ExamSimul
  • Certifications
    • Agile
    • Agile Scrum
    • Business Continuity
    • CyberSecurity
      • ISO 27001
      • NIST
    • Design Thinking
    • DevOps
    • Enterprise Architecture
    • Governance System
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • Project Management
      • AgilePM
      • PM2
      • PRINCE2
      • PRINCE2 Agile
    • Service Management
      • FitSM
      • ISO 20000
      • ITIL
        • ITIL Foundation
        • ITIL Managing Professional
        • ITIL Strategic Leader
        • ITIL Practitioner
      • OpenSM
    • SW Testing
  • Exams
    • AgilePM®
    • Agile Scrum Product Owner®
    • Agile Scrum Master®
    • Design Thinking®
    • DevOps®
    • DORA Resilience
      • DORA Foundation
    • Enterprise Architecture
      • Exam Simulator for TOGAF® EA Foundation
    • FitSM®
    • ISO 20000
      • ISO 20k Foundation
      • ISO 20k Auditor
    • ISO 22301 Continuity
    • ISO 27001
      • ISO 27001 Foundation
      • ISO 27001 Auditor
      • ISO 27001 Lead Auditor
      • ISO 27701 Foundation
    • ISO 31000 Risk Mgmt
    • IT Governance
    • ITIL®
      • ITIL® Foundation
      • ITIL® Managing Professional
      • ITIL® Strategic Leader
      • ITIL® Practitioner
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • NIS 2 Cybersecurity
      • NIS 2 Foundation
    • NIST Privacy
      • NIST Privacy Foundation
    • OpenSM™
      • OpenSM Foundation
    • PM2®
      • PM2 Foundation
    • PRINCE2®
      • PRINCE2® Foundation
      • PRINCE2® Practitioner
    • PRINCE2® Agile
    • SW Testing
  • Courses
    • AgilePM
      • AgilePM® Foundation
      • AgilePM® Practitioner
    • Agile Scrum
      • Agile Scrum Master
    • Cloud Management
    • Design Thinking
      • DT Method® Foundation
    • DORA Cybersecurity
    • FitSM
      • FitSM Foundation
    • ISO/IEC 20000
      • ISO 20000 Foundation
      • ISO 20000 Auditor
      • ISO 20000 Practitioner
      • ISO 20000 Lead Auditor
    • ISO 22301 Continuity
      • ISO 22301 Foundation
    • ISO/IEC 27000
      • ISO 27001 Foundation
      • ISO 27001 Auditor
      • ISO 27001 Practitioner
      • ISO 27001 Lead Auditor
      • ISO 27032 Foundation
      • ISO 27035 Foundation
    • ISO 31000 Risk Mgmt
      • ISO 31000 Foundation
    • ITIL® 4
      • ITIL® 4 Foundation
      • ITIL® 4 Managing Professional
        • ITIL® 4 CDS
        • ITIL® 4 DSV
        • ITIL® 4 HVIT
        • ITIL® 4 DPI
      • ITIL® 4 Strategic Leader
        • ITIL® 4 DPI
        • ITIL® 4 DITS
      • ITIL® 4 Practitioner
        • ITIL® 4 Monitoring and Event Management
        • ITIL® 4 Incident Management
        • ITIL® 4 Problem Management
        • ITIL® 4 Service Desk
        • ITIL® 4 Service Request Management
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • NIS 2 Cybersecurity
    • OpenSM
      • OpenSM Foundation
    • PM2 EU Project
      • PM2® Foundation
    • PRINCE2®
      • PRINCE2® Foundation
      • PRINCE2® Practitioner
    • PRINCE2 Agile®
      • PRINCE2 Agile® Foundation
      • PRINCE2 Agile® Practitioner
    • Privacy
      • ISO 27701 Privacy Foundation
      • NIST Privacy Foundation
    • SW Testing
      • SW Testing Foundation
    • TOGAF®
      • TOGAF® EA Foundation
      • TOGAF® EA Practitioner
  • Resources
    • Academy
    • Examination Institute
      • APMG
      • Axelos
        • CPD Requirements
      • EXIN
      • GoToCertify
      • ISACA
      • PECB
      • Peoplecert
        • How to access eBook
        • How to book an Exam
        • How to renew ITIL certification
      • PMI
        • PDU to maintain PMI® certifications
        • Earn Education PDUs
      • The Open Group
        • Test Center
        • Online exam
    • Learning Delivery Methods
      • Online courses
      • Distant courses
      • In-house courses
      • ONE-to-ONE courses
      • Blended courses
      • Fully tailored courses
    • Exam Glossary
    • Exam Proctor
    • Tutor / Trainer
    • Download
    • Webinar
  • Blog
    • Learn
      • Agile
        • Agile History
        • Manifesto Agile
        • AgilePM
          • About AgilePM
          • Choosing DSDM
      • Design Thinking
        • Background
        • About Design Thinking
        • What is Design Thinking
        • Design Thinking Process
      • Enterprise Architecture
        • About TOGAF® Standard, 10th Edition
        • Structure of TOGAF® Standard, 10th Edition
        • Migration TOGAF® EA certification
      • ISO 27001
        • ISO 27001 Requirements
          • Clause 4
            • Requirements 4.1
            • Requirements 4.2
            • Requirements 4.3
            • Requirements 4.4
          • Clause 5
            • Requirements 5.1
            • Requirements 5.2
            • Requirements 5.3
          • Clause 6
            • Requirements 6.1
            • Requirements 6.2
          • Clause 7
            • Requirements 7.1
            • Requirements 7.2
            • Requirements 7.3
            • Requirements 7.4
            • Requirements 7.5
          • Clause 8
            • Requirements 8.1
            • Requirements 8.2
            • Requirements 8.3
          • Clause 9
            • Requirements 9.1
            • Requirements 9.2
            • Requirements 9.3
          • Clause 10
            • Requirements 10.1
            • Requirements 10.2
      • Lean Six Sigma
        • LSS Define Phase
          • The Basics of Six Sigma
            • Meanings of Six Sigma
            • History of Six Sigma
            • LSS Project Deliverables
            • y= f(x)
            • Voice of Customer
            • Six Sigma Teams
        • LSS Measure Phase
        • LSS Analyze Phase
        • LSS Improve Phase
        • LSS Control Phase
      • Project Management
        • PM2
      • Service Management
        • ISO/IEC 20000
          • ISO20k vs Practices
        • ITIL® 4
          • ITIL® 4 Roles based
          • ITIL® 4 Practices based
          • ITIL® 4 Certification guide
          • ITIL® 4 DITS Practical Assignments
    • News
      • Agile Scrum
      • Design Thinking
      • Enterprise Architecture
      • Examination Institute
      • Information Security
      • Project Management
      • Service Management
  • About Us
    • Why ExamSimul
    • Accreditations
    • Partner Program
    • Corporate Training
      • Training Points
    • Terms of Use
    • Privacy Policy
    • Contact Us

Signup  Login

Requirements 6.2

  • Home\
  • Blog \
  • Learn\
  • ISO 27001\
  • ISO 27001 Requirements\
  • Clause 6\
  • Requirements 6.2

How to do Requirement 6.2 of ISO 27001:2022?

You probably know why you want to implement your ISMS and have some top line organisation goals around what success looks like. The business case builder materials are a useful aid to that for the more strategic outcomes from your management system.

Clause 6.2 starts to make this more measurable and relevant to the activities around information security in particular for protecting confidentiality, integrity and availability (CIA) of the information assets in scope.

So in tackling this requirement it's important to have already understood the organisation and its context (4.1), determined the requirements of interested parties (4.2), established your scope (4.3) and at least started to carry out your risk assessment and treatment (6.1).

The requirement for 6.2 is:

"Establish information security objectives at relevant functions and levels, taking into account the information security requirements, results from risk assessment and treatment.

Determine what will be done, what resources are required, who will be responsible, when they will be completed and how results will be evaluated."

So this clause 6.2 of the standard essentially boils down to the question; 'How do you know if your information security management system is working as intended?'

How to Set Objectives for Requirement 6.2?

In considering the objectives you want from your information security management system, make sure that they are business focused and are things that will help you run a (more) secure, better-performing organisation rather than just tick boxes and look nice on a page. Think about what the interested parties will want to see measured and monitored as well.

For example, why are customers buying from you and what would they be worried about going wrong from an information security perspective?  What level of information assurance, what measures and monitoring would be important for them if they looked closely at your ISMS?

Concentrate on developing meaningful objectives, not just lots of measures or targets that will mean you spend all your time on administration and no value add for the organisation.

You may well already be measuring and monitoring your objectives so remember to consider what you are already doing as well as what might need more effort.  ISO are not trying to catch anyone out on the measurement side, they just want to be sure you are measuring what matters and many smart businesses will already be doing that implicitly if not more explicitly.

Tie your work here tightly with the management reviews in 9.3 and put your evidence of the results inside your management review board workspace, or link to it for ease in specific review meetings and audits.

You can demonstrate the results of your performance measurement in various ways, from using exports of your operations systems and if relevant using simple KPIs added within the management review workspace.

How to make Information Security Objectives Measurable & Actionable?

Building on the above, one measure of reliability success is in the availability of systems. So we have the objective (reliability of the service), a measure (uptime) then can set an uptime target, in this case of minimum 99.5% availability (which we continually achieve 100% against).

Then we considered the frequency of measurement, the owner responsible, and where the source of the data for measurement would come from for the evidence.

The source of that data is from the uptime logs. Some other more strategic metrics e.g. customer, auditor and stakeholder confidence in our ISMS overall are less frequently measured, more subjective in some respects but nonetheless important as part of the broader ISMS performance.

This is a great opportunity to develop metrics that matter for your organisation if not already done so. We encourage a fewer and better managed instead of lots and poorly managed approach. If your organisation has departments and specific areas of the business impacted differently with the confidentiality, integrity and availability (CIA) that would justify breaking down measures for each area, ISO would expect to see that breakdown as well as the high level more strategic metrics.

Other metrics that are also helpful for demonstrating CIA are also pretty obvious from some of the requirements set by ISO 27001 around managing incidents, risk assessments/reviews, improvements and corrective actions etc.

These include incident management tracking, improvements and corrective actions and a host of others too that make much of the objectives management a zero effort exercise instead of wasting time with spreadsheets and powerpoint.

How to Define Process & Responsibilities for Evaluation of Information Security Objectives?

Once you have defined your objectives, determined your measures, and their frequency for measurement, it's necessary to show how you will set about evaluating the results then take action for any required changes or improvements to your ISMS.

We put together a team of representatives from the senior management team to form the ISMS Board. The ISMS Board is responsible for setting the targets for each of the measures. Our Operations Director owns the objectives that affect the ISMS from a production and operations perspective.

The source data is delegated to relevant members of staff to evidence, all of which is pulled from existing systems and simply summarised into KPIs and statistics reporting that form a part of the regular management reviews in line with clause 9.3.

  • Learn
    Learn
    • Agile
      Agile
      • Agile History
      • Manifesto Agile
      • AgilePM
        AgilePM
        • About AgilePM
        • Choosing DSDM
    • Design Thinking
      Design Thinking
      • Background
      • About Design Thinking
      • What is Design Thinking
      • Design Thinking Process
    • Enterprise Architecture
      Enterprise Architecture
      • About TOGAF® Standard, 10th Edition
      • Structure of TOGAF® Standard, 10th Edition
      • Migration TOGAF® EA certification
    • ISO 27001
      ISO 27001
      • ISO 27001 Requirements
        ISO 27001 Requirements
        • Clause 4
          Clause 4
          • Requirements 4.1
          • Requirements 4.2
          • Requirements 4.3
          • Requirements 4.4
        • Clause 5
          Clause 5
          • Requirements 5.1
          • Requirements 5.2
          • Requirements 5.3
        • Clause 6
          Clause 6
          • Requirements 6.1
          • Requirements 6.2
        • Clause 7
          Clause 7
          • Requirements 7.1
          • Requirements 7.2
          • Requirements 7.3
          • Requirements 7.4
          • Requirements 7.5
        • Clause 8
          Clause 8
          • Requirements 8.1
          • Requirements 8.2
          • Requirements 8.3
        • Clause 9
          Clause 9
          • Requirements 9.1
          • Requirements 9.2
          • Requirements 9.3
        • Clause 10
          Clause 10
          • Requirements 10.1
          • Requirements 10.2
    • Lean Six Sigma
      Lean Six Sigma
      • LSS Define Phase
        LSS Define Phase
        • The Basics of Six Sigma
          The Basics of Six Sigma
          • Meanings of Six Sigma
          • History of Six Sigma
          • LSS Project Deliverables
          • y= f(x)
          • Voice of Customer
          • Six Sigma Teams
      • LSS Measure Phase
      • LSS Analyze Phase
      • LSS Improve Phase
      • LSS Control Phase
    • Project Management
      Project Management
      • PM2
    • Service Management
      Service Management
      • ISO/IEC 20000
        ISO/IEC 20000
        • ISO20k vs Practices
      • ITIL® 4
        ITIL® 4
        • ITIL® 4 Roles based
        • ITIL® 4 Practices based
        • ITIL® 4 Certification guide
        • ITIL® 4 DITS Practical Assignments
  • News
    News
    • Agile Scrum
    • Design Thinking
    • Enterprise Architecture
    • Examination Institute
    • Information Security
    • Project Management
    • Service Management
AgilePM® Practitioner with exam
AgilePM® Practitioner with exam
830.00‎€
View Details
Lean Six Sigma Yellow Belt with exam
Lean Six Sigma Yellow Belt with exam
345.00‎€
View Details
APMG ISO/IEC 27001 Foundation with exam
APMG ISO/IEC 27001 Foundation with exam
855.00‎€
View Details
AgilePM® Practitioner with exam
AgilePM® Practitioner with exam
830.00‎€
View Details

ExamSimul - is the training centre for the BITIL.COM group - an organization of professionals and senior experts whose main interest is the spread of knowledge and the application of methodologies Agile, Scrum, ITIL®, PRINCE2®, CobiT®, TOGAF®, Design Thinking and Standard International. [...]

Latest downloads

Cybersecurity Act
Cyber Resilience Act
Data Governance Act
09 ITIL 4 Master Brochure
ITIL 4 Case Study The Co-operative Group

Quick link

  • Course Catalogue
  • Academy
  • News
  • FAQs
  • Term of Use
  • Privacy Policy
  • Contact

Contact

Where we areEmail: info@examsimul.com
Linkedin: ExamSimul
2025 © Copyright ExamSimul - All Right Reserved
ITIL®, PRINCE2®, PRINCE2 Agile® are Registered Trade Marks of the PeopleCert group. IASSC Lean Six Sigma™ is trademark of the PeopleCert group. Used under licence from PeopleCert. All rights reserved. TOGAF® is a registered trademarks of The Open Group in the United States and other countries. COBIT® 2019 is a Registered Trade Marks of the Information Systems Audit and Control Association and the IT Governance Institute. AgilePM® is a registered trademark of Agile Business Consortium. All rights Reserved. The APMG International Scrum and Swirl Device logo is a trademark of The APM Group Limited, used under permission of The APM Group Limited. All rights reserved. APMG International ISO/IEC 20000™ is a trademark of The APM Group Limited. All rights reserved. APMG International ISO/IEC 27001™ is a trademark of The APM Group Limited. All rights reserved. FitSM® is a registered trademark of ITEMO e.V. DTMethod® is a registered trademark of Inprogress Sp.zo.o.
  • Certifications
    • Agile
    • Agile Scrum
    • Business Continuity
    • CyberSecurity
      • ISO 27001
      • NIST
    • Design Thinking
    • DevOps
    • Enterprise Architecture
    • Governance System
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • Project Management
      • AgilePM
      • PM2
      • PRINCE2
      • PRINCE2 Agile
    • Service Management
      • FitSM
      • ISO 20000
      • ITIL
        • ITIL Foundation
        • ITIL Managing Professional
        • ITIL Strategic Leader
        • ITIL Practitioner
      • OpenSM
    • SW Testing
  • Exams
    • AgilePM®
    • Agile Scrum Product Owner®
    • Agile Scrum Master®
    • Design Thinking®
    • DevOps®
    • DORA Resilience
      • DORA Foundation
    • Enterprise Architecture
      • Exam Simulator for TOGAF® EA Foundation
    • FitSM®
    • ISO 20000
      • ISO 20k Foundation
      • ISO 20k Auditor
    • ISO 22301 Continuity
    • ISO 27001
      • ISO 27001 Foundation
      • ISO 27001 Auditor
      • ISO 27001 Lead Auditor
      • ISO 27701 Foundation
    • ISO 31000 Risk Mgmt
    • IT Governance
    • ITIL®
      • ITIL® Foundation
      • ITIL® Managing Professional
      • ITIL® Strategic Leader
      • ITIL® Practitioner
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • NIS 2 Cybersecurity
      • NIS 2 Foundation
    • NIST Privacy
      • NIST Privacy Foundation
    • OpenSM™
      • OpenSM Foundation
    • PM2®
      • PM2 Foundation
    • PRINCE2®
      • PRINCE2® Foundation
      • PRINCE2® Practitioner
    • PRINCE2® Agile
    • SW Testing
  • Courses
    • AgilePM
      • AgilePM® Foundation
      • AgilePM® Practitioner
    • Agile Scrum
      • Agile Scrum Master
    • Cloud Management
    • Design Thinking
      • DT Method® Foundation
    • DORA Cybersecurity
    • FitSM
      • FitSM Foundation
    • ISO/IEC 20000
      • ISO 20000 Foundation
      • ISO 20000 Auditor
      • ISO 20000 Practitioner
      • ISO 20000 Lead Auditor
    • ISO 22301 Continuity
      • ISO 22301 Foundation
    • ISO/IEC 27000
      • ISO 27001 Foundation
      • ISO 27001 Auditor
      • ISO 27001 Practitioner
      • ISO 27001 Lead Auditor
      • ISO 27032 Foundation
      • ISO 27035 Foundation
    • ISO 31000 Risk Mgmt
      • ISO 31000 Foundation
    • ITIL® 4
      • ITIL® 4 Foundation
      • ITIL® 4 Managing Professional
        • ITIL® 4 CDS
        • ITIL® 4 DSV
        • ITIL® 4 HVIT
        • ITIL® 4 DPI
      • ITIL® 4 Strategic Leader
        • ITIL® 4 DPI
        • ITIL® 4 DITS
      • ITIL® 4 Practitioner
        • ITIL® 4 Monitoring and Event Management
        • ITIL® 4 Incident Management
        • ITIL® 4 Problem Management
        • ITIL® 4 Service Desk
        • ITIL® 4 Service Request Management
    • Lean Six Sigma
      • LSS Yellow Belt
      • LSS Green Belt
      • LSS Black Belt
    • NIS 2 Cybersecurity
    • OpenSM
      • OpenSM Foundation
    • PM2 EU Project
      • PM2® Foundation
    • PRINCE2®
      • PRINCE2® Foundation
      • PRINCE2® Practitioner
    • PRINCE2 Agile®
      • PRINCE2 Agile® Foundation
      • PRINCE2 Agile® Practitioner
    • Privacy
      • ISO 27701 Privacy Foundation
      • NIST Privacy Foundation
    • SW Testing
      • SW Testing Foundation
    • TOGAF®
      • TOGAF® EA Foundation
      • TOGAF® EA Practitioner
  • Resources
    • Academy
    • Examination Institute
      • APMG
      • Axelos
        • CPD Requirements
      • EXIN
      • GoToCertify
      • ISACA
      • PECB
      • Peoplecert
        • How to access eBook
        • How to book an Exam
        • How to renew ITIL certification
      • PMI
        • PDU to maintain PMI® certifications
        • Earn Education PDUs
      • The Open Group
        • Test Center
        • Online exam
    • Learning Delivery Methods
      • Online courses
      • Distant courses
      • In-house courses
      • ONE-to-ONE courses
      • Blended courses
      • Fully tailored courses
    • Exam Glossary
    • Exam Proctor
    • Tutor / Trainer
    • Download
    • Webinar
  • Blog
    • Learn
      • Agile
        • Agile History
        • Manifesto Agile
        • AgilePM
          • About AgilePM
          • Choosing DSDM
      • Design Thinking
        • Background
        • About Design Thinking
        • What is Design Thinking
        • Design Thinking Process
      • Enterprise Architecture
        • About TOGAF® Standard, 10th Edition
        • Structure of TOGAF® Standard, 10th Edition
        • Migration TOGAF® EA certification
      • ISO 27001
        • ISO 27001 Requirements
          • Clause 4
            • Requirements 4.1
            • Requirements 4.2
            • Requirements 4.3
            • Requirements 4.4
          • Clause 5
            • Requirements 5.1
            • Requirements 5.2
            • Requirements 5.3
          • Clause 6
            • Requirements 6.1
            • Requirements 6.2
          • Clause 7
            • Requirements 7.1
            • Requirements 7.2
            • Requirements 7.3
            • Requirements 7.4
            • Requirements 7.5
          • Clause 8
            • Requirements 8.1
            • Requirements 8.2
            • Requirements 8.3
          • Clause 9
            • Requirements 9.1
            • Requirements 9.2
            • Requirements 9.3
          • Clause 10
            • Requirements 10.1
            • Requirements 10.2
      • Lean Six Sigma
        • LSS Define Phase
          • The Basics of Six Sigma
            • Meanings of Six Sigma
            • History of Six Sigma
            • LSS Project Deliverables
            • y= f(x)
            • Voice of Customer
            • Six Sigma Teams
        • LSS Measure Phase
        • LSS Analyze Phase
        • LSS Improve Phase
        • LSS Control Phase
      • Project Management
        • PM2
      • Service Management
        • ISO/IEC 20000
          • ISO20k vs Practices
        • ITIL® 4
          • ITIL® 4 Roles based
          • ITIL® 4 Practices based
          • ITIL® 4 Certification guide
          • ITIL® 4 DITS Practical Assignments
    • News
      • Agile Scrum
      • Design Thinking
      • Enterprise Architecture
      • Examination Institute
      • Information Security
      • Project Management
      • Service Management
  • About Us
    • Why ExamSimul
    • Accreditations
    • Partner Program
    • Corporate Training
      • Training Points
    • Terms of Use
    • Privacy Policy
    • Contact Us
  0  - 0.00‎€
Your shopping cart is empty!
USD EUR GBP
Top

Sample Paper on Google

100% OFF Exam Simulator 

Immediate access to realistic exam sample questions

Rewarding Your Excellence in ITIL 4
Get Free ITIL4 Practitioner Exam Voucher
ONE-TIME ONLY OFFER
Get our Mock Exam for just 3 €uro/USD for the ISO 27001 Foundation!
Yes, I want... No thanks, I don't want...
This is the only time you will see this offer.
Course Catalogue Corporate Training Course Calendar Contact Us