The basics
ISO 27001 sub-clause 6.2 is called “Information security objectives and planning to achieve them” — it requires establishing measurable information security objectives and defining the plan on how to achieve them.
Documentation
ISO 27001 clause 6.2 Information security objectives and planning to achieve them requires writing the following document:
- List of information security objectives
Implementation
To comply with clause 6.2 Information security objectives and planning to achieve them, you must define information security objectives by following these steps:
- Define what the top management wants to achieve with the implementation of the ISMS.
- Based on those inputs, define the top-level security objectives that are measurable.
- Define which controls are applicable through the Statement of Applicability.
- Define if operational security objectives will be set for individual controls and/or for groups of controls and/or for security processes and/or for organizational units.
- Based on those inputs, define operational security objectives that are measurable.
Audit evidence
During the ISO 27001 certification audit, the auditor will assess the following regarding clause 6.2 Information security objectives and planning to achieve them:
- If you have a document where you have written your security objectives.
- If the objectives are measurable.
- If the employees in your company are aware of the appropriate objectives – for example, if the top management is aware of the top-level ISMS objectives, or if the software testers are aware of the objective for the control related to software testing.
- If the achievement of the objectives was measured.
- If the top management was informed about the performance of the ISMS during the management review.
- If corrective actions were raised in cases where the objectives were not achieved.
- In general, the auditor will want to see proof that the ISMS and security controls are effective, i.e., that the risks are lower and that the objectives have been achieved.
These are the things the auditor will be looking for; if they are not found, this is considered a nonconformity.
Note: Since the security key performance indicators (KPIs) are not required by ISO 27001, the certification auditor will not be looking for KPIs during the audit.