Part 18: Clause 6.2 Information security objectives and planning to achieve them
This clause is a tricky one and difficult to get right. It takes thought and understanding.
Most companies have regular objectives they want to achieve, mainly in sales, marketing, operations or the support areas. The objectives will be around meeting budget, delivering things on time or answering questions within a certain time-frame. These things are easy to measure and easy to define. For information security, though, putting objectives together is another level of difficulty.
An objective like “having zero information security incidents” is probably the most common. There is a lot of debate around the term “zero”. In the safety industry there has been a decades-long debate on the objective “zero harm”. So tread carefully if you have that objective. One argument against it is that the easiest way to achieve it is for staff not to record any incidents. They will hide incidents because they want the company to achieve the objective. This is the exact opposite of what your ISMS wants to achieve.
My advice is to work through the 14 sections of Annex A of ISO 27001 and define your objectives from the risk assessment and the risk treatment you have on your risk register from the previous blog. This advice comes from a sub-clause of 6.2. Clause 6.2 c) says:
Take into account applicable information security requirements and the results from risk assessment and risk treatment.
From a previous blog, it’s important to use the SMART framework: SMART stands for Specific, Measurable, Attainable, Realistic and Timely. Read through that blog to get a good understanding.
So how many objectives should our organisation have? Well, that depends on your risk assessment and your risk treatments. Having too many will make your system bloated. Having too few will not drive your system along.
My advice is that 3 to 5 objectives is generally optimal.
Here at Mango we have 4 objectives. These are around making sure the employees are involved in the system’s development, achieving ISO 27001 certification and meeting the European General Data Protection Regulation (GDPR) prior to May 25th 2018. We have created plans to achieve these objectives. We have sales plans, marketing plans and operations plans. We then update progress against these objectives on a monthly basis in our management review meeting.
As per my blog on creating quality objectives, companies tend to fail to communicate objectives clearly to employees.
One way we did this at Mango was to hold a staff meeting. We covered the following:
- Each objective needs to be discussed in detail.
- The plan for how each objective will be attained, and the time-frame for each objective, needs to be clear.
- The role of each team member.
- Identify who is responsible for meeting the objectives.
- Every team member needs to receive a printout of the list of objectives and the steps necessary to reach them.
- End with a question-and-answer session.
It’s important to constantly monitor your objectives so you can identify when you are not on track and do something about it. Keep a documented record of doing that.
Finally, always remember that you can change your objectives if they don’t fit with the rest of the information security management system (ISMS). Here at Mango, we know that our objectives are OK for starting out the system, but over time they will develop further as new technology, new regulations and new vulnerabilities emerge.
- Give your objectives plenty of thought.
- Use your risk assessments and risk treatments when creating your quality objectives.
- Include your team members in the establishment and implementation of the objectives.
- Communication is the key.
- Monitor and evaluate the results.
View previous blogs in this series "ISO 27001 Information Security Management Standard":