You likely already know why you want to set up your ISMS and have some general goals for what success will look like for your organisation. Clause 6.2 starts to make these goals more specific and relevant to what you’re doing to protect information security, especially keeping information private, making sure it’s accurate, and ensuring it’s available when needed (CIA) for the information you’ve included in your ISMS.
What is ISO 27001:2022 Clause 6.2, Information Security Objectives and Planning to Achieve Them?
The organisation shall establish information security objectives at relevant functions and levels. The information security objectives shall:
a) be consistent with the information security policy;
b) be measurable (if practicable);
c) take into account applicable information security requirements, and risk assessment and risk treatment results;
d) be monitored;
e) be communicated;
f) be updated as appropriate;
g) be available as documented information.
The organisation shall retain documented information on the information security objectives. When planning how to achieve its information security objectives, the organisation shall determine:
h) what will be done;
i) what resources will be required;
j) who will be responsible;
k) when it will be completed; and
l) how the results will be evaluated.
What does Clause 6.2 involve?
To deal with this part of the standard, it’s important that you’ve already understood your organisation and its situation (4.1), figured out what interested parties need (4.2), set your ISMS scope (4.3), and at least started to do your risk assessment and treatment (6.1).
The specific requirement for 6.2 is:
“Set information security goals that apply to you (and can be measured if possible), keeping in mind the information security needs and the results of your risk assessment and treatment. Decide what will be done, what things you’ll need, who will be in charge, when it will be finished, and how you’ll check the results.”
So Clause 6.2 of the standard basically asks: ‘How will you know if your information security management system is working the way it’s supposed to?’
How to Set Goals for 6.2
When you’re thinking about what you want to achieve with your information security management system, make sure your goals are focused on your business. They should help you run a more secure and better-performing organisation, not just be things you can tick off a list or that look good on paper. Also, think about what the people who have an interest in your organisation will want to see measured and watched.
For example, why do customers buy from you, and what information security problems would they worry about? If they looked closely at your ISMS, what level of information security, what measures, and what monitoring would be important to them?
Focus on creating goals that really mean something, not just lots of numbers or targets that will make you spend all your time on paperwork without adding any real value to the organisation.
You might already be measuring and watching some things related to your goals, so remember to think about what you’re already doing as well as what might need more work. ISO isn’t trying to trick anyone with the measurement part; they just want to be sure you’re measuring what’s important. Many smart businesses will already be doing this in some way, even if they haven’t written it all down clearly.
Connect what you do here closely with the management reviews in section 9.3. Keep your evidence of the results in your management review area or link to it so it’s easy to find during review meetings and audits.
You can show the results of your performance measurement in different ways.
Here are some simple steps to meet the needs of Clause 6.2:
1. Find your important stuff: First, figure out what information is most critical to your organisation.
2. Check the dangers: Think about what could go wrong with this important information.
3. Set goals that fit: Create security goals that match how much risk you’re willing to take and help lower the dangers you found.
4. Write down your goals: Put your security goals on paper.
5. Make a plan: Create a detailed plan that says what you’ll need, when things will happen, who will do what, and how you’ll do it.
6. Do it: Put your plan into action.
7. Watch and check: Regularly look at your plan to make sure it’s still working well. If it’s not working anymore, go back to steps 5 to 7 to make your goals and plan better so they protect your organisation’s important information in the best way.
By following these steps, you’ll help your organisation meet the rules of Clause 6.2 and make its overall information security stronger.
Key parts of clause 6.2
Now, let’s look at the main things this part of the standard covers:
- Relevance: Your goals must fit with what your business needs and help protect your important information.
- Risk Alignment: Make sure your goals match how much risk you’re willing to accept and the resources you have.
- Measurability: Your goals should be something you can measure and that are realistically achievable.
- Planning: Create a full plan that includes what you need, when things will happen, who is responsible, and how you’ll do it.
Why is clause 6.2 important?
Clause 6.2 is really important because it makes sure organisations know how to protect their important information. By setting goals that can be measured and making a good plan, organisations can lower the chance of security problems.