ISO 27001 Clause 6.2: Information Security Objectives And Planning To Achieve Them (2022)
This version of clause 6.2 is applicable to both ISO 27001:2022 and ISO 27001:2013, and concerns an organisation’s information security objectives and how to put a plan in place to achieve them.
Information security objectives for ISO 27001
Information security objectives are often different for different levels of the organisation. The senior leadership of the organisation must establish these objectives according to the functions and at what level they are applicable.
These objectives should be consistent with the information security policy and measurable (if practicable). These objectives must consider the information security requirements and results from risk assessment and treatment. This should justify the risk acceptance criteria discussed above. These objectives must be monitored, communicated with the organisation’s members, updated regularly, and kept in documented form.
What are the three ISMS security objectives?
The three ISMS security objectives are confidentiality, integrity and availability.
Confidentiality means that the information concerned by the ISMS must be secure and protected from unauthorised internal and external access. Employees must be trained in the relevant processes used to ensure confidentiality, such as password protection, encryption and control policies.
Integrity refers to the accuracy and reliability of information that an organisation holds. The information must be stored securely and updated regularly to ensure it is safe and up-to-date.
Availability means that the information stored is accessible by the relevant people when needed. It also requires threats like cyber attacks and system failures to be taken into consideration so that data can still be accessed at any time.
Planning to achieve the security objectives
Once an organisation has established its security objectives, it then has to plan a course of action to achieve them. Planning a course of action includes considering what needs to be done and how. For example, if an organisation’s objective is to secure servers within the organisation, the course of action would be securing its physical location and installing security software to protect it from unauthorised internal access or external cyber-attacks.
Another element to consider in the planning process is the availability of the resources required; organisations and senior leadership should ensure that the plan is realistic in terms of the resources available to them. They should also consider the amount of time that is required to achieve these objectives.
The planning phase also includes detailing who will be responsible for achieving the security objectives, which should be clearly communicated to the individuals involved throughout the organisation.
The final phase of the planning stage involves deciding how the results will be evaluated. This could be consistent across the identified objectives, but is more likely to require a bespoke approach to measuring the success of the individual information security objectives.