
ISO 27001 Clause 6.2: Information security objectives and planning to achieve them

Establishing clear, measurable information security objectives is critical for organisations seeking ISO 27001 certification. Clause 6.2 of the standard outlines specific requirements for setting, monitoring, and achieving information security goals. This post will explore practical strategies for implementing ISO 27001 Clause 6.2, particularly for startups, small businesses, and remote teams.

Overview of Clause 6.2 Requirements

First, let’s briefly summarise the key requirements in Clause 6.2:

  • Information security objectives must align with the overall information security policy.
  • Objectives should be measurable whenever possible.
  • Objectives must consider relevant security requirements, risks, and risk treatment plans.
  • Progress on objectives should be monitored and communicated.
  • Objectives should be updated as needed.
  • Documented information on the objectives must be retained.

When planning how to meet objectives, you must also define:

  • Tasks to be completed
  • Necessary resources
  • Responsible parties
  • Timeframes
  • How results will be evaluated

Simply put, Clause 6.2 ensures that information security objectives are methodical, tracked, and revisited.

Crafting Meaningful Objectives for Startups and Small Businesses

Many smaller organisations struggle to develop objectives that meet ISO 27001’s expectations. Ambiguous or immeasurable goals lead to confusion and inadequate follow-through.

When writing information security objectives, consider these tips:

🔑 Use the SMART framework

SMART is an acronym for objectives that are:

  • Specific
  • Measurable
  • Achievable
  • Relevant
  • Time-bound

For example, a vague objective and its SMART rewrite:

Vague: Improve data security

SMART: Enforce TLS for all customer data in transit, and enable encryption at rest for the customer database, by the end of Q3

Note that TLS only protects data in transit; an objective that also covers data at rest has to name a separate control, such as database or disk encryption.

🔑 Set quantitative targets

Include specific metrics or percentages to track progress.

Vague: Reduce phishing risk

SMART: Reduce the proportion of staff who submit credentials in phishing simulations to below 2% of recipients within 1 year

🔑 Assign ownership

Identify the individual or team responsible for achieving each objective.

Vague: Improve malware prevention

SMART: The IT team will deploy automated malware detection and response on all company endpoints by Q2, detecting and containing 95% of malware incidents within 1 hour

🔑 Allocate resources

Consider the budget, tools, and workforce needed to meet goals.

Vague: Minimise data loss incidents

SMART: Invest $20,000 in expanded DLP capabilities and staff training by the end of the year to reduce data exposure events by 60% compared with the previous year

Key Focus Areas for Startups and Small Businesses

Information security objectives should directly address your organisation’s unique risks and priorities. However, several categories tend to be particularly relevant for small and emerging organisations:

Securing Customer Data

  • Implement encryption to protect sensitive customer data at rest and in transit.
  • Minimise vulnerabilities that could expose customer PII or financial information.
  • Reduce the risk of breaches involving loss of client data.

Protecting Intellectual Property

  • Systematically identify and classify high-value IP like source code and product designs.
  • Improve access controls around source code repositories and project management systems.
  • Reduce insider threat risk related to theft of proprietary information.

Preventing Operational Disruption

  • Achieve 99.9% uptime for revenue-critical SaaS platforms and websites.
  • Recover from any outage within 1 hour through redundancy and tested backups.
  • Prevent ransomware or malware incidents that could impede operations.

Maintaining Compliance

  • Maintain compliant security controls and processes for the other frameworks you are subject to, such as SOC 2 or PCI DSS.
  • Pass annual audits and certifications through continuous improvement.
  • Reduce audit findings by 25% year-over-year.

Tips for Remote and Distributed Teams

Globally distributed teams face unique challenges in defining and achieving information security objectives. Consider these suggestions:

Centralise Security Ownership

Appoint a Head of Security or dedicated security team to coordinate objectives across the organisation. Don’t leave responsibility fully distributed.

Standardise Policies Globally

Avoid fragmented rules that vary by office or region. Take a consistent, centralised approach to security policies and their supporting objectives.

Prioritise Secure Collaboration

Focus objectives on protecting communication and collaboration tools and the data shared through them, and remove region-specific obstacles (different tools, different rules) that get in the way of a single standard.

Automate Everything

Minimise the need for manual coordination around security controls across time zones. Automated policy enforcement, such as device compliance checks and configuration management, is essential.

Verify Identity Rigorously

Prevent unauthorised access by verifying identity stringently for remote employees. MFA (ideally phishing-resistant methods such as FIDO2 security keys), device-based context such as managed-device checks, and behavioural analysis all help.

Segment Access Carefully

Restrict access to data and systems based on geographic location, role, and other variables. Prevent overexposed assets.

Key Metrics to Track Progress

Once you’ve defined security objectives, you need meaningful metrics to monitor their achievement. Consider tracking:

  • Percentage uptime for revenue-critical systems
  • Time to recover from incidents
  • Frequency and severity of security incidents and data breaches
  • Number and age of open vulnerabilities by severity, from scans over time
  • Percentage of sensitive data stores encrypted at rest, and of connections using TLS
  • Click and credential-submission rates in phishing and social engineering tests
  • Audit findings and deficiencies year-over-year
  • Accuracy and completeness of asset inventories
  • Time to patch critical vulnerabilities against the agreed SLA
  • Mean time to detect and mean time to respond to threats

The specific metrics will vary based on your organisation’s maturity, industry, and risk profile. The key is choosing quantifiable, actionable measures.
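As an added example (not code from the original post), the following Python script computes four of the metrics above from constructed sample records and checks each against the target stated in an objective. The 2% phishing threshold, 99.9% uptime and 1-hour recovery figures reuse the objectives quoted earlier in this post; the 14-day patch SLA, the 90% patch target, the "as of" date and the sample records themselves are assumptions made for illustration.

```python
# Added example, not from the original post: compute several of the
# metrics listed above from constructed sample records and check each
# against the target written into a Clause 6.2-style objective.
from datetime import datetime, timedelta

# Constructed sample data for illustration only (not real measurements).
PHISHING_CAMPAIGNS = [  # "compromised" = clicked and submitted credentials
    {"campaign": "2024-Q1", "recipients": 200, "compromised": 5},
    {"campaign": "2024-Q2", "recipients": 200, "compromised": 1},
]

CRITICAL_VULNS = [  # ISO dates; "fixed" is None while the finding is open
    {"id": "V-1", "found": "2024-03-01", "fixed": "2024-03-05"},
    {"id": "V-2", "found": "2024-03-10", "fixed": "2024-04-02"},
    {"id": "V-3", "found": "2024-05-20", "fixed": "2024-05-30"},
    {"id": "V-4", "found": "2024-06-01", "fixed": None},
    {"id": "V-5", "found": "2024-06-25", "fixed": None},
]

OUTAGES = [  # start and end of each outage of the revenue-critical platform
    {"start": "2024-01-10T02:00:00", "end": "2024-01-10T02:40:00"},
    {"start": "2024-02-22T14:10:00", "end": "2024-02-22T15:00:00"},
]


def phishing_failure_rate(campaigns) -> float:
    """Percentage of all recipients compromised across campaigns, weighted by size."""
    recipients = sum(c["recipients"] for c in campaigns)
    compromised = sum(c["compromised"] for c in campaigns)
    return 100.0 * compromised / recipients


def critical_patch_sla_rate(vulns, sla_days: int, as_of: str) -> float:
    """Percentage of critical vulnerabilities fixed within sla_days.
    An open finding counts as a miss once it is older than the SLA; a finding
    still inside its SLA window is not judged yet and is left out entirely."""
    today = datetime.fromisoformat(as_of)
    within = counted = 0
    for v in vulns:
        found = datetime.fromisoformat(v["found"])
        if v["fixed"] is None:
            if today - found <= timedelta(days=sla_days):
                continue  # not yet overdue
            counted += 1  # overdue and still open: a miss
        else:
            counted += 1
            if datetime.fromisoformat(v["fixed"]) - found <= timedelta(days=sla_days):
                within += 1
    return 100.0 * within / counted if counted else 100.0


def availability_percent(outages, period_start: str, period_end: str) -> float:
    """Uptime over the period as a percentage, derived from recorded outages."""
    period = datetime.fromisoformat(period_end) - datetime.fromisoformat(period_start)
    down = sum(
        (datetime.fromisoformat(o["end"]) - datetime.fromisoformat(o["start"]) for o in outages),
        timedelta(),
    )
    return 100.0 * (1 - down / period)


def mean_time_to_recover_minutes(outages) -> float:
    """Mean outage duration in minutes, a simple time-to-recover figure."""
    minutes = [
        (datetime.fromisoformat(o["end"]) - datetime.fromisoformat(o["start"])).total_seconds() / 60
        for o in outages
    ]
    return sum(minutes) / len(minutes)


def evaluate_objectives(measurements: dict, targets: dict) -> dict:
    """targets maps metric name -> (comparison, threshold), e.g. ("<", 2.0).
    Returns metric name -> True when the objective is currently met."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}
    return {name: ops[op](measurements[name], thr) for name, (op, thr) in targets.items()}


def report(as_of: str = "2024-06-30") -> dict:
    """Measure each metric and compare it with its objective's target."""
    measurements = {
        "phishing_failure_pct": phishing_failure_rate(PHISHING_CAMPAIGNS),
        "critical_patch_sla_pct": critical_patch_sla_rate(CRITICAL_VULNS, sla_days=14, as_of=as_of),
        "availability_pct": availability_percent(OUTAGES, "2024-01-01", "2024-04-01"),
        "mttr_minutes": mean_time_to_recover_minutes(OUTAGES),
    }
    targets = {
        "phishing_failure_pct": ("<", 2.0),      # from the phishing objective above
        "critical_patch_sla_pct": (">=", 90.0),  # assumed target for the 14-day SLA
        "availability_pct": (">=", 99.9),        # from the uptime objective above
        "mttr_minutes": ("<=", 60.0),            # from the 1-hour recovery objective
    }
    return {"measurements": measurements, "met": evaluate_objectives(measurements, targets)}


if __name__ == "__main__":
    result = report()
    for name, met in result["met"].items():
        print(f"{name:24s} {result['measurements'][name]:8.2f}  {'MET' if met else 'NOT MET'}")
```

The point of the unfixed-but-not-yet-overdue rule in `critical_patch_sla_rate` is that a metric reported mid-period should not flatter itself by counting fresh findings as successes, nor punish the team for work that is still inside its SLA; whichever convention you pick, write it into the objective so the number means the same thing at every review.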

Maintaining Relevant, Achievable Objectives

Clause 6.2 requires regular review and updating of information security objectives over time. To keep objectives meaningful, consider:

🔑 Review objectives at least annually: Revisit objectives each year, and sooner when the risk assessment or risk treatment plan changes materially. Update them based on learnings, new priorities, and changes in risk.

🔑 Learn from audits: Let internal and external audits guide your objectives. Eliminate audit findings by turning them into goals for improvement.

🔑 Evolve with the business: As your organisation grows and changes, update objectives to address new activities, technologies, and risks.

🔑 Simplify and consolidate: Don’t let your objective list become overly extensive. Streamline it as processes mature.

🔑 Celebrate successes: Recognise teams who meet objectives. This builds engagement and culture around security goals.

Summary/Key Points

  • Clause 6.2 of ISO 27001 requires organisations to establish clear, measurable information security objectives.
  • Practical objectives follow a SMART framework: specific, measurable, achievable, relevant and time-bound.
  • Regularly updating objectives based on risks, audits, and business changes is essential.
  • For startups and small businesses, key focus areas include securing customer data, protecting IP, preventing outages, and maintaining compliance.
  • Centralising ownership, automating enforcement, and rigorously verifying identity help for global teams.
  • Tracking progress with metrics like uptime, breach frequency, and audit findings is critical.
