ISO 27001 is an international standard specifying how organizations should develop and implement an effective information security management system (ISMS).

Organizations can apply ISO 27001 to manage their information security risks and be certified as ISO 27001-compliant. The measures to achieve compliance are specified in Annex A of the standard; organizations should select and apply the necessary controls to safeguard their stakeholders based on their own company risk profile.

One ISO 27001 criterion is rarely highlighted, but it can be critical to the long-term success of your ISMS. That would be clause 6.2 of the standard, which addresses information security objectives.

What Are ISMS Security Objectives?

An ISMS has three security objectives: confidentiality, integrity, and availability.

Confidentiality refers to the protection of sensitive information (both personal and corporate) from unauthorized access and disclosure. Unauthorized access, data breaches, and cyber assaults are all potential threats to confidentiality. 

Unauthorized access, data breaches, and cyber assaults are all potential threats to confidentiality. Implementing access control regulations, deploying encryption and password protection, and providing regular data protection training to staff are all strategies for maintaining confidentiality.

Integrity is the guarantee of information’s authenticity and completeness while protecting it against unwanted tampering. Data tampering, malicious modifications, and illegal changes are all potential threats to integrity. 

Data tampering, malicious modifications, and illegal changes are all potential threats to integrity. Integrity strategies include putting in place security measures, backing up data, and testing and verifying data on a regular basis.

Availability assures that information and systems are available and operating when required. System failures, natural catastrophes, and cyber assaults all threaten the availability of information.

System failures, natural catastrophes, and cyber assaults are all potential sources of availability threats. Implementing backup systems, investing in redundancy and failover procedures, and performing regular maintenance and upgrades are all strategies for increasing availability.

How to Identify Objectives for ISO 27001

When contemplating the goals you want your information security management system to achieve, make sure those goals are business-oriented and will help you operate a (more) secure, better-performing organization; don’t pursue objectives that simply look good on a page. Consider what the interested parties would like to have assessed and monitored.

For example, ask yourself: Why do consumers buy from your business, and what are their concerns regarding information security? What amount of information assurance, protections, and monitoring would they require if they thoroughly examined your ISMS?

Concentrate on setting meaningful objectives rather than a slew of metrics or targets that will require you to spend all your time on administration but provide no value to the organization.

You may already be measuring and monitoring your objectives, so remember what you are doing and what may require further work. ISO 27001 isn’t meant to catch anyone by surprise with its measurement requirements; it just drives you to measure what is essential for your information security — which many organizations already do, either implicitly or formally.

What You Need to Know for Your Information Security Objectives

Now that we know that information security objectives in ISO 27001 allow organizations to establish a baseline and measure against it successfully, what do the objectives look like? How should they be phrased?

Consistent with the Information Security Policy

The objectives you define for the information security management system must align with your information security policies — or, more accurately, your information security policies must align with your objectives. Your objectives should be written into your policies (say, at the top, before the details of an individual policy are listed) so that everyone understands what the objective of the policy is; employees need to know why they are doing what they are doing. Including the objective in the policy also helps to assure that documentation you gather as part of your policy is actually relevant to what you want to achieve.

Measurable Objectives

Information security objectives must be quantifiable. A nice method to think about quantifying an aim is to write it using the SMART framework. The objectives should be:

  • Specific
  • Measurable
  • Achievable
  • Realistic
  • Timely

A goal is meaningless if it cannot be measured.

Risk-Based Information Security Objectives

ISO 27001 is a risk-based information security management framework. So identify the risks to your information security first, such as by following clause 6.1.2 (information security risk assessment) or 6.1.3 (information security risk treatment). The identified risks will guide your information security objectives.

Communicated Information Security Objectives

You should convey your information security objectives in a variety of formats, such as including them in your information security policy or in employee security training. 

Information Security Objectives are Updated

Information security objectives are not static; as risks change and as your security capabilities improve, your objects should be updated to reflect those new realities. Evaluate your information security management system constantly for relevance and take corrective actions as appropriate.

How Do You Measure Information Security Objectives?

When creating objectives, identify metrics and benchmarks. This should include measurements that may be collected, analyzed, and used to improve security posture.

Set Objectives and Maintain Compliance with ZenGRC

Compliance audits for ISO (or any other regulatory framework) can be complicated and time-consuming. Understanding what is required of you, performing internal audits, and documenting your efforts is tricky — but help is available.

ZenGRC is a fully integrated platform that allows you to monitor the whole life cycle of your compliance and risk management program. ZenGRC enables you to monitor outstanding needs, organize documents, and prioritize activities to achieve and maintain compliance.

Schedule a demo to see how ZenGRC can help establish your company’s compliance program.