ISO 27001:2022 Clause 6.2 Information security objectives and planning to achieve them

The organization shall establish information security objectives at relevant functions and levels.
The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and results from risk assessment and risk treatment;
d) be monitored;
e) be communicated;
f) be updated as appropriate;
g) be available as documented information.
The organization shall retain documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization shall determine:
h) what will be done;
i) what resources will be required;
j) who will be responsible;
k) when it will be completed; and
l) how the results will be evaluated.

The organization shall establish information security objectives at relevant functions and levels.

Establishing information security objectives at relevant functions and levels involves a systematic approach that aligns with the organization’s overall business objectives. Here’s a step-by-step guide on how an organization can achieve this:

  1. Understand the Business Context: Gain a deep understanding of the organization’s overall business objectives, mission, and critical processes. Identify key information assets and their importance to the business.
  2. Conduct a Risk Assessment: Perform a thorough risk assessment to identify and evaluate potential threats, vulnerabilities, and risks to information assets. Prioritize risks based on their impact and likelihood of occurrence.
  3. Involve Stakeholders: Engage with stakeholders from various functions and levels within the organization. This includes executives, managers, IT personnel, and other relevant staff. Understand their roles, responsibilities, and the specific security needs of their departments.
  4. Define Information Security Objectives: Based on the risk assessment and stakeholder input, establish clear and measurable information security objectives. Ensure that these objectives align with the organization’s overall business goals.
  5. Allocate Responsibilities: Clearly define roles and responsibilities for implementing and monitoring information security objectives. Assign specific responsibilities to individuals or teams at different functions and levels.
  6. Communicate Objectives: Effectively communicate the established information security objectives throughout the organization. Ensure that all relevant personnel understand the importance of these objectives and how they contribute to the organization’s success.
  7. Integrate into Business Processes: Integrate information security objectives into existing business processes. This ensures that security measures are seamlessly woven into daily operations. Avoid creating security measures that impede productivity; instead, aim for solutions that enhance efficiency.
  8. Set Key Performance Indicators (KPIs): Define measurable KPIs to track progress toward achieving information security objectives. KPIs could include metrics related to the reduction of specific risks, improvement in employee awareness, or successful implementation of security controls.
  9. Establish Monitoring and Review Mechanisms: Implement processes for continuous monitoring and periodic review of information security objectives. Regularly assess the effectiveness of security measures and adjust them as needed based on changing circumstances.
  10. Encourage Continuous Improvement: Foster a culture of continuous improvement by encouraging feedback and learning from security incidents. Use lessons learned to refine information security objectives and enhance the overall security posture.

By following these steps, an organization can establish information security objectives that are relevant to different functions and levels, ensuring a comprehensive and integrated approach to information security management.

The information security objectives shall be consistent with the information security policy

Ensuring consistency between information security objectives and the information security policy is crucial for effective information security management. The information security policy serves as a high-level document that outlines the organization’s commitment to protecting its information assets and provides a framework for implementing security measures. The objectives, in turn, are specific, measurable targets that support the policy and help guide the organization in achieving its security goals. Here’s how you can ensure consistency between information security objectives and the information security policy:

  1. Align Objectives with Policy: Review the information security policy to understand its key principles, goals, and directives. Ensure that each information security objective directly aligns with and supports the principles outlined in the policy.
  2. Refer to Policy in Objective Statements: When formulating information security objectives, reference specific sections or principles of the information security policy. This reinforces the connection between the objectives and the overarching policy framework.
  3. Adhere to Policy Requirements: Ensure that the information security objectives are in compliance with the requirements and guidelines set forth in the information security policy. Objectives should not contradict or undermine the policy but rather enhance its implementation.
  4. Communicate Consistency: Clearly communicate to all relevant stakeholders that the information security objectives are consistent with and derived from the information security policy. This communication helps in reinforcing the importance of both the policy and the specific objectives.
  5. Integrate Policy into Objectives Development: Involve key stakeholders, including those responsible for policy development, in the process of defining information security objectives. This ensures a collaborative approach and enhances the likelihood of consistency.
  6. Regularly Review and Update: Periodically review both the information security policy and objectives to ensure they remain aligned with each other. Update either document as needed to reflect changes in the organization’s risk landscape, business processes, or technology.
  7. Training and Awareness: Conduct training sessions and awareness programs to educate employees about the information security policy and how the established objectives contribute to its implementation. Ensure that employees understand the relationship between the policy and their day-to-day activities.

By maintaining consistency between information security objectives and the information security policy, an organization creates a cohesive and integrated approach to managing information security. This alignment helps in fostering a culture of security and ensures that efforts at various levels contribute to the overall security posture defined by the organization’s policies.

The information security objectives shall be measurable (if practicable)

The requirement for information security objectives to be measurable is a fundamental aspect of effective information security management. Measurable objectives provide a clear and quantifiable way to assess progress, determine success, and demonstrate compliance with established standards. Here are key considerations for ensuring that information security objectives are measurable:

  1. Quantifiable Targets: Define objectives in specific, quantifiable terms. Use metrics, numerical values, or clear performance indicators that can be measured objectively.
  2. Establish Key Performance Indicators (KPIs): Identify and establish key performance indicators that directly align with each information security objective. KPIs provide a concrete way to measure and track progress toward achieving the objective.
  3. Set Baselines and Targets: Establish a baseline measurement to understand the current state of the security parameter associated with the objective. Define a target or goal that represents the desired level of improvement or compliance.
  4. Time-Bound Objectives: Clearly specify the timeframe within which the objectives are expected to be achieved. This temporal dimension adds context and facilitates tracking progress over specific periods.
  5. Use SMART Criteria: Ensure that each objective adheres to the SMART criteria:
    • Specific: Clearly define what needs to be achieved.
    • Measurable: Use quantifiable measures.
    • Achievable: Objectives should be realistic and attainable.
    • Relevant: Align with organizational goals and priorities.
    • Time-Bound: Include a timeframe for achievement.
  6. Implement Monitoring Mechanisms: Put in place mechanisms for continuous monitoring of the chosen metrics and KPIs. Regularly assess and report on progress to determine if the organization is on track.
  7. Regular Review and Adjustment: Periodically review the effectiveness of the measurement approach and adjust metrics or KPIs as needed. Ensure that objectives remain relevant and reflective of the organization’s evolving risk landscape.
  8. Communication of Objectives and Progress: Clearly communicate measurable objectives and associated performance metrics to relevant stakeholders. Regularly update stakeholders on progress and achievements.
  9. Link to Business Goals: Align measurable objectives with broader business goals and objectives. This helps in demonstrating the value of information security in terms that resonate with the organization’s leadership.
  10. Feedback Loop: Establish a feedback loop that allows for lessons learned from measurement outcomes to be incorporated into future planning and improvement efforts.

By incorporating these principles, an organization can ensure that its information security objectives are not only well-defined but also measurable, enabling effective monitoring, management, and continuous improvement of its information security program.

The information security objectives shall take into account applicable information security requirements, and results from risk assessment and risk treatment.

The requirement for information security objectives to take into account applicable information security requirements, as well as the results from risk assessment and risk treatment, emphasizes the need for a comprehensive and risk-based approach to information security management. Here’s how an organization can fulfill this requirement:

  1. Identify Applicable Information Security Requirements: Conduct a thorough analysis of relevant laws, regulations, industry standards, and contractual obligations related to information security. Identify and document the specific requirements that apply to the organization.
  2. Integrate Legal and Regulatory Requirements: Ensure that information security objectives align with and address the organization’s legal and regulatory obligations. This integration helps demonstrate compliance with external requirements.
  3. Consider Industry Standards and Best Practices: Take into account industry-specific standards, frameworks, and best practices that provide guidance on information security. Align objectives with the principles outlined in recognized standards such as ISO/IEC 27001.
  4. Conduct a Risk Assessment: Perform a risk assessment to identify and evaluate potential threats, vulnerabilities, and risks to information assets. Consider the likelihood and impact of these risks on the organization.
  5. Prioritize Risks: Prioritize identified risks based on their significance to the organization’s objectives and operations. Focus on addressing high-priority risks that pose the most significant threats.
  6. Develop Risk Treatment Plans: Formulate risk treatment plans to mitigate, transfer, or accept identified risks. Establish specific actions and controls to address each risk.
  7. Derive Objectives from Risk Assessment: Use the findings from the risk assessment to inform the development of information security objectives. Ensure that objectives are targeted at mitigating identified risks and enhancing overall security.
  8. Quantify Objectives Where Possible: Express objectives in measurable terms whenever feasible. This helps in assessing the effectiveness of risk mitigation efforts.
  9. Ensure Alignment with Risk Treatment Plans: Confirm that information security objectives align with the strategies outlined in the risk treatment plans. Objectives should reflect the organization’s commitment to addressing and reducing identified risks.
  10. Regularly Review and Update: Periodically review information security objectives in light of changes in the organization’s risk landscape, business environment, or applicable regulations. Update objectives to reflect evolving risks and requirements.
  11. Document the Rationale: Clearly document the rationale behind each information security objective, linking it to specific risk considerations and applicable requirements. This documentation aids in transparency and can be valuable for audit purposes.

By integrating information security requirements and the outcomes of risk assessment and treatment into the development of objectives, an organization can establish a more robust and strategic approach to information security. This approach not only enhances the organization’s ability to protect its information assets but also supports compliance and resilience in the face of evolving threats.

The information security objectives shall be monitored

Monitoring information security objectives is a critical aspect of an effective information security management system (ISMS). Monitoring allows organizations to track progress, evaluate the effectiveness of security measures, and make informed decisions about adjustments or improvements. Here are key considerations for monitoring information security objectives:

  1. Establish Monitoring Mechanisms: Implement a systematic process for monitoring each information security objective. Define key performance indicators (KPIs) and other relevant metrics that align with the objectives.
  2. Define Frequency and Intervals: Specify the frequency and intervals for monitoring activities. This could range from continuous monitoring to periodic assessments, depending on the nature of the objectives.
  3. Automate Monitoring Where Possible: Utilize automated tools and systems to streamline the monitoring process. Automation can provide real-time insights and help identify issues promptly.
  4. Collect and Analyze Data: Collect data related to the established KPIs and metrics. Analyze the data to assess whether objectives are being met and to identify trends or areas that may require attention.
  5. Compare Results Against Objectives: Regularly compare monitoring results against the defined information security objectives. Identify any gaps or deviations from the intended outcomes.
  6. Document Monitoring Activities: Maintain documentation of monitoring activities, including the data collected, analysis performed, and any corrective actions taken. Documentation serves as evidence of compliance and aids in continuous improvement.
  7. Review and Report Findings: Conduct periodic reviews of monitoring findings. Prepare reports summarizing the status of information security objectives and any notable observations.
  8. Communicate Results to Stakeholders: Share monitoring results with relevant stakeholders, including management, employees, and other key parties. Communication helps raise awareness and fosters a culture of transparency.
  9. Implement Corrective Actions: If monitoring identifies issues or deviations from objectives, implement corrective actions promptly. Corrective actions may involve adjusting security controls, updating policies, or addressing other factors contributing to the observed issues.
  10. Continuous Improvement: Use the insights gained from monitoring to drive continuous improvement. Adjust information security objectives, strategies, or processes based on lessons learned and evolving organizational needs.
  11. Align with Business Goals: Ensure that monitoring activities are aligned with broader business goals and objectives. This alignment reinforces the value of information security in supporting the organization’s success.
  12. Adapt Monitoring to Changes: Modify monitoring activities as needed in response to changes in the organization’s structure, technology, or risk landscape. Adaptability ensures that monitoring remains relevant over time.

By incorporating these practices into their information security management processes, organizations can maintain a proactive and vigilant stance toward achieving and sustaining their information security objectives. Monitoring is a dynamic and iterative process that contributes to the overall effectiveness of an organization’s information security program.

The information security objectives shall be communicated

Communicating information security objectives is crucial for ensuring that all relevant stakeholders are aware of, understand, and actively contribute to the organization’s information security efforts. Here are key considerations for effectively communicating information security objectives:

  1. Clear and Concise Messaging: Clearly articulate the information security objectives in language that is easily understandable by a diverse audience. Use concise and straightforward wording to convey the purpose and importance of each objective.
  2. Tailor Communication to the Audience: Adapt communication methods and messages to the specific needs and knowledge levels of different stakeholders. Consider the perspectives of executives, employees, IT staff, and other relevant parties.
  3. Incorporate into Policies and Documentation: Ensure that information security objectives are prominently featured in key documents, such as the information security policy and related procedures. This integration reinforces the alignment of objectives with organizational priorities.
  4. Use Multiple Communication Channels: Employ a variety of communication channels to reach a broad audience. Channels may include email, intranet announcements, training sessions, posters, and other internal communication tools.
  5. Management Endorsement and Support: Obtain explicit support and endorsement from senior management for the information security objectives. Leadership endorsement reinforces the importance of security measures and encourages a culture of compliance.
  6. Regularly Reinforce Objectives: Reinforce information security objectives regularly through ongoing communication efforts. Use multiple touch points to remind employees of the objectives and their role in achieving them.
  7. Training and Awareness Programs: Include information security objectives in training programs and awareness initiatives. Ensure that employees understand the relevance of the objectives to their daily responsibilities.
  8. Interactive Workshops and Meetings: Conduct workshops or meetings to engage employees in discussions about information security objectives. Encourage questions and feedback to promote a two-way communication flow.
  9. Highlight Link to Business Goals: Emphasize the connection between information security objectives and broader business goals. Illustrate how achieving security objectives contributes to the organization’s success and resilience.
  10. Visual Aids and Infographics: Use visual aids, such as infographics or charts, to convey key messages related to information security objectives. Visual elements can enhance understanding and retention.
  11. Feedback Mechanisms: Establish mechanisms for receiving feedback and questions related to information security objectives. Encourage open communication and create a supportive environment for reporting concerns.
  12. Update During Changes: Communicate any changes or updates to information security objectives promptly. Transparency about changes helps maintain trust and awareness.
  13. Localized Communication for Global Organizations: For organizations with global operations, ensure that communication is localized and considers cultural nuances and language differences.
  14. Regular Review and Reinforcement: Periodically review and reinforce communication efforts to ensure that information security objectives remain top of mind for all stakeholders.

Effective communication of information security objectives fosters a culture of security within the organization and ensures that everyone understands their role in safeguarding information assets. It also contributes to the success of the overall information security program by building awareness and promoting a shared responsibility for security.

The information security objectives shall be updated as appropriate.

The requirement for updating information security objectives is essential for maintaining relevance and effectiveness in the ever-evolving landscape of information security threats and organizational changes. Here are key considerations for ensuring that information security objectives are updated as appropriate:

  1. Periodic Review: Establish a regular schedule for reviewing information security objectives. This could be tied to the organization’s overall risk management processes or conducted at predetermined intervals.
  2. Trigger Events: Update information security objectives in response to significant changes within the organization, such as mergers, acquisitions, changes in business processes, or the introduction of new technologies.
  3. Incident Response and Lessons Learned: Use insights gained from security incidents and breaches as opportunities to reassess and update information security objectives. Identify weaknesses or gaps and adjust objectives accordingly to enhance security measures.
  4. Changes in the Risk Landscape: Adapt information security objectives based on shifts in the organization’s risk landscape. Periodically revisit and reassess the risk assessment to identify emerging threats or changes in the risk profile.
  5. Technology Changes: Update objectives to reflect changes in technology, including the adoption of new systems, applications, or infrastructure. Ensure that security measures remain aligned with the evolving technological environment.
  6. Compliance Requirements: Regularly review and update information security objectives to align with changes in legal and regulatory requirements. Stay informed about amendments to relevant laws and standards that may impact the organization’s security posture.
  7. Feedback and Continuous Improvement: Solicit feedback from stakeholders, including employees, management, and external partners. Use feedback to identify areas for improvement and update information security objectives accordingly.
  8. Performance Monitoring Insights: Analyze performance monitoring data and key performance indicators (KPIs) to identify trends or patterns that may necessitate adjustments to information security objectives.
  9. Technology Risk Assessments: Conduct regular assessments of technology risks, vulnerabilities, and controls. Update information security objectives to address new findings and mitigate potential risks.
  10. Communication of Changes: Clearly communicate any changes to information security objectives to all relevant stakeholders. Ensure that employees are aware of updates and understand the implications for their roles and responsibilities.
  11. Incorporate Lessons from Audits and Assessments: Integrate lessons learned from internal and external audits, assessments, and security reviews into the update process. Use audit findings to enhance the organization’s security posture and align objectives with recommended improvements.
  12. Align with Business Strategy: Ensure that information security objectives remain aligned with the organization’s overall business strategy and goals. Adapt objectives to support the evolving needs and priorities of the business.
  13. Document and Record Changes: Maintain clear documentation of changes made to information security objectives. Keep records of the rationale behind updates, including risk assessments, compliance considerations, and other relevant factors.

By incorporating these considerations into the update process, an organization can ensure that its information security objectives remain current, relevant, and aligned with the dynamic nature of the business and threat landscape. Regular reviews and updates contribute to the organization’s resilience and ability to adapt to emerging security challenges.

The information security objectives shall be available as documented information. The organization shall retain documented information on the information security objectives.

The requirement for information security objectives to be available as documented information emphasizes the importance of formalizing and recording these objectives. Documented information provides a reference point for stakeholders, auditors, and anyone involved in information security management. Here’s how organizations can fulfill this requirement:

  1. Create a Documented Information Repository: Establish a centralized repository or documentation system where information security objectives can be recorded and accessed. This can be a part of the organization’s broader document management system.
  2. Document Each Objective: Clearly document each information security objective in a standardized format. Include details such as the objective’s purpose, measurable targets, key performance indicators (KPIs), and any relevant time frames.
  3. Link to Information Security Policy: Ensure that the documented information on information security objectives is linked or cross-referenced with the organization’s information security policy. This reinforces the alignment between high-level policy statements and specific objectives.
  4. Version Control: Implement version control mechanisms to track changes and updates to the documented information. This ensures that stakeholders are accessing the most current and relevant information.
  5. Accessibility for Stakeholders: Make the documented information on information security objectives easily accessible to all relevant stakeholders. This may involve providing access through secure document portals, intranet sites, or other communication channels.
  6. Distribution to Relevant Parties: Distribute the documented information to relevant parties, including management, employees, and individuals responsible for implementing and monitoring information security measures.
  7. Include Rationale and Context: Provide context and rationale for each information security objective. Explain why it is important, how it aligns with organizational goals, and its relevance to the overall information security strategy.
  8. Training and Communication: Incorporate information security objectives into training programs and awareness initiatives. Ensure that employees understand the documented information and its significance in the context of their roles.
  9. Regular Review and Update: Establish a process for regularly reviewing and updating the documented information on information security objectives. This ensures that the documentation remains accurate and reflective of the organization’s current priorities.
  10. Integration with Management Systems: If the organization follows a specific management system standard, such as ISO 27001, integrate the documentation of information security objectives into the broader management system documentation.
  11. Secure Storage: Implement security measures to protect the confidentiality and integrity of the documented information. Consider encryption, access controls, and other security measures to safeguard the information.
  12. Audit and Compliance Considerations: Be prepared to demonstrate the availability of documented information on information security objectives during internal and external audits. Ensure compliance with any regulatory or certification requirements related to the documentation of information security objectives.

By treating information security objectives as documented information, organizations enhance transparency, accountability, and the ability to demonstrate compliance with established objectives. This documentation serves as a valuable resource for ongoing information security management and helps create a foundation for continual improvement.

Documents and Records required for this clause

The documents and records required for ISO/IEC 27001 Clause 6.2 typically include:

  1. Information Security Policy: A documented statement that outlines the organization’s commitment to information security. The policy provides the framework for establishing information security objectives.
  2. Risk Assessment and Treatment Records: Documentation related to the organization’s risk assessment process, including the identification of risks, assessment of their impact and likelihood, and the establishment of risk treatment plans.
  3. Information Security Objectives: Documented information that clearly defines the organization’s information security objectives. This may include the objectives themselves, the rationale behind each objective, and any associated metrics or key performance indicators (KPIs).
  4. Risk Treatment Plans: Documentation specifying the actions and controls planned to address identified risks. These plans should align with the organization’s information security objectives.
  5. Statement of Applicability (SoA): A document that identifies the controls from Annex A of ISO/IEC 27001 that are applicable to the organization, along with justifications for their inclusion or exclusion.
  6. Records of Management Review: Documentation of management reviews of the ISMS, including discussions on the performance of the ISMS, the effectiveness of information security controls, and decisions related to improvements.
  7. Monitoring and Measurement Records: Records of monitoring and measurement activities related to information security performance, including results of internal audits, compliance assessments, and other relevant measurements.
  8. Reports on the Status of Information Security Objectives: Reports or documented information that communicates the status of information security objectives, progress toward achieving them, and any actions taken to address deviations or non-conformities.
  9. Documented Information on Changes: Records of changes made to the information security objectives, risk treatment plans, or other elements of the ISMS. This may include change requests, approvals, and implementation details.
  10. Training and Awareness Records: Documentation related to training and awareness programs for employees regarding information security objectives, policies, and their roles in achieving security goals.

When planning how to achieve its information security objectives, the organization shall determine what will be done; what resources will be required; who will be responsible; when it will be completed; and how the results will be evaluated.

When planning to achieve information security objectives, organizations can follow a systematic approach that involves determining what needs to be done, identifying required resources, assigning responsibilities, establishing timelines, and defining evaluation criteria. Here’s a step-by-step guide:

  1. Determine What Will Be Done:
    • Risk Assessment: Conduct a comprehensive risk assessment to identify potential threats, vulnerabilities, and risks to information assets. This will help prioritize actions based on the level of risk they mitigate.
    • Compliance Requirements: Identify applicable legal, regulatory, and contractual requirements that the organization must comply with. Determine actions needed to meet these requirements.
    • Objectives Alignment: Ensure that planned actions support the organization’s information security objectives and that those objectives are consistent with the information security policy (Clause 6.2 a). The policy sets direction; the objectives and the actions under them are how that direction is achieved.
  2. Identify Resources Required:
    • Personnel: Determine the human resources required to implement the planned actions. This includes skilled personnel for security management, system administrators, and other relevant roles.
    • Technology: Identify the necessary technologies, tools, and systems required to support information security measures. This may include security software, hardware, and other technical controls.
    • Training: Assess the need for training programs to enhance the skills and awareness of employees regarding information security practices.
    • Financial Resources: Estimate the budget required to fund information security initiatives, including personnel costs, technology investments, and training expenses.
  3. Assign Responsibilities:
    • Role Mapping: Clearly define and assign roles and responsibilities for individuals or teams involved in implementing and managing information security measures.
    • Cross-Functional Collaboration: Ensure cross-functional collaboration, involving IT, security, legal, compliance, and other relevant departments.
  4. Establish Timelines:
    • Timeline Development: Develop a realistic and achievable timeline for the completion of each planned action. Consider dependencies and prioritize tasks accordingly.
    • Phased Approach: If applicable, break down the implementation into phases to manage complexity and facilitate monitoring.
  5. Define Evaluation Criteria:
    • Performance Metrics: Establish key performance indicators (KPIs) and other metrics to measure the effectiveness of implemented security measures.
    • Compliance Audits: Plan for regular audits and assessments to verify compliance with internal policies, external regulations, and standards.
    • Incident Response Exercises: Conduct simulated incident response exercises to evaluate the organization’s readiness to respond to security incidents.
    • Feedback Mechanisms: Implement feedback mechanisms to gather insights from employees, stakeholders, and system users regarding the effectiveness of security measures.
  6. Document the Plan:
    • Documented Information: Record the details of the plan, including what actions will be taken, the resources required, responsible parties, timelines, and evaluation criteria.
    • Risk Treatment Plans: Document risk treatment plans, detailing how specific risks will be addressed, mitigated, or accepted.
  7. Communication and Training:
    • Communication Plan: Develop a communication plan to inform stakeholders, employees, and relevant parties about the planned actions and changes.
    • Training Programs: Implement training programs to ensure that personnel are aware of their roles and responsibilities in achieving information security objectives.
  8. Regular Monitoring and Review:
    • Continuous Monitoring: Implement continuous monitoring mechanisms to track progress, identify deviations, and take corrective actions as needed.
    • Regular Reviews: Conduct periodic reviews of the plan to ensure its relevance and effectiveness. Update the plan based on changes in the organizational environment.

By following these steps, organizations can develop a comprehensive plan to achieve their information security objectives. This approach ensures that the planning process is structured, measurable, and aligned with the organization’s overall goals. Additionally, it facilitates ongoing improvement and adaptability to changing security landscapes.

Here are some examples of information security objectives:

  1. Objective: Reduce the Risk of Unauthorized Access to Sensitive Data
    • Measurable Target: 100% of privileged user accounts have multi-factor authentication (MFA) enforced, measured as enforced accounts divided by the privileged account inventory.
    • Timeline: Within the next six months.
    • Responsibility: IT Security Team.
    • Evaluation: Reconcile the privileged account inventory against the identity provider’s MFA enforcement report at a fixed interval, and review authentication logs for privileged sign-ins that succeeded without a second factor; any such sign-in is a deviation to be investigated.
  2. Objective: Enhance Employee Awareness and Training on Information Security
    • Measurable Target: Achieve 100% completion of mandatory information security training for all employees.
    • Timeline: Within the next quarter.
    • Responsibility: Human Resources and IT Security Team.
    • Evaluation: Conduct post-training assessments and track completion rates to ensure all employees have undergone the required training.
  3. Objective: Improve Incident Response and Management Capability
    • Measurable Target: Reduce the average time to detect and respond to security incidents by 20% against a baseline measured from the previous period’s incident records. Without a documented baseline, a percentage reduction cannot be verified.
    • Timeline: Within the next year.
    • Responsibility: Incident Response Team.
    • Evaluation: Track mean time to detect (MTTD) and mean time to contain from incident records, and validate the numbers through simulations, drills, and post-incident reviews.
  4. Objective: Ensure Data Confidentiality and Integrity
    • Measurable Target: Implement encryption for all sensitive data at rest and in transit, as identified in the information asset inventory.
    • Timeline: Within the next nine months.
    • Responsibility: IT Security Team.
    • Evaluation: Verify through configuration audits (TLS settings on exposed services, storage and database encryption at rest, key management practices), supplemented by regular vulnerability assessments and penetration tests to detect plaintext exposure of data that should be protected.
  5. Objective: Achieve Compliance with Relevant Regulations and Standards
    • Measurable Target: Obtain ISO/IEC 27001 certification within two years and maintain it thereafter, while closing all findings from the data protection compliance gap assessment.
    • Timeline: Two years.
    • Responsibility: Information Security Officer and Compliance Team.
    • Evaluation: Regularly assess and update policies and controls, track open findings from internal and certification audits, and confirm ongoing conformity with ISO/IEC 27001 and applicable data protection requirements.
  6. Objective: Enhance Physical Security Measures for Data Centers
    • Measurable Target: Implement biometric access controls for all data center entry points.
    • Timeline: Within the next year.
    • Responsibility: Facilities Management and IT Security Team.
    • Evaluation: Conduct regular security audits and physical inspections to ensure the effectiveness of access controls.
  7. Objective: Improve Patch Management Process
    • Measurable Target: Reduce the time taken to apply critical security patches by 30% from the current baseline, measured from vendor advisory publication to deployment on all affected systems.
    • Timeline: Within the next six months.
    • Responsibility: IT Operations and Security Teams.
    • Evaluation: Monitor patching timelines per advisory and conduct regular vulnerability assessments to confirm that the patches are actually present on the affected systems, not only recorded as deployed.
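Clause 6.2 l) asks how the results will be evaluated. The objectives above only count as measurable if the evaluation can be computed from records the organization already keeps. The following is an added example, not code from the page, that turns four of those objectives (MFA on privileged accounts, training completion, detect-and-respond time, critical patch lead time) into machine-checked KPIs. All data (the account export, training register, incident timestamps, patch dates, and the two baselines) is constructed and hypothetical; a real implementation would read the same fields from the identity provider, the learning system, the incident tracker, and the patch management tool.

```python
"""Evaluate measurable information security objectives from constructed data.

Added example; not the page's or any vendor's code. Every dataset below is a
hypothetical stand-in for an export from a real system.
"""
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean

# Constructed sample data (hypothetical; not from any real system).
ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa_enforced": True},
    {"user": "bob", "privileged": True, "mfa_enforced": False},
    {"user": "carol", "privileged": False, "mfa_enforced": False},
    {"user": "dave", "privileged": True, "mfa_enforced": True},
]
TRAINING = {"alice": True, "bob": True, "carol": False, "dave": True, "erin": True}
# (occurred, detected, contained) as ISO 8601 timestamps, from the incident register
INCIDENTS = [
    ("2024-03-01T08:00", "2024-03-01T10:00", "2024-03-01T16:00"),
    ("2024-04-10T00:00", "2024-04-10T06:00", "2024-04-10T12:00"),
    ("2024-05-05T12:00", "2024-05-05T13:00", "2024-05-05T15:00"),
]
# (vendor advisory published, patch deployed) for critical patches
PATCHES = [
    ("2024-02-01", "2024-02-04"),
    ("2024-02-15", "2024-02-22"),
    ("2024-03-03", "2024-03-05"),
]
# Baselines measured before the objectives were set (assumed values).
BASELINE_CONTAIN_HOURS = 10.0
BASELINE_PATCH_DAYS = 7.0


@dataclass
class ObjectiveResult:
    objective: str
    measured: float
    target: float
    met: bool
    exceptions: list = field(default_factory=list)  # items that cause a miss


def elapsed_hours(start: str, end: str) -> float:
    """Hours between two ISO 8601 timestamps (date-only strings are midnight)."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def percent_reduction(baseline: float, current: float) -> float:
    """Percentage reduction from baseline; a percentage target needs a baseline."""
    if baseline <= 0:
        raise ValueError("baseline must be positive")
    return round((baseline - current) / baseline * 100, 2)


def mfa_coverage(accounts) -> ObjectiveResult:
    """Objective 1: share of privileged accounts with MFA enforced, and who is missing."""
    privileged = [a for a in accounts if a["privileged"]]
    missing = [a["user"] for a in privileged if not a["mfa_enforced"]]
    pct = round(100 * (len(privileged) - len(missing)) / len(privileged), 2) if privileged else 100.0
    return ObjectiveResult("MFA on privileged accounts (%)", pct, 100.0, pct >= 100.0, missing)


def training_completion(training) -> ObjectiveResult:
    """Objective 2: completion rate of mandatory training, and who has not completed it."""
    missing = sorted(u for u, done in training.items() if not done)
    pct = round(100 * (len(training) - len(missing)) / len(training), 2) if training else 100.0
    return ObjectiveResult("Security training completed (%)", pct, 100.0, pct >= 100.0, missing)


def detect_and_respond(incidents, baseline_hours) -> ObjectiveResult:
    """Objective 3: reduction in mean time from occurrence to containment vs. baseline."""
    current = mean(elapsed_hours(occurred, contained) for occurred, _detected, contained in incidents)
    reduction = percent_reduction(baseline_hours, current)
    return ObjectiveResult("Reduction in mean time to contain (%)", reduction, 20.0, reduction >= 20.0)


def patch_lead_time(patches, baseline_days) -> ObjectiveResult:
    """Objective 7: reduction in mean advisory-to-deployment time for critical patches."""
    current = mean(elapsed_hours(published, deployed) / 24 for published, deployed in patches)
    reduction = percent_reduction(baseline_days, current)
    return ObjectiveResult("Reduction in critical patch lead time (%)", reduction, 30.0, reduction >= 30.0)


def evaluate_objectives(accounts=ACCOUNTS, training=TRAINING, incidents=INCIDENTS, patches=PATCHES):
    """Evaluate all four objectives; the returned list is the input to a status report."""
    return [
        mfa_coverage(accounts),
        training_completion(training),
        detect_and_respond(incidents, BASELINE_CONTAIN_HOURS),
        patch_lead_time(patches, BASELINE_PATCH_DAYS),
    ]


if __name__ == "__main__":
    for r in evaluate_objectives():
        status = "MET" if r.met else "NOT MET"
        print(f"{r.objective}: {r.measured} (target {r.target}) {status} {r.exceptions or ''}")
```

Two design points matter for the clause. First, the percentage-reduction objectives refuse to evaluate without a positive baseline, which is exactly the figure that is usually missing when a "reduce by 20%" target is written down. Second, each coverage objective returns the exceptions (the privileged account without MFA, the employee who has not trained), because the status report the clause calls for has to say what action is being taken on deviations, not only that the target was missed.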

Example of procedure for Information security objectives and planning to achieve them

1. Purpose: The purpose of this procedure is to define the process for establishing information security objectives, determining the necessary actions to achieve them, and planning the resources and responsibilities for effective implementation.

2. Scope: This procedure applies to all employees, contractors, and relevant stakeholders involved in information security management within the organization.

3. Responsibilities:

  • Information Security Officer (ISO): Overall responsibility for overseeing the establishment and planning of information security objectives.
  • IT Security Team: Implementing and monitoring security controls and actions.
  • Risk Management Team: Conducting risk assessments and assisting in the development of risk treatment plans.
  • Department Heads/Managers: Collaborating with the IT Security Team to ensure that department-specific security objectives are aligned with organizational objectives.

4. Procedure Steps:

4.1. Establish Information Security Objectives:

  • Risk Assessment:
    – Conduct regular risk assessments to identify and prioritize information security risks.
    – Document risk findings and assess their potential impact on the organization’s objectives.
  • Review of Legal and Regulatory Requirements:
    – Regularly review and update a list of applicable legal, regulatory, and contractual requirements related to information security.
    – Ensure that information security objectives align with these requirements.
  • Stakeholder Input:
    – Seek input from key stakeholders, including management, IT teams, and relevant departments, to identify their information security priorities.
  • Define Information Security Objectives:
    – Develop clear and specific information security objectives that address identified risks, legal requirements, and stakeholder input.
    – Document each objective, including the purpose, measurable targets, and associated key performance indicators (KPIs).

4.2. Planning to Achieve Information Security Objectives:

  • Resource Identification:
    – Identify the resources required to achieve each information security objective, including personnel, technology, training, and financial resources.
  • Responsibility Assignment:
    – Assign responsibilities for implementing and monitoring each information security objective.
    – Clearly define roles and responsibilities for the IT Security Team, department heads, and other relevant personnel.
  • Timeline Development:
    – Develop a detailed timeline for the implementation of actions associated with each information security objective.
    – Consider dependencies and prioritize tasks accordingly.
  • Evaluation Criteria:
    – Establish criteria and metrics to evaluate the effectiveness of implemented security measures.
    – Develop key performance indicators (KPIs) and measurement methods.
  • Documentation:
    – Document the entire planning process, including identified resources, assigned responsibilities, timelines, and evaluation criteria.
    – Maintain records of risk assessments, legal and regulatory reviews, and stakeholder input.

4.3. Review and Approval:

  • Review:
    – Conduct a formal review of the information security objectives and the associated planning documentation.
    – Ensure that the objectives are realistic, achievable, and aligned with the organization’s strategic goals.
  • Approval:
    – Obtain approval from senior management for the established information security objectives and the corresponding planning.
    – Document the approval and communicate the objectives and plans to relevant stakeholders.

5. Monitoring and Review:

  • Continuous Monitoring:
    – Implement continuous monitoring mechanisms to track progress toward information security objectives.
    – Regularly assess and report on the effectiveness of security measures.
  • Periodic Review:
    – Conduct periodic reviews of the information security objectives, planning, and associated controls.
    – Update the objectives and plans based on changes in the organizational environment or risk landscape.

6. Training and Communication:

  • Conduct training sessions to ensure that personnel are aware of their roles and responsibilities in achieving information security objectives.
  • Communicate changes or updates to objectives and plans to all relevant stakeholders.

7. Record Keeping:

  • Maintain records of the entire process, including risk assessments, objectives, planning documents, and review outcomes.
  • Ensure proper version control and retention of records.

8. Revision History:

  • Document any changes or updates made to this procedure, including the date of revision and a summary of changes.

9. References:

  • Include references to relevant policies, standards, and regulatory requirements that guide information security objectives and planning.
