What are information security objectives in ISO 27001? Who should define these? And why are they important? These are some of the common questions we are asked and attempt to answer in this article.
Information security objectives in ISO 27001 allow organisations to set their requirements from the outset and to continuously monitor whether they are achieving them. After all, how will you know how effective your security controls are if you aren’t measuring them? And how will you know you are meeting your desired level of security if it isn’t defined from the outset?
For those familiar with the Plan-Do-Check-Act lifecycle, this forms a fundamental part of it. Organisations should establish their information security objectives, criteria and measurements to ensure there is a constant lifecycle of monitoring, review and improvement.
So, in this instance, for Plan you would set your organisation’s security goals in line with the strategic direction of the organisation (this is where senior input is required). For the Do phase, you would then define how you will measure these goals with realistic metrics. During the Check phase, you would review the metrics at defined periods. And finally, in the Act phase, if you haven’t met the objectives specified you will improve controls, and the cycle repeats.
What do information security objectives look like?
So, now we know that information security objectives in ISO 27001 enable organisations to effectively set a bar and measure against that bar, what do information security objectives look like? How should these be phrased?
Objectives need to be realistic, measurable and tangible; that is, they can be compared over time and deliver real-time snapshots of how controls are performing. The SMART concept is often remembered here: Specific, Measurable, Achievable, Relevant and Time-Based.
Below are examples of effective objectives, at a strategic level and at control level to support the business objective. It is often easier to begin with a strategic level requirement and support this through individual control level requirements. See below for an example.
A strategic level requirement for the ISMS may be to “Ensure systems are available at all times to those who require them, and minimise downtime”. This is obviously not measurable, but it sets the strategic direction for the organisation and indicates that availability is key.
This can be supported by a tactical level objective which states “System uptime shall be maintained at 95% availability over the year, and systems shall be fully restored within 4 hours of loss”. This is a tangible, measurable objective which supports achieving the strategic objective above it.
How can objectives be measured?
At the time of defining objectives, it is often prudent to define metrics and measurements. This should include metrics that can be obtained, reviewed and used to improve security posture. Using the example above, system uptime metrics can be pulled from systems on a monthly basis and used to validate that tactical (and by proxy, strategic) objectives are being met. This can be reviewed as part of ISMS meetings and driven as part of continual improvement.
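As an added illustration (not part of the original article), the following Python script turns the tactical objective above into a measurement: it takes outage records, produces the monthly and annual availability and longest restore-time figures, and reports whether the 95% availability and 4-hour restore targets were met. The outage records are constructed sample data, and the function names are my own.

```python
from datetime import datetime, timedelta

# Tactical objective as phrased in the article: 95% availability over the
# year, and systems fully restored within 4 hours of loss.
AVAILABILITY_TARGET = 0.95
MAX_RESTORE_HOURS = 4.0

# Constructed sample outage records (start, end) for one system in 2024
# (illustrative values only, not data from the article).
SAMPLE_OUTAGES = [
    (datetime(2024, 1, 10, 2, 0), datetime(2024, 1, 10, 5, 30)),   # 3.5 h
    (datetime(2024, 1, 22, 14, 0), datetime(2024, 1, 22, 15, 0)),  # 1.0 h
    (datetime(2024, 2, 3, 9, 0), datetime(2024, 2, 3, 14, 0)),     # 5.0 h
]

def hours(td):
    return td.total_seconds() / 3600.0

def measure(outages, period_start, period_end):
    """Check both halves of the objective over one period; downtime is clipped
    to the period, the restore check uses the full length of outages starting in it."""
    downtime = timedelta(0)
    longest_restore = timedelta(0)
    for start, end in outages:
        clipped = min(end, period_end) - max(start, period_start)
        if clipped > timedelta(0):
            downtime += clipped
        if period_start <= start < period_end:
            longest_restore = max(longest_restore, end - start)
    availability = 1.0 - downtime / (period_end - period_start)
    return {
        "availability": availability,
        "downtime_hours": hours(downtime),
        "longest_restore_hours": hours(longest_restore),
        "availability_met": availability >= AVAILABILITY_TARGET,
        "restore_met": hours(longest_restore) <= MAX_RESTORE_HOURS,
    }

def monthly_review(outages, year):
    """Monthly snapshots for the ISMS review meeting, keyed 'YYYY-MM'."""
    report = {}
    for month in range(1, 13):
        start = datetime(year, month, 1)
        end = datetime(year + (month == 12), month % 12 + 1, 1)
        report[f"{year}-{month:02d}"] = measure(outages, start, end)
    return report

def annual_review(outages, year):
    """Whole-year snapshot for the 'over the year' part of the objective."""
    return measure(outages, datetime(year, 1, 1), datetime(year + 1, 1, 1))
```

With the sample data, February's 5-hour outage breaches the restore objective even though availability stays above 95%, which is exactly the kind of finding the monthly review should surface.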
So, in a nutshell, that is what information security objectives in ISO 27001 are, why they are useful, how to define them and how they can be measured.
The key points for this are:
- Information security objectives in ISO 27001 must be driven from the top down. It is often helpful to define strategic objectives, supported by tactical low-level objectives that can be measured.
- Metrics should be measurable and support continual improvement. Measurement periods should be defined, and metrics reviewed to support control objectives.