How to do Requirement 6.2 of ISO 27001:2022?
You probably know why you want to implement your ISMS and have some top-line organisation goals around what success looks like. The business case builder materials are a useful aid to that for the more strategic outcomes from your management system.
Clause 6.2 starts to make this more measurable and relevant to the activities around information security, in particular for protecting the confidentiality, integrity and availability (CIA) of the information assets in scope.
So in tackling this requirement it's important to have already understood the organisation and its context (4.1), determined the requirements of interested parties (4.2), established your scope (4.3) and at least started to carry out your risk assessment and treatment (6.1).
The requirement for 6.2 is:
"Establish information security objectives at relevant functions and levels, taking into account the information security requirements, results from risk assessment and treatment.
Determine what will be done, what resources are required, who will be responsible, when they will be completed and how results will be evaluated."
So clause 6.2 of the standard essentially boils down to the question: 'How do you know if your information security management system is working as intended?'
How to Set Objectives for Requirement 6.2?
In considering the objectives you want from your information security management system, make sure that they are business focused and are things that will help you run a (more) secure, better-performing organisation rather than just tick boxes and look nice on a page. Think about what the interested parties will want to see measured and monitored as well.
For example, why are customers buying from you and what would they be worried about going wrong from an information security perspective? What level of information assurance, what measures and monitoring would be important for them if they looked closely at your ISMS?
Concentrate on developing meaningful objectives, not just lots of measures or targets that will mean you spend all your time on administration with no added value for the organisation.
You may well already be measuring and monitoring your objectives, so remember to consider what you are already doing as well as what might need more effort. ISO is not trying to catch anyone out on the measurement side; it just wants to be sure you are measuring what matters, and many smart businesses will already be doing that implicitly if not explicitly.
Tie your work here tightly with the management reviews in 9.3 and put your evidence of the results inside your management review board workspace, or link to it for ease in specific review meetings and audits.
You can demonstrate the results of your performance measurement in various ways, from exports of your operational systems to, where relevant, simple KPIs added within the management review workspace.
How to make Information Security Objectives Measurable & Actionable?
Building on the above, one measure of reliability is the availability of systems. So we have an objective (reliability of the service) and a measure (uptime), and can then set an uptime target, in this case a minimum of 99.5% availability (against which we continually achieve 100%).
Then we considered the frequency of measurement, the owner responsible, and where the source data for the measurement would come from as evidence.
The source of that data is the uptime logs. Some other, more strategic metrics, e.g. customer, auditor and stakeholder confidence in our ISMS overall, are measured less frequently and are more subjective in some respects, but are nonetheless important as part of the broader ISMS performance.
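To make the uptime objective above concrete, here is an added example (not code from the original article) that turns a constructed uptime log into the record a management review would want: availability for the period against the 99.5% target, the downtime budget that target implies, and the owner and data source, with an outage still open at period end counted rather than dropped. The Objective fields and the role name are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample uptime log (not real data): one line per state change, UP or DOWN.
SAMPLE_LOG = """\
2024-03-01T00:00:00 UP
2024-03-10T14:00:00 DOWN
2024-03-10T15:30:00 UP
2024-03-25T03:00:00 DOWN
2024-03-25T03:20:00 UP
"""
@dataclass
class Objective:
    """The clause 6.2 elements: what is measured, the target, frequency, owner, data source."""
    name: str
    measure: str
    target_pct: float   # minimum acceptable availability, e.g. 99.5
    frequency: str
    owner: str          # hypothetical role name used for this example
    source: str

RELIABILITY = Objective("Reliability of the service", "uptime", 99.5,
                        "monthly", "Operations Director", "uptime logs")
def parse_log(text):
    # (timestamp, state) events sorted by time
    return sorted((datetime.fromisoformat(ts), state)
                  for ts, state in (line.split() for line in text.splitlines()))

def downtime(events, start, end):
    """Sum DOWN time inside [start, end); a sentinel UP at `end` closes an outage still open."""
    down, down_since = timedelta(), None
    for ts, state in events + [(end, "UP")]:
        if state == "DOWN" and down_since is None:
            down_since = ts
        elif state == "UP" and down_since is not None:
            lo, hi = max(down_since, start), min(ts, end)   # clip the outage to the period
            down += max(hi - lo, timedelta())
            down_since = None
    return down

def evaluate(obj, events, period_start, period_end):
    """Build the record a clause 9.3 management review would see for one measurement period."""
    start, end = datetime.fromisoformat(period_start), datetime.fromisoformat(period_end)
    down, total = downtime(events, start, end), end - start
    actual = 100.0 * (1 - down / total)
    budget = total * (1 - obj.target_pct / 100)   # downtime the target still allows
    return {"objective": obj.name, "owner": obj.owner, "source": obj.source,
            "period": f"{period_start}..{period_end}", "target_pct": obj.target_pct,
            "downtime_minutes": int(down.total_seconds() // 60),
            "budget_minutes": int(budget.total_seconds() // 60),
            "actual_pct": round(actual, 3), "met": actual >= obj.target_pct}
```

Run `evaluate(RELIABILITY, parse_log(SAMPLE_LOG), "2024-03-01", "2024-04-01")` to get the March record; the same function serves any objective measured as a percentage of time.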
This is a great opportunity to develop metrics that matter for your organisation, if you have not already done so. We encourage a 'fewer and better managed' approach rather than 'lots and poorly managed'. If your organisation has departments or specific areas of the business whose confidentiality, integrity and availability (CIA) needs differ enough to justify breaking down measures for each area, ISO would expect to see that breakdown as well as the high-level, more strategic metrics.
Other metrics that are helpful for demonstrating CIA are also fairly obvious from some of the requirements set by ISO 27001 around managing incidents, risk assessments/reviews, improvements and corrective actions, etc.
These include incident management tracking, improvements and corrective actions, and a host of others that make much of the objectives management a near zero-effort exercise instead of wasting time on spreadsheets and PowerPoint.
How to Define Process & Responsibilities for Evaluation of Information Security Objectives?
Once you have defined your objectives and determined your measures and their frequency of measurement, it's necessary to show how you will set about evaluating the results and then take action on any required changes or improvements to your ISMS.
We put together a team of representatives from the senior management team to form the ISMS Board. The ISMS Board is responsible for setting the targets for each of the measures. Our Operations Director owns the objectives that affect the ISMS from a production and operations perspective.
The source data is delegated to relevant members of staff to evidence, all of which is pulled from existing systems and simply summarised into KPIs and statistics reporting that form a part of the regular management reviews in line with clause 9.3.