Information Security Objectives and Planning to Achieve Them for ISO 27001
ISO 27001 Clause 6.2
This sub-clause requires the organisation to establish documented information security objectives at relevant functions and levels, consistent with the policy.
ISO 27001 Clause 6.2 - Information Security Objectives and Planning to Achieve Them
Information security objectives turn the commitments made in the policy into measurable targets. Clause 6.2 sets out what the objectives have to look like and what the organisation has to plan to achieve them. Both the objectives and the plan need to be documented.
What ISO 27001 Clause 6.2 Requires
The information security objectives must:

- be consistent with the information security policy;
- be measurable, where practicable;
- take account of applicable information security requirements and the results of risk assessment and risk treatment;
- be monitored;
- be communicated;
- be updated as appropriate;
- be available as documented information.
For each objective the organisation must determine what will be done, what resources will be needed, who will be responsible, when it will be completed and how the results will be evaluated. This is the "planning to achieve them" part of the clause and it is what turns objectives into something the organisation can actually deliver.
Setting Useful Information Security Objectives
Useful objectives are specific, measurable and tied to something the organisation actually wants to improve. "Improve information security" is not an objective. "Reduce the average time to patch critical vulnerabilities from 14 days to 7 days by the end of the year" is. The wording forces the organisation to be clear about what it is trying to achieve and how it will know whether it has done so.
Objectives can sit at different levels. There might be one or two top-level objectives that come from the strategic direction of the organisation, plus a set of more operational objectives at department or system level. The mix is for the organisation to decide. What the standard expects is that they are linked to the policy, traceable through to the risk assessment and risk treatment, and meaningful to the people responsible for delivering them.
Reviewing and Updating Objectives
Objectives are reviewed at the management review and updated when circumstances change. Achieving an objective is a result, not the end of the process - new objectives are set as old ones are met. The objectives register sits alongside the risk register and the treatment plan as a live document, not an annual paperwork exercise.
Two or three good objectives a year are worth more than ten that nobody owns. The objectives that get achieved are the ones with a clear owner, a clear deadline and a clear way of measuring whether they have been hit. Everything else tends to drift.
I check that the objectives are consistent with the policy and that they take account of the risk assessment results. If the risk assessment shows phishing as a top risk and there is no objective about phishing awareness or technical controls, the link is broken. The objectives have to come from somewhere, and that somewhere is the policy and the risk register.
Practical Compliance Guidance
Information security objectives are typically maintained in a single objectives register that records each objective, the measure used, the owner, the deadline and progress. The register is reviewed at management review and updated as objectives are completed or new ones are added.
The documents below support the setting and tracking of information security objectives.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Complete documentation set for ISO 27001:2022 including the objectives register and management review template. |
| F-Q11 Company Objectives | Objectives register that records each objective, the measure, owner, deadline and progress in line with the planning requirements of Clause 6.2. |
| F-Q3 Management Review | Management review template where objectives are reviewed for progress and updated as needed. |
Note - all the above files can be downloaded with an alphaZ subscription.
Frequently Asked Questions
UK Legislation
No UK legislation directly governs the setting of information security objectives. The policy commitments and the risk assessment results - which influence the objectives - are shaped by the legislation referenced under Clause 4.2.
