized modification or damage, or interruption to business functions.
Under company law, directors are obliged to take reasonable actions to protect company assets. Reasonable action can be demonstrated by aligning an organization’s security functions with industry standards. Security functions can be strategic, tactical, or operational. Security functions are implemented in terms of technology, processes, and people. Security functions should be documented with accountability against organizational roles. Accountability for security functions may be concentrated in a single security group, or allocated to other areas that have common objectives. For example, the accountability for business continuity may be allocated to an operational support group. A security strategic plan should include objectives for all security functions regardless of where they are placed within the organization.

3. Business objectives

Business objectives are the highest level, or fundamental, objectives of the organization. At the conceptual level, these objectives relate to the prosperity of the organization and all of its stakeholders. When enumerated by the business the objectives become more descriptive and may include the following:

  • to reduce costs by efficiency gains
  • to reduce potential costs through risk reduction
  • to protect assets
  • to create opportunities for revenue growth by enhancing or creating customer services and products, by creating competitive advantage, and by extending the customer base
  • to create opportunities for revenue growth by enhancing or maintaining a reputation in the marketplace, reducing time to market and by marketing/advertising and channel management

Business objectives are implemented through a range of business strategies. Strategies will vary greatly between organizations. Example business strategies may include the following:

  • Building infrastructure to provide extended customer functions
  • Joint ventures or mergers to improve market position
  • Outsourcing to achieve flexibility and cost reduction

Business strategies will be achieved through the implementation of a range of business initiatives.

4. Security objectives

  1. Determining Security objectives

    Security objectives are the sub-set of the business objectives that can be achieved by the application of the security functions. To determine the security objectives, evaluate the potential for each business objective or initiative to be impacted by each security function. For example, consider the business objective of increasing revenue through reduced time to market.
    How does security policy impact on time to market?
    The policy provides a statement of acceptable risk. If security policy does not define protection requirements for sensitive information, then development may be delayed while the risk is assessed and security controls defined. At the same time, stringent policy requirements may also delay the development of system enhancements, and may even preclude some business initiatives as excessively risky. The security objective would be to optimize between the policy that defines the minimum controls – giving the best time to market, minimum cost and maximum business enablement – while keeping residual risk below an acceptable threshold.
    How does security organization impact on time to market?
    Security organization ensures that accountability for security functions has been allocated to organizational roles. If security functions have not been effectively allocated, delays could be incurred at any point of the development lifecycle that depends on a security function. For example, if inadequate resources have been allocated for security assessment, there may be delays in getting approval to promote a system into production. The security objective would be to ensure that security functions are supported adequately to prevent delays in getting products and services into production. Continuing the evaluation to assess the impact of each security function on each business objective will produce security objectives directly aligned with business objectives. This method may be more relevant when revenue and growth are a priority. An alternative method is to start with each of the security functions and create a scenario showing the potential impacts to the organization should that security function fail. The security objectives for each scenario are then to implement security that prevents those impacts. For example, consider the security function to manage access. In a scenario where access management fails, a hacker might gain access to an internal server and expose information from business partners. Information may be commercial in confidence and may also contain information subject to information privacy legislation. Resulting impacts could include:

    • Parties whose information is exposed seeking penalties for breach of the non-disclosure agreement, and also seeking to recover subsequent losses;
    • Customers using alternative service providers. The organization’s reputation and revenue is adversely impacted;
    • Exposure resulting in the breach of privacy legislation, litigation costs, penalties and impact on reputation.

    The security objectives of this scenario could include:

    • to prevent hackers from gaining unauthorized access to internal servers;
    • to ensure adequate controls are in place to reduce the risk of claims under privacy legislation should exposure result in such claims.

    Scenarios should be developed to cover each security function. Multiple impacts may be associated with each function. Further validation can be attained by including scenarios for actual losses previously incurred by the organization, or by including potential losses from risks identified in recent audits or recorded in risk registers. In addition to event-based scenarios (e.g. failure of security controls) also consider pre-event scenarios. Using the security assurance function as an example, if customers perceive that security in a web service is inadequate they may not take it up, resulting in lost revenue. This method may be more relevant when reducing cost is a priority.

  2. List of strategic security objectives

    Having determined the security objectives using either (or preferably both) of the methods above, the rationalized list of security objectives now describes the purpose of the security function. Security objectives must be achievable by security functions. Security objectives will vary across organizations. A list of possible security objectives, including how they are achieved by security functions follows:

    • Objective – to reduce security events
      Security functions can alter the likelihood and impact of security events. For example, access management can prevent unauthorized access. A reduction in security events will reduce system interruptions, reduce costs arising from business interruptions and from recovery, protect the reputation and existing revenue streams, reduce information exposure and damage, and reduce legal penalties.
    • Objective – to provide security infrastructure that reduces development costs
      • Security functions can implement security infrastructure (e.g. authentication services, access management and provisioning, identity management, key management) that can be re-used by multiple systems. Re-use reduces development costs and also reduces complexity.
      • Infrastructure may provide revenue-generating opportunities through product differentiation.
    • Objective – to reduce operational costs
      • Security functions can reduce operational costs by increasing the efficiency of providing services, such as access control mechanisms.
      • Security functions can reduce insurance costs by reducing the risk profile of the organization.
    • Objective – to reduce development costs
      Security functions can reduce development costs by imposing minimal security controls, by providing infrastructure to reduce the cost of developing controls, by providing the policy that reduces the need for risk assessments,

5. Measuring security outcomes

  1. Metrics
    Once security objectives have been identified, an organization must choose methods that demonstrate whether those objectives have been met. Metrics must be established that show whether security is effectively achieving the security objectives. Strategies for implementing security cannot be shown to have been achieved unless their impact on security objectives can be assessed either qualitatively or quantitatively. The typical management process includes planning for an outcome, implementing a process to achieve the outcome, measuring the results, and using the results as a measure of effectiveness to improve on the original plan. The process for the management of security is atypical in this regard: security assurance cannot be measured in terms of “results” where there are none, because major security events may never occur, or occur very infrequently.

    There are also limitations on assessing security in terms of the likelihood of impacts occurring. Consider a scenario in which there is a one in a million chance in any given year that there will be a security breach resulting in a Rs 50 crore loss. The probabilistic loss rate is Rs 5000 per year. Therefore any mitigation plan to reduce the risk must cost less than Rs 5000 per year to provide a positive return. For straight-line risk tolerance, the definition of acceptable risk levels is limited by the difficulty in determining the true probability of the event and the true loss that may occur. In practice, risk tolerance is non-linear: organizations tend to exhibit an increasing aversion to high-level impacts despite the very low likelihood of occurrence.

    Furthermore, security events are not as simple as the product of likelihood and impact that is often used. Due to the nature of security incidents, they are typically based on a number of successive events. A simple vulnerability may result in a low-impact event. There is a lower probability that this will be exploited into a higher-impact event, and successively unlikely events will result in successively higher impacts. Therefore, a security event has a risk probability function showing decreasing likelihood with increasing impact. Likelihood may be indicated by a history of previous events if available; typically there is no history of high-impact events. Security assurance needs to be measured in terms of the reduction in this risk probability function, and also in terms of each of the security objectives. For example, metrics for the first security objective derived above (to reduce security events) are described as follows:
    Objective – to reduce security events
    Metric – The reduction in the risk of security events can be measured in the following terms:

    • Security can be measured by a system’s resistance to a range of penetration and/or vulnerability tests.
    • Security can be measured against benchmark implementations. For example, the security of a Windows server could be measured by assessing compliance with the CIS Benchmarks.
    • Security controls can be measured analytically. This might be done by measuring the number of Top 20 vulnerabilities occurring across critical services within the organization.

    Metrics should be customized to reflect organizational objectives and values. This assessment should be continued to establish metrics for each security objective. This task is demanding but essential to providing the context for risk assessment. As the requirements for security controls change rapidly in response to changes in business initiatives, legislative requirements, customer expectations, and new technology, measurement of security should also distinguish between the effectiveness of existing controls and the capability of the organization to maintain the desired level of security assurance. Each security measure should be assessed in terms of the current effectiveness, and the organization’s ability to maintain that level of effectiveness. Taking the first metric above (resistance to penetration and vulnerability testing) as an example, the capability would be measured in terms of the processes, technology, and resources in place to plan, implement and respond to penetration and vulnerability tests.
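    To make the chained-event risk function described above concrete, here is an added example (written for this page, not code from the article or its author). It models an incident as a chain of successively less likely, more damaging stages, computes the annual loss expectancy from the resulting decreasing-likelihood/increasing-impact function, applies a non-linear tolerance weighting to show how a rare catastrophic stage dominates once aversion to high impacts is accounted for, and measures a control as the reduction of that function rather than as a count of incidents, which may never occur. The stage names, probabilities, impacts, control effect and control cost are constructed illustrative values.

```python
"""Chained-event risk model for the decreasing-likelihood / increasing-impact
"risk probability function" discussed above.

Added example, not part of the original article. All probabilities, impacts,
control effects and costs are constructed illustrative values.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Stage:
    """One link in the chain: reached only if the previous stage occurred."""
    name: str
    p_given_previous: float  # conditional probability of progressing to this stage
    impact: float            # total loss if the incident stops at this stage


def reach_probabilities(p_initial, stages):
    """Annual probability that an incident progresses at least to each stage.

    Each value is the product of the conditional probabilities so far, so the
    list decreases while stage impacts increase: the risk probability function.
    """
    probs, p = [], p_initial
    for s in stages:
        p *= s.p_given_previous
        probs.append(p)
    return probs


def stop_probabilities(p_initial, stages):
    """Probability that a given stage is the *last* one reached in a year."""
    reach = reach_probabilities(p_initial, stages) + [0.0]
    return [reach[i] - reach[i + 1] for i in range(len(stages))]


def annual_loss_expectancy(p_initial, stages):
    """Expected annual loss: sum over stages of P(stop here) * impact."""
    return sum(p * s.impact for p, s in zip(stop_probabilities(p_initial, stages), stages))


def aversion_weighted_loss(p_initial, stages, tolerance, exponent=2.0):
    """Non-linear risk tolerance: losses above `tolerance` are weighted by
    (impact / tolerance) ** exponent, so rare catastrophic stages dominate
    even though their likelihood is tiny."""
    total = 0.0
    for p, s in zip(stop_probabilities(p_initial, stages), stages):
        weight = max(1.0, (s.impact / tolerance) ** exponent)
        total += p * s.impact * weight
    return total


def apply_control(stages, stage_name, factor):
    """Model a control that multiplies one stage's conditional probability by
    `factor` (0.4 means that stage becomes 60% less likely)."""
    return [replace(s, p_given_previous=s.p_given_previous * factor) if s.name == stage_name else s
            for s in stages]


def assurance_gain(p_initial, stages, stage_name, factor, annual_control_cost):
    """Measure assurance as the reduction of the risk function (expected loss
    and tail probability), netted against the control's annual cost."""
    after = apply_control(stages, stage_name, factor)
    ale_before = annual_loss_expectancy(p_initial, stages)
    ale_after = annual_loss_expectancy(p_initial, after)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "tail_before": reach_probabilities(p_initial, stages)[-1],
        "tail_after": reach_probabilities(p_initial, after)[-1],
        "net_annual_benefit": (ale_before - ale_after) - annual_control_cost,
    }


# Constructed scenario: an exploitable weakness appears in half of all years.
P_INITIAL = 0.5
STAGES = [
    Stage("workstation compromised", 0.4, 20_000),
    Stage("lateral movement to internal server", 0.25, 200_000),
    Stage("customer database exfiltrated", 0.1, 5_000_000),
]

if __name__ == "__main__":
    for s, p in zip(STAGES, reach_probabilities(P_INITIAL, STAGES)):
        print(f"{s.name:40s} P(reach)={p:.4f} impact={s.impact:,.0f}")
    print("ALE before segmentation:", annual_loss_expectancy(P_INITIAL, STAGES))
    print("Aversion-weighted loss:", aversion_weighted_loss(P_INITIAL, STAGES, tolerance=100_000))
    print(assurance_gain(P_INITIAL, STAGES, "lateral movement to internal server", 0.4, 5_000))
```

    Run as a script it prints the curve, the expected loss, and the effect of a segmentation control on the middle stage; the interesting point for planning is that the aversion-weighted figure is driven almost entirely by the last, least likely stage, which is where the text says history is usually absent.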

  2. Current security capability
    Once the security metrics have been established it is possible to assess the current (point-in-time) security capability of the organization. Each of the measures described above should be applied to the organization to produce a statement of capability. This can serve as the baseline against which enhancements and changes to security can be planned and measured. A sanitized version of this statement of capability could be used to represent capability to customers and business partners.
  3. Current outcomes
    Current outcomes are a measure of the actual security events rather than assurance. Information is collected in regard to actual events impacting each of the security objectives. For example, for the objective of reducing security events, the current outcomes will be the number of recorded security breaches and the actual costs arising from those events. For the objective of minimizing litigation, the outcome would be the number of litigations raised against the organization and the actual costs arising from such litigation. Some objectives will always be difficult to measure, such as reputation. Customer surveys may indicate levels of satisfaction in existing customers. The current outcomes are used in conjunction with the current capability to define the baseline for security planning.
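    The following added example (not code from the article or its author) shows how the benchmark and analytical metrics above and the current outcomes just described can be produced together as the point-in-time baseline the text calls for: it counts tracked weakness classes across critical services from a scan export, computes benchmark compliance per host, and tallies actual events and cost per objective from an incident register. The scan export, benchmark results, incident register, critical-service list and the reference list of tracked weakness classes are all constructed placeholders; no real vulnerability identifiers or benchmark check ids appear.

```python
"""Point-in-time security baseline: effectiveness metrics from scan and
benchmark data plus outcome metrics from an incident register, per objective.

Added example, not part of the original article. All input data below is
constructed and the tracked-class list is a placeholder, not a published list.
"""
import csv
import io
from collections import Counter, defaultdict

# Placeholder for the organization's own list of tracked weakness classes
# (standing in for a "Top 20" style reference list).
TRACKED_CLASSES = {"default-credentials", "unpatched-service", "weak-tls", "open-admin-port"}
CRITICAL_SERVICES = {"payments-api", "customer-db", "vpn-gateway"}

# Constructed scan export, one finding per row.
SCAN_CSV = """\
service,host,weakness_class,severity
payments-api,pay-01,unpatched-service,high
payments-api,pay-01,weak-tls,medium
customer-db,db-01,default-credentials,critical
intranet-wiki,wiki-01,unpatched-service,high
vpn-gateway,vpn-01,open-admin-port,high
vpn-gateway,vpn-01,banner-disclosure,low
"""

# Constructed benchmark results: host -> (checks passed, checks assessed).
BENCHMARK_RESULTS = {"pay-01": (180, 200), "db-01": (150, 200), "vpn-01": (95, 100), "wiki-01": (120, 200)}

# Constructed incident register for the reporting period (actual outcomes).
INCIDENTS_CSV = """\
id,objective,cost
INC-0001,reduce security events,12000
INC-0002,reduce security events,3500
INC-0003,minimize litigation,80000
"""


def tracked_findings(scan_csv=SCAN_CSV, critical_only=True):
    """Per-service count of findings whose class is on the tracked list: the
    analytical metric 'number of tracked vulnerabilities across critical
    services'. Untracked classes such as banner disclosure are ignored."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if critical_only and row["service"] not in CRITICAL_SERVICES:
            continue
        if row["weakness_class"] in TRACKED_CLASSES:
            counts[row["service"]] += 1
    return counts


def benchmark_compliance(results=BENCHMARK_RESULTS):
    """Benchmark metric: percentage of checks passed per host and fleet-wide."""
    per_host = {h: round(100.0 * passed / total, 1) for h, (passed, total) in results.items()}
    fleet = round(sum(per_host.values()) / len(per_host), 1)
    return {"per_host": per_host, "fleet_average": fleet}


def outcomes(incidents_csv=INCIDENTS_CSV):
    """Current outcomes: number of actual events and their cost per objective."""
    summary = defaultdict(lambda: {"events": 0, "cost": 0.0})
    for row in csv.DictReader(io.StringIO(incidents_csv)):
        summary[row["objective"]]["events"] += 1
        summary[row["objective"]]["cost"] += float(row["cost"])
    return dict(summary)


def baseline():
    """Statement of capability plus outcomes: the baseline later changes are measured against."""
    findings = tracked_findings()
    actual = outcomes()
    none = {"events": 0, "cost": 0.0}
    return {
        "reduce security events": {
            "capability": {
                "tracked_findings_on_critical_services": sum(findings.values()),
                "findings_per_service": dict(findings),
                "benchmark_compliance": benchmark_compliance(),
            },
            "outcomes": actual.get("reduce security events", none),
        },
        "minimize litigation": {
            "capability": {},  # constructed: no assurance metric defined yet for this objective
            "outcomes": actual.get("minimize litigation", none),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(baseline(), indent=2))
```

    The empty capability entry for the litigation objective is deliberate: the baseline should make visible which objectives still lack an assurance metric, since the text expects one per objective.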

6. Security vision

The vision is the picture of the future environment, showing how people, processes, and technology work together to overcome constraints and threats and meet all security objectives. For example, the vision for fulfilling the security objective of reducing the risk of litigation (e.g. the obligation for due care under company law) will be achieved by establishing comprehensive policy, procedures, and training that either reduce events of information disclosure or transfer the responsibility to the individual. Similarly, the vision for fulfilling the security objective of reducing security events (e.g. in response to increased attacks from the internet and exploitation of vulnerabilities in new technology) will be achieved by a combination of system hardening, segregation of sensitive systems, and enhanced perimeter security that will reduce vulnerabilities to an absolute minimum. Continue the process and create a vision of the future environment that meets all security objectives.

7. Constraints

In addition to the business objectives and initiatives driving security, there is also a range of constraints that inhibit or prevent the achievement of security objectives. These factors may be internal to the organization and controllable, or external and beyond the control of the organization.

  1. External constraints
    • Emerging technology (e.g. wireless networking) creates business opportunities but also brings new vulnerabilities and risks.
    • Legislation (e.g. information privacy) may increase the potential costs arising from exposure of sensitive information and may create new obligations for providing controlled access to information.
    • Customer requirements (e.g. increased connectivity) may increase vulnerability and complexity in internal systems.
  2. Internal constraints
    • Cost – organizations tend to vary their level of risk acceptance in response to growth or retraction in the market.
    • Architecture – existing components (e.g. authentication systems) may restrict the use of strong authentication or inhibit adequate monitoring.
    • Culture – organizations with a strong culture of trust may fail to recognize weak security systems. Attitude and awareness play a key role in building effective security.
    • Complexity – organizations that are highly responsive to customer requirements may create solutions with increasing complexity and

8. Threats and vulnerabilities

Threats and vulnerabilities also impact the organization’s ability to achieve its objectives. A vulnerability is a weakness in a system that can be exploited. A threat is something that may act to exploit the vulnerability. Threats to an organization should be identified and allowed for in setting security objectives. Typical threats include external hackers (script kiddies, criminals, competitors), disgruntled staff and contractors, viruses and other malicious code, and inadvertent action by authorized operators. Typical vulnerabilities include published system vulnerabilities, poor configuration, inconsistent application of processes, and untrained staff. Security strategies must allow for vulnerabilities and threats.

9. Strategies

Strategies are the plans for moving from the current environment towards the vision. Strategies do not have priorities: they are mutually exclusive. A strategy is a direction, plan, or approach to achieving the security objectives while allowing for the influence of the constraining factors. Use the business objectives, security objectives, and measures of the current capability to identify security objectives that are not fully met. Create strategies to meet those objectives while allowing for constraints and threats. For example, the business objective is to generate more revenue. The business strategy is to create additional connectivity with customers to provide value-added services. One security objective is to allow connectivity while mitigating the risk of hacker and virus infiltration to an acceptable level. Another security objective is to ensure that customer expectations for integrity and availability can be met. The vision includes comprehensive perimeter monitoring and access controls. The current capability meets existing needs but will require enhancement to protect new communication channels used to provide the planned increase to connectivity. External constraining factors could include the technology (e.g. inherent weakness in wireless networking), and the obligation to protect customer information that is subject to information privacy legislation. Internal constraining factors could include the complexity of internal systems. Adding new connectivity may require additional resources to cover essential security monitoring. The security strategies might be:

  • to increase monitoring of external connections. This will mitigate some risk associated with increased connectivity.
  • to increase the security “hardening” of all customer-facing systems.
  • to provide redundancy for critical production system components to improve the availability of services.

Continue the process to identify strategies for all security objectives. Each strategy must support at least one objective. In total, all of the strategies must meet all of the objectives. Examine each security objective and ensure that it will be fully achieved if the strategies are fully implemented. If not, further strategies are required.

10. Initiatives

  1. Setting Initiatives
    Initiatives are the operational plans for the implementation of processes, technology and people that achieve the security objectives. Each initiative must support at least one strategy. Initiatives, if fully implemented, should completely achieve the strategy and its objectives. If the initiatives do not meet all of the objectives, further initiatives should be prepared. For example, with a strategy of hardening all customer-facing systems, the initiatives might be:
    • to configure all customer-facing servers in accordance with CIS security benchmarks;
    • to replace network bridges with switches, relocated inside the organization’s trusted network.

    Each initiative must include an assessment of the expected benefits (reduction in residual risk), costs (allocation of funding and resources to achieve changes in technology, process, and people), priorities, and interdependencies. In the example above, consider whether customer-facing systems will be adequately hardened when these initiatives are fully implemented. If there are further measures that can be taken to harden these systems, multiple initiatives should be identified. Multiple initiatives give senior management further opportunity to determine the appropriate level of investment and an acceptable risk by choosing between initiatives. Owing to the interdependencies between strategies and initiatives, changes to the timing or acceptance of one initiative may impact others. For example, delays to virtual private networking may impact the delivery of a single sign-on solution using the same infrastructure (directory service and certificate authority). Initiatives can be validated against best practice. Cost-effective outcomes may be achieved by following the approach other organizations have used in similar situations and leveraging their experience to avoid costly errors. Continue this process to include initiatives for all security objectives. The strategic security plan should include a summary showing that the initiatives in total meet the strategic objectives, and also produce the future vision as described earlier.
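    The two traceability rules stated in the Strategies section (every objective met by at least one strategy) and here (every strategy implemented by at least one initiative, with interdependencies between initiatives) are mechanical enough to check. The following added example, written for this page and not code from the article or its author, encodes a small plan and reports uncovered objectives, strategies with no initiative, dangling references, a dependency-respecting execution order, and which initiatives are affected when one slips (the VPN and single sign-on case in the text). The ids are invented; the descriptions reuse the article's own worked example, and objective O3 is deliberately left without a strategy to show a gap being detected.

```python
"""Traceability checks for a strategic security plan: every objective needs at
least one strategy, every strategy at least one initiative, and a slip in one
initiative propagates along its interdependencies.

Added example, not part of the original article. Ids are invented; the
descriptions follow the article's worked example.
"""
from collections import defaultdict, deque

OBJECTIVES = {
    "O1": "allow connectivity while mitigating hacker and virus infiltration",
    "O2": "meet customer expectations for integrity and availability",
    "O3": "reduce the risk of litigation",  # constructed: deliberately not covered
}

# strategy id -> (description, objectives it supports)
STRATEGIES = {
    "S1": ("increase monitoring of external connections", {"O1"}),
    "S2": ("harden all customer-facing systems", {"O1", "O2"}),
    "S3": ("provide redundancy for critical production components", {"O2"}),
}

# initiative id -> (description, strategies it supports, initiatives it depends on)
INITIATIVES = {
    "I1": ("configure customer-facing servers to CIS benchmarks", {"S2"}, set()),
    "I2": ("replace bridges with switches inside the trusted network", {"S2"}, set()),
    "I3": ("stand up directory service and certificate authority", {"S1"}, set()),
    "I4": ("virtual private networking for customer connectivity", {"S1"}, {"I3"}),
    "I5": ("single sign-on on the shared directory/CA infrastructure", {"S2"}, {"I3", "I4"}),
}


def uncovered_objectives(strategies=STRATEGIES, objectives=OBJECTIVES):
    """Objectives that no strategy claims to support."""
    covered = set().union(*(objs for _, objs in strategies.values()))
    return sorted(set(objectives) - covered)


def strategies_without_initiatives(initiatives=INITIATIVES, strategies=STRATEGIES):
    """Strategies that no operational initiative implements."""
    covered = set().union(*(strats for _, strats, _ in initiatives.values()))
    return sorted(set(strategies) - covered)


def dangling_references(initiatives=INITIATIVES, strategies=STRATEGIES):
    """Initiatives pointing at an unknown strategy or an unknown dependency."""
    return sorted(iid for iid, (_, strats, deps) in initiatives.items()
                  if not strats <= set(strategies) or not deps <= set(initiatives))


def _dependents(initiatives):
    """Reverse the dependency edges: initiative -> initiatives that wait on it."""
    dependents = defaultdict(set)
    for iid, (_, _, deps) in initiatives.items():
        for dep in deps:
            dependents[dep].add(iid)
    return dependents


def impacted_by_delay(initiative_id, initiatives=INITIATIVES):
    """Every initiative that transitively depends on `initiative_id`, i.e. whose
    timing changes if it slips."""
    dependents = _dependents(initiatives)
    seen, queue = set(), deque([initiative_id])
    while queue:
        for nxt in dependents[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


def execution_order(initiatives=INITIATIVES):
    """Dependency-respecting order (Kahn's algorithm). A cycle means the plan's
    interdependencies are inconsistent and is reported as an error."""
    indegree = {iid: len(deps) for iid, (_, _, deps) in initiatives.items()}
    dependents = _dependents(initiatives)
    ready = deque(sorted(i for i, d in indegree.items() if d == 0))
    order = []
    while ready:
        cur = ready.popleft()
        order.append(cur)
        for nxt in sorted(dependents[cur]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(initiatives):
        raise ValueError("cyclic initiative dependencies")
    return order


def plan_summary():
    """The summary the text asks for: do the initiatives in total meet the objectives?"""
    gaps = (uncovered_objectives(), strategies_without_initiatives(), dangling_references())
    return {
        "uncovered_objectives": gaps[0],
        "strategies_without_initiatives": gaps[1],
        "dangling_references": gaps[2],
        "execution_order": execution_order(),
        "complete": not any(gaps),
    }


if __name__ == "__main__":
    for key, value in plan_summary().items():
        print(f"{key}: {value}")
    print("if I4 slips, also affected:", impacted_by_delay("I4"))
```

    Running it reports O3 as uncovered and S3 as a strategy with no initiative, so the plan is flagged incomplete until further strategies and initiatives are added, which is exactly the check the text describes.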

  2. Accountability and governance
    The security function cannot be made responsible for the achievement of business objectives outside of its area of control. For example, a security objective may be to provide certification to international standards so that the business can differentiate services on that basis. The security staff cannot be held accountable for revenue generation: that is the sales team’s responsibility. The security team can be accountable for the achievement of the certification. When completed, the strategic security plan will have input from business areas to ensure alignment with business direction, and input from information technology, legal services, personnel, and other support areas to ensure that the plan is realistic and feasible. Governance of the security process should be included in the organization’s governance process along with risk management. Security reporting should be consistent with risk reporting. The organization’s senior officers will be seeking to demonstrate reasonable care. The questions that could be expected might include the following:
    • Is management confident that security is being adequately addressed in the company?
    • What are other people doing and how is the enterprise placed in relation to them?
    • Does management have a view on how much the enterprise should invest in IT security improvements?
    At this point, the strategic security plan should be able to answer all of these questions except for the question of the appropriate level of investment. This must be answered by senior management. The plan provides the rationale behind each of the strategies and initiatives and allows management to invest in security based on the financial position of the organization and the level of risk considered acceptable by senior management. Senior management will be looking for a comparison of the security in their organization against organizations of similar ilk to validate the strategic plan. An approach to determining the cost of security and comparative industry costs follows.
  3. Cost of security
    The cost models for security are still evolving. Models supported by security consulting firms tend to emphasize operational costs backed up by the potential cost of disastrous events in order to generate sales of security services. Such models may understate the significance of other security objectives such as asset protection or legal risk mitigation. Security costs can be described as being made up of planned costs and potential (risk) costs.
  4. Planned costs
    Planned costs are incurred regardless of the occurrence of actual security events and can be direct or indirect costs. Direct costs are associated with planning, implementing, and operating security functions. This includes salaries, depreciation on security assets, and maintenance and service charges related to the supply of security functions. Indirect costs include the cost of insurance (premiums may vary with the level of security assurance). A strategy showing an increase in planned security spending should demonstrate a reduction in the overall risk profile of the organization, or containment of escalating risk. A reduction in security spending should be reflected in the acceptance of a higher risk profile.
  5. Potential costs
    Potential costs are only incurred if security events occur. Potential costs are tied into the strategy as optional implementation plans. Different implementations have different probabilities and impacts. Senior management can adjust the risk/investment balance by choosing between initiatives. Potential costs need to take into account all of the security objectives and include security events (response and recovery, loss of business, reputation, etc.), interruption to operations, loss of operational data, exposure of confidential data, contract claims for non-performance, cost of litigation, and legal penalties for breach of obligations regarding privacy, copyright, trade practices, company governance, etc.

Example of Objective and plan

Hacking and Unauthorised Interception

Developing an IS Objectives plan
The purpose of an ‘IS Objectives plan’ is to set out how an intended action will be achieved, who will undertake it and how it will be measured.
Objectives to be achieved

  • Issues to be addressed
    Our current firewalls are old and are insufficient to prevent new threats. ‘Hacking and Unauthorised Interception’ – this is the deliberate interception or collection of data or voice traffic on our network. Competitors or thieves seek to gather personal information that enables them to commit fraud. Although we have not detected this happening as yet, it is a real and present concern. The main ways this is done are:
    • External parties gaining access to our IT systems
    • Staff finding ways to access restricted information internally
  • Proposed Actions
    Replace our existing external firewalls with enterprise-grade products that offer stateful inspection capabilities. The design must contain the most advanced firewall capabilities, including:
    • proxies (including SOCKS)
    • stateful inspection or dynamic packet filtering
    • network address translation
    • virtual private networks
    • Internet Protocol version 6 and other non-IPv4 protocols
    • network and host intrusion detection technologies
  • External Firewall deployment steps
    Prepare: Ensure network diagrams are up to date
    1. Select and acquire firewall hardware and software as above
    2. Acquire firewall documentation, training, and support
    3. Install firewall hardware and software
    4. Configure IP routing
    5. Configure firewall packet filtering
    6. Configure firewall logging and alert mechanism
    7. Test the firewall system
    8. Install the firewall system
    9. Phase the firewall system into operation
  • Internal Intellectual Property control deployment steps
    Implement internal Intellectual Property controls based on information signatures.
    1. Information signature identification – credit card details, personal information
    2. Assign approved locations for information types
    3. Approve staff access structure
    4. Select and acquire agents and management application
    5. Implement tracking agents onto PCs and servers
    6. Acquire firewall documentation, training, and support
    7. Configure physical server
    8. Configure logging and alert mechanisms
    Test: Test the system
    Deploy: Enable the live IP system

  • Accountability
    John Bishop IT Manager is responsible for the approval of this plan. Chris Flood, IT Analyst is responsible for plan implementation.
  • Resources and responsibilities
    1. Management will provide a budget (to be set) for the purchase of new firewalls; the budget is still pending, so the objective is on hold.
    2. IT will project manage the process but a specialist supplier will undertake this work.
  • Completion schedule:  Implementation Resource Estimates
    The following rough-order-of-magnitude timeframes represent the calendar time required by staff/supplier to implement each of the practices described in the ‘Proposed Actions’ section.
    1. Design the firewall system 3 months
    2. Acquire firewall hardware and software 2 months
    3. Acquire firewall documentation, training, and support 1 month
    4. Install firewall hardware and software 1 month
    5. Configure IP routing 1 week
    6. Configure firewall packet filtering 3 weeks
    7. Configure firewall logging and alert mechanisms 2 weeks
    8. Test the firewall system 2 weeks
    9. Install the firewall system 1 week
    10. Phase the firewall/IP system into operation 2-3 months
  • Evaluating results
    1. Internal and external penetration testing (undertaken by a third party) will be undertaken to ensure a successful deployment.
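    Step 6 of the external firewall deployment above ("configure firewall logging and alert mechanism") is where a plan usually stays vague. The following added example, written for this page and not code from the article, its author or any firewall product, shows one concrete alert rule: it parses drop records, skips lines it cannot parse rather than failing, ignores retries of a single port and ICMP drops, and raises an alert when one source is dropped on several distinct destination ports inside a short sliding window. The log lines are constructed in the style of Linux netfilter kernel log messages with a `FW-DROP` log prefix; the hostname, addresses (RFC 5737 documentation ranges), window and threshold are placeholders.

```python
"""Alert rule over firewall drop logs, for the 'configure firewall logging and
alert mechanism' step of the deployment plan above.

Added example, not part of the original article. The log lines are constructed
in the style of Linux netfilter kernel messages with a `FW-DROP` log prefix;
host, addresses and thresholds are placeholders.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source probing six ports in six seconds, one source
# retrying a single port over several minutes, an ICMP drop and a junk line.
LOG_LINES = """\
2024-01-15T10:00:01 fw01 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=22
2024-01-15T10:00:02 fw01 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=23
2024-01-15T10:00:03 fw01 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=25
2024-01-15T10:00:04 fw01 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=40004 DPT=80
2024-01-15T10:00:05 fw01 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=40005 DPT=443
2024-01-15T10:00:06 fw01 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=40006 DPT=3389
2024-01-15T10:00:07 fw01 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
2024-01-15T10:01:00 fw01 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=445
2024-01-15T10:03:00 fw01 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=445
2024-01-15T10:05:00 fw01 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=51002 DPT=445
this line is not a firewall record and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<prefix>[A-Z0-9-]+): (?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match (a parser that raised on junk would take the alerting down)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "prefix": m["prefix"],
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
    }


def drops_per_source(lines=LOG_LINES):
    """Volume metric: dropped packets per source address."""
    counts = Counter()
    for line in lines.splitlines():
        ev = parse_line(line)
        if ev and ev["prefix"] == "FW-DROP":
            counts[ev["src"]] += 1
    return counts


def port_sweep_alerts(lines=LOG_LINES, window=timedelta(seconds=60), min_ports=5):
    """Alert when one source is dropped on `min_ports` or more distinct
    destination ports inside a sliding `window`. Retries of a single port and
    ICMP drops (no DPT) never trigger it."""
    events = defaultdict(list)
    for line in lines.splitlines():
        ev = parse_line(line)
        if ev and ev["prefix"] == "FW-DROP" and ev["dpt"] is not None:
            events[ev["src"]].append((ev["ts"], ev["dpt"]))
    alerts = []
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "first_seen": evs[start][0].isoformat(), "ports": sorted(ports)})
                break  # one alert per source per run; a real pipeline would also de-duplicate across runs
    return alerts


if __name__ == "__main__":
    print(drops_per_source())
    for alert in port_sweep_alerts():
        print("ALERT port sweep:", alert)
```

    The same parsed events feed the "evaluating results" step: after the third-party penetration test, the alerts raised during the test window are compared with the tester's activity to confirm that logging and alerting actually fired, rather than only that the test passed.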