ISO 27001 CLAUSE 6.2 Information security objectives & planning
Objectives and planning
ISO 27001 CLAUSE 6.2 Information security objectives & planning implementation.
Required activity
Information security objectives are established and plans are made to realize them at relevant levels and functions.
Guide for Implementation
Information security objectives facilitate the implementation of strategic goals, as well as the implementation of knowledge security policies. An ISMS, therefore, provides objectives for ensuring confidentiality, integrity, and availability of data. Specifically defining and measuring information security objectives contributes to the development of the knowledge security policy and data security controls and processes.
The organizational plan identifies information security objectives for relevant parties and levels.
Information security objectives can be all or any of the objectives defined by ISO/IEC 27001 concerning information security. If the knowledge security policy outlines objectives, they must be following the standards. When a policy contains a framework for identifying objectives, those objectives must be able to meet the objectives that are generated by the framework.
The requirements to be considered when establishing objectives can also be determined by understanding how the organization and its environment intersect as well as by knowing the expectations of the interested parties.
As the results of risk assessments and risk treatment are used to conduct an ongoing review of the objectives to ensure they remain relevant to the circumstances of a corporation’s information security objectives. Information security risk assessments are aided to a great extent by these objectives, which provide inputs into risk assessments, risk acceptance criteria, and criteria to perform those assessments. Be sure to consider these security objectives so that risk levels are aligned with them.
As per ISO/IEC 27001, the following information security objectives should be met:
– Consistent with knowledge security policy;
– Measurable if possible; this implies that it is important to know when an objective has been achieved;
– Aligned with applicable information security requirements, based on risk assessments and risk reduction measures;
– Communication was made;
– Updated as necessary;
The organization maintains documentation of its knowledge security objectives.
Organizations determine the path to achieving their security objectives by:
– Plans for action;
– Resources needed;
– In whose hands the responsibility lies;
– The completion date;
– The method of evaluating the results;
The above planning requirement is generic and can apply to other plans mandated by ISO/IEC 27001. Plans to think about for an ISMS include:
– Plans to improve the ISMS;
– Treatment plans for identified risks;
– Any other plans deemed necessary to make the organization run efficiently (for instance, initiatives to develop competence and raise awareness, or performance evaluations, or management reviews and audits).
Information security policies will state or provide a framework for defining knowledge security objectives. There are many ways to express security objectives. Whenever practicable, the expression should be able to satisfy the need for measurement (ISO/IEC 27001:2013).
Information security objectives can be summarized as follows:
– Numbers with their limitations, such as “not re-evaluate a particular limit”, or “reach level 4”;
– Measuring the performance of data security;
– Measurement targets for ISMS effectiveness;
– Conformity with ISO/IEC 27001;
– Adherence to ISMS procedures;
– The need to complete actions and plans;
– Risk criteria that must be met.
These guidelines apply to the bullets in the explanation:
– An organization’s knowledge security policy states its needs for information security. Then, based on those other specific requirements for the relevant functions and levels, the other requirements should be established. When the knowledge security policy has information security objectives, then those details should be connected to those in the policy. If the knowledge security policy merely sets objectives, then the objectives should be defined within the framework and made sure that some more specific goals are linked to the more generic ones;
– Measuring goals does not apply to all objectives, but if goals are measurable, they are more likely to be achieved and improved. Being able to describe quantitatively or qualitatively the extent to which an objective has been met is extremely desirable. The outcomes of such an analysis may, for instance, indicate what should be done extra to meet objectives, or to reveal opportunities for improved efficiency if objectives are exceeded. Whether the objectives were achieved or not should be clear, how the goal-achieving process works, and if it’s possible to quantify the degree of achievement. In the quantitative description of objective attainment, it should be specified how the associated measurement is conducted. Otherwise, determining the level of achievement of all objectives will not be possible.
If possible, objectives must be measurable according to ISO/IEC 27001;
A clear alignment between information security objectives and information security needs should be the goal; in this regard, results of risk assessment and treatment should be used to establish information security goals;
As part of your information security objectives, you should communicate them to relevant internal stakeholders of the organization. Communication with external parties should be undertaken, such as customers and stakeholders, to ensure they understand the knowledge security objectives;
Security objectives should be updated as information security needs to change over time. An update on their progress should be communicated as necessary, both internally and externally, as need be.
An organization needs to plan how to achieve its information security objectives. Any method or mechanism that will ensure that the organization’s security objectives are met can be used. A security plan could also be part of one or more project plans, or actions could be implemented through other organizational plans. Whatever form planning takes.
The resulting plans should be as follows:
– a list of activities;
– a list of the specified resources for each activity;
– what the responsibilities are;
– a timeline and milestone for each activity;
– an evaluation plan that includes methods and measures for assessing whether results are in line with objectives.
Organizations are required to keep documented information on knowledge security objectives under ISO/IEC 27001 standards. Documented information includes:
– Goals, actions, resources, deadlines, responsibilities, and methods for evaluation;
– Features such as the requirements, tasks, resources, responsibilities, and modes of evaluation.
Related Questions
1. What are the three ISMS security objectives?
2. What are the various domains of ISO 27001?
3. What does ISO 27001 certification entail?
4. What are the requirements of ISO 27001?
5. How does ISO 27001 CLAUSE 6.2 Information security objectives & planning work?