Objectives and planning
ISO 27001 CLAUSE 6.2 Information security objectives & planning to achieve them.
The organization establishes information security objectives and plans to realize them at relevant functions and levels.
Information security objectives help to implement the strategic goals of an organization and to implement the information security policy. The objectives in an ISMS are therefore the information security objectives for the confidentiality, integrity and availability of information. Information security objectives also help to specify and measure the performance of information security controls and processes, in accordance with the information security policy.
The organization plans, establishes and issues information security objectives at relevant functions and levels.
The requirements in ISO/IEC 27001 concerning information security objectives apply to all information security objectives. If the information security policy contains objectives, then those objectives are required to satisfy the standard. If the policy contains a framework for setting objectives, then the objectives produced by that framework are required to satisfy it.
Requirements to be taken into consideration when establishing objectives are those determined when understanding the organization and its context, as well as the needs and expectations of interested parties.
The results from risk assessments and risk treatments are used as input to the ongoing review of objectives, to ensure that they continue to be appropriate to the circumstances of the organization. Information security objectives are in turn inputs for risk assessment: risk acceptance criteria and the criteria for performing information security risk assessments take these security objectives into consideration and thus ensure that levels of risk are aligned with them.
Information security objectives as per ISO/IEC 27001 are:
- Consistent with the information security policy;
- Measurable if practicable; this means it is important to be able to determine whether or not an objective has been met;
- Connected to applicable information security requirements, and results from risk assessment and risk treatment;
- Updated as appropriate;
The organization retains documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization determines:
- What will be done;
- What resources will be required;
- Who will be responsible;
- When it will be completed;
- How the results will be evaluated;
The above requirement concerning planning is generic and applies to other plans required by ISO/IEC 27001. Plans to consider for an ISMS include:
- Plans for improving the ISMS;
- Plans for treating identified risks;
- Other plans that are found necessary for effective operation (e.g. plans for developing competence and increasing awareness, communication, performance evaluation, internal audits and management reviews).
The information security policy should state the information security objectives or provide a framework for setting the objectives. Security objectives can be expressed in various ways. The expression should be suitable to satisfy the need of being measurable (if practicable) (ISO/IEC 27001:2013, ).
For example, information security objectives can be expressed in terms of:
- Numerical values with their limits, e.g. “not exceed a given limit” and “reach level 4”;
- The targets for measurements of information security performance;
- The targets for measurements of the effectiveness of the ISMS;
- Compliance with ISO/IEC 27001;
- Compliance with ISMS procedures;
- The need to complete actions and plans;
- Risk criteria to be met.
The following guidance applies to the bullets addressed in the explanation above:
- The information security policy specifies the requirements for information security in an organization. All other specific requirements set for relevant functions and levels should be consistent with them. If the information security policy contains information security objectives, then any other specific information security objective should be linked to those in the information security policy. If the information security policy only provides the framework for setting objectives, then that framework should be followed and should ensure that more specific objectives are linked to the more generic ones;
- Not every objective can be made measurable, but making objectives measurable supports achievement and improvement. It is highly desirable to be able to describe, qualitatively or quantitatively, the degree to which an objective has been met, for instance to guide priorities for extra effort if objectives are not met, or to provide insight into opportunities for improved effectiveness if objectives are exceeded. It should be possible to know whether or not objectives are achieved, how achievement of objectives is determined, and whether it is possible to determine the degree of accomplishment of objectives using quantitative measurements. Quantitative descriptions of objective attainment should specify how the associated measurement is carried out. It may not be possible to quantitatively determine the degree of attainment of all objectives; ISO/IEC 27001 requires objectives to be measurable if practicable;
- Information security objectives should be aligned with information security needs; for this reason, risk assessment and risk treatment results should be used as inputs when setting information security objectives;
- Information security objectives should be communicated to the relevant internal interested parties of the organization. They may also be communicated to external interested parties, e.g. customers and stakeholders, to the extent that they need to understand and are affected by the information security objectives;
When information security needs change over time, the related security objectives should be updated accordingly. Their update should be communicated, as described for communication above, to internal and external interested parties as appropriate.
The organization should plan how to achieve its information security objectives. The organization may use any methodology or mechanism it chooses to plan for the achievement of its security objectives. There may be one information security plan, one or more project plans, or actions included in other organizational plans. Whatever form planning takes, the resulting plans should define:
- the activities to be done;
- the specified resources to be committed to execute the activities;
- the responsibilities;
- the timelines and milestones of activities;
- the methods and measurements used to evaluate whether the results achieve the objectives, including the timing of such evaluations.
ISO/IEC 27001 requires organizations to retain documented information on the information security objectives. Such documented information can include:
- plans, actions, resources, responsibilities, deadlines and evaluation methods;
- requirements, tasks, resources, responsibilities, evaluation frequency and methods.