ISO 27001 CLAUSE 6.2 Information security objectives & planning | Infosavvy

-
Information security objectives and planning to achieve them


Required activity

The organization establishes information security objectives and plans to realize them at relevant functions and levels.

Implementation Guideline

Information security objectives help to implement strategic goals of a corporation also on implement the knowledge security policy. Thereby, objectives in an ISMS are the knowledge security objectives for confidentiality, integrity and availability of data. Information security objectives also help to specify and measure the performance of data security controls and processes, in accordance with the knowledge security policy.
The organization plans establishes and issues information security objectives to relevant functions and levels.
Requirements in ISO/IEC 27001 concerning information security objectives apply to all or any information security objectives. If the knowledge security policy contains objectives, then those objectives are required to satisfy the standards. If the policy contains a framework for setting objectives, then the objectives produced by that framework are required to that can be satisfy .
Requirements to be taken under consideration when establishing objectives are those determined when understanding the organization and its context also because the needs and expectations of interested parties.
The results from risk assessments and risk treatments are used as input to the on-going review of objectives to make sure that they continue to be appropriate to the circumstances of a corporation Information security objectives are inputs for risk assessment: risk acceptance criteria and criteria for performing information security risk assessments take under consideration these security objectives and thus make sure that levels of risk are aligned with them.
Information security objectives as per ISO/IEC 27001 are:
  • According to the knowledge security policy;
  • Measurable if practicable; this suggests that it’s important to be ready to determine whether or not an objective has been met;
  • Connected to applicable information security requirements, and results from risk assessment and risk treatment;
  • communicated;
  • Updated as appropriate;
    The organization retains documented information on the knowledge security objectives.
When planning the way to achieve its information security objectives, the organization determines:
  • What is going to be done;
  • What resources are going to be required;
  • Who are going to be responsible;
  • When it’ll be completed;
  • How the results are going to be evaluated;
The above requirement concerning planning is generic and applicable to other plans required by ISO/IEC 27001. Plans to think about for an ISMS include:
  • Plans for improving the ISMS;
  • Plans for treating identified risks;
  • The other plans that are found necessary for effective operation (e.g. plans for developing competence and increasing awareness, communication, performance evaluation, internal audits and management reviews).
The information security policy should state the knowledge security objectives or provide a framework for setting the objectives. Security objectives are often expressed in various ways. The expression should be suitable to satisfy the need of being measurable (if practicable) (ISO/IEC 27001:2013, ).
For example, information security objectives are often expressed in terms of:
  • Numerical values with their limits, e.g. “not re-evaluate a particular limit”, and “reach level 4”;
  • The targets for measurements of data security performance;
  • The targets for measurements of the effectiveness of the ISMS;
  • Compliance with ISO/IEC 27001;
  • Compliance with ISMS procedures;
  • The necessity to finish actions and plans;
  • Risk criteria to be met.
The following guidance applies to the bullets addressed within the explanation:
  • The knowledge security policy specifies the wants for information security in a corporation. All other specific requirements set for relevant functions and levels should be according to them. If the knowledge security policy has information security objectives, then the other specific information security objective should be linked to those within the information security policy. If the knowledge security policy only provides the framework for setting objectives, then that framework should be followed and will make sure that more specific objectives are linked to the more generic ones;
  • Not every objectives are often measurable, but making objectives measurable supports achievement and improvement. it’s highly desirable to be ready to describe, qualitatively or quantitatively, the degree to which an objective has been met. for instance, to guide priorities for extra effort if objectives aren’t met, or to supply insights into opportunities for improved effectiveness if objectives are exceeded. It should be possible to know whether or not they are achieved or not, how achievement of objectives is decided, and whether it’s possible to work out the degree of accomplishment of objectives using quantitative measurements. Quantitative descriptions of objective attainment should specify how associated measurement is completed. it’s going to not be possible to quantitatively determine the degree of attainment of all objectives. ISO/IEC 27001 requires objectives to be measurable if practicable;
  • Information security objectives should be aligned with information security needs; for this reason, risk assessment and treatment results should be used as inputs when setting information security objectives;
  • Information security objectives should be communicated to relevant internal interested parties of the organization. they’ll even be communicated to external interested parties, e.g. customers, stakeholders, to the extent they have to understand and are suffering from the knowledge security objectives;

--------------------------------------------------------------------------------------------------------------------------------
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com

Comments

Post a Comment

Popular posts from this blog

ISO 27001 Annex : A.5 Information Security Policies

-
Image
5. 1  Management direction for information security ISO 27001 Annex : A.5 Information Security Policies, Its objective is to provide management guidance and  information security  assistance in accordance with business requirements and relevant laws and regulations. 5.1.1 Policies for Information Security Control-   A set of information security policies should be established, managed accepted, published and communicated to the employees and related external parties. Implementation Guidance-  At the very least companies need to identify a management-approved “information security strategy,” which outlines the organization’s approach to managing its information security goals. Information security policies should meet criteria that have been created by: Business strategy; Regulations, legislation and contracts; The present and projected  information security threat  environment Related Product :   ISO 27001 Lead Auditor Training And Certification ISMS The informa
Read more

Top 5 Key Elements of an Information Security

-
Image
Top 5 Key Elements of an Information Security and its critical elements, including systems and hardware that use, store, and transmit that information. Necessary tools: policy, awareness, training, education, technology etc. IS is the application of measures to ensure the safety and privacy of data by managing its storage and distribution. Information security has both technical and also social implications. Information security system is the process of protecting and securing the data from unauthorized access, disclosure, destruction or disruption. An organization that attempt to compose a operating ISP must have well-defined objectives regarding  security  And strategy. On that management have reached an agreement. Any existing dissonances during this context could render the data security policy project dysfunctional. The foremost necessary factor that a security skilled should bear in mind is that his knowing. The protection management practices would allow him to include t
Read more

10 Secrets You Will Never Know About Cyber Security And Its Important

-
Image
Know about Cyber Security Whether you’re a techie or not, there’s a good chance that your life is very reliant on the net and its wonders. Your social media accounts are likely humming, and you recognize your way round the IOT devices you employ . All of those devices connect you to the cyber world in a method or another. Here are 12 things to understand about  cyber security . And once you are sharing such a lot of your data online daily, you may also care about your cyber security.  If you’ve always thought cyber security are a few things only big companies got to care about change your mind, now. Cyber security is as critical on a private level, because it is on a company’s level. Besides, there’s hardly any job or profession, that’s not supported technology. With  jobs or a career in mind , you need to understand what threatens your security online and what you’ll be able to do to stay your data secure. 1  You’re a target to hackers Don’t ever say “It won’t happen t
Read more