
The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

ISO 27001 control objectives – Why are they important?

Peter Drucker (one of the most influential thinkers on the subject of management theory) said “What gets measured gets managed”. The same goes for information security – if you don’t know how well you are doing, you’ll have a very difficult time steering your information security in the desired direction.

And it is exactly this ‘desired direction’ that is an essential part of measurement – setting the objectives. Only if you know exactly what you want to achieve will you be able to tell how far you are from, or how close you are to, actually achieving it. Equally important – you’ll be able to answer your management’s question: “Did our investment in security pay off?”

Measurement in ISO 27001


Those of you who know the philosophy of ISO 27001 know that the so-called PDCA management cycle (Plan-Do-Check-Act) is the foundation of this standard.

The concept of measurement is also best explained through this PDCA cycle:

  • In the Plan phase you need to set the objectives (ISO 27001 4.2.1 b 1) and 4.2.1 g),
  • In the Do phase you must figure out how to measure to what extent your objectives are achieved (ISO 27001 4.2.2 d),
  • In the Check phase you need to start the actual measurement (ISO 27001 4.2.3 c), and finally
  • In the Act phase, once you realize you haven’t achieved your objectives (which is very often the case), you need to make certain improvements (ISO 27001 4.2.4 d)

And ISO 27001 requires at least two different levels of objectives to be set:

  1. Objectives for the whole Information Security Management System (ISMS) – ISO 27001 4.2.1 b) 1), and
  2. Objectives for each security control (safeguard) – ISO 27001 4.2.1 g)

Of course, depending on the size and complexity of your organization, you can choose to add another layer of objectives – e.g. at the level of individual organizational units (departments, etc.)

How to set (measurable) security objectives

My clients always ask me “OK, but how can I measure my backup, or my firewall?”. The secret lies in setting objectives which are easy to measure – you might have heard of the S.M.A.R.T. concept: objectives need to be Specific, Measurable, Achievable, Relevant, and Time-based.

So, what would it look like for the firewall? Something like ‘We want our firewall to stop 100% of unwanted network traffic’. Is it measurable? Yes – you will find out, sooner or later, whether some unwanted traffic has passed through the firewall.

Another example – backup. The objective could be ‘We want our maximum loss of data to be 6 hours.’ Measurable? Yes – and you don’t have to wait for data loss to happen: you can test your backup and see how much of the data you can restore.

An example of the objective for the whole ISMS could be ‘We want to decrease the number of information security incidents by 50% in the next year’. Again, pretty specific and therefore measurable.
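The three objectives above only become useful in the Check phase if something actually computes them. The script below is an added example, not part of the original post, showing how each objective could be measured automatically from operational data: a firewall log, the timestamps of successful backups, and yearly incident counts. All log lines, timestamps and counts are constructed sample data, and the rule for what counts as ‘unwanted traffic’ (inbound flows to a list of ports that must never be allowed) is an assumed policy that a real ISMS would define itself.

```python
"""Added example: measuring the three objectives from the post against
constructed data. The 'unwanted traffic' policy and all sample records are
assumptions for illustration, not something the post specifies."""
from datetime import datetime, timedelta

# Constructed firewall log lines: timestamp, action, source, '->', dest:port.
FIREWALL_LOG = [
    "2024-03-01T10:00:01 ALLOW 203.0.113.5 -> 10.0.0.8:443",
    "2024-03-01T10:00:02 DENY 198.51.100.9 -> 10.0.0.8:23",
    "2024-03-01T10:00:03 DENY 198.51.100.9 -> 10.0.0.8:3389",
    "2024-03-01T10:00:04 ALLOW 198.51.100.7 -> 10.0.0.8:23",  # policy violation
]
# Assumed policy: inbound traffic to these ports is 'unwanted' and must be blocked.
UNWANTED_PORTS = {23, 3389, 445}

# Constructed completion times of successful backups. The 12:00 run failed,
# so the restorable copies are 8 hours apart at that point.
BACKUP_SUCCESS = [
    "2024-03-01T00:00:00", "2024-03-01T04:00:00", "2024-03-01T08:00:00",
    "2024-03-01T16:00:00", "2024-03-01T20:00:00",
]
# Constructed 'now' for the restore test / measurement run.
MEASUREMENT_TIME = datetime(2024, 3, 1, 22, 0, 0)

# Constructed yearly incident counts.
INCIDENTS = {"2023": 24, "2024": 11}


def firewall_block_rate(log_lines, unwanted_ports):
    """Objective: 'stop 100% of unwanted network traffic'.
    Returns (percentage of unwanted flows blocked, number of allowed violations)."""
    unwanted = violations = 0
    for line in log_lines:
        _ts, action, _src, _arrow, dst = line.split()
        port = int(dst.rsplit(":", 1)[1])
        if port in unwanted_ports:
            unwanted += 1
            if action == "ALLOW":
                violations += 1
    if unwanted == 0:
        return 100.0, 0
    return 100.0 * (unwanted - violations) / unwanted, violations


def worst_case_data_loss(success_times, now):
    """Objective: 'maximum loss of data is 6 hours'.
    The worst case is the largest gap between consecutive restorable backups,
    including the gap from the newest backup to the measurement time."""
    times = sorted(datetime.fromisoformat(t) for t in success_times) + [now]
    return max(later - earlier for earlier, later in zip(times, times[1:]))


def incident_reduction_pct(counts, baseline_year, current_year):
    """Objective: 'decrease the number of incidents by 50%'.
    Returns the percentage reduction from the baseline year."""
    base, current = counts[baseline_year], counts[current_year]
    return 100.0 * (base - current) / base


def evaluate_objectives(now=MEASUREMENT_TIME):
    """Return {objective: (measured, target, met)} so the Check phase can report
    each measurement against the target set in the Plan phase."""
    blocked_pct, _violations = firewall_block_rate(FIREWALL_LOG, UNWANTED_PORTS)
    loss_hours = worst_case_data_loss(BACKUP_SUCCESS, now) / timedelta(hours=1)
    reduction = incident_reduction_pct(INCIDENTS, "2023", "2024")
    return {
        "firewall blocks 100% of unwanted traffic": (blocked_pct, 100.0, blocked_pct >= 100.0),
        "maximum data loss 6 hours": (loss_hours, 6.0, loss_hours <= 6.0),
        "incidents down 50% year over year": (reduction, 50.0, reduction >= 50.0),
    }


if __name__ == "__main__":
    for name, (measured, target, met) in evaluate_objectives().items():
        status = "MET    " if met else "NOT MET"
        print(f"{status} {name}: measured {measured:.1f}, target {target:.1f}")
```

With the constructed data the firewall objective fails (one unwanted flow was allowed, so only two of three unwanted flows were blocked), the backup objective fails (the failed 12:00 run leaves an 8-hour window of data that could not be restored) and the incident objective is met (24 to 11 is a 54% drop). That is exactly the kind of output the Act phase needs: a concrete, per-objective answer to “did we achieve it?” rather than a general impression.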

Objectives should help you manage your security…

Setting the objectives and measuring them is a rather new and unexplored aspect of information security. It is very often seen as overhead, mostly because of a lack of knowledge rather than for practical reasons.

But nowadays there is more and more literature on this topic (the ISO 27004 standard being one of the best sources) and an increasing number of information security practitioners with experience in this field, so measurement is slowly making its way into the information security mainstream.

To finish this post with another quote – “If you don’t know where you’re going, you’ll probably end up somewhere else.” Don’t let that happen to you.

You can also check out our webinar ISO 27001 and ISO 27004: How to measure the effectiveness of information security?
