ISO 27001 CLAUSE 6.2 Information security objectives & planning | Infosavvy
Information security objectives and planning to achieve them
Required activity
The organization establishes information security objectives, and plans to achieve them, at relevant functions and levels.
Implementation Guideline
Information security objectives help to implement the strategic goals of an organization as well as to implement the information security policy. Objectives in an ISMS are therefore the information security objectives for the confidentiality, integrity and availability of information. Information security objectives also help to specify and measure the performance of information security controls and processes, in accordance with the information security policy.
The organization plans, establishes and issues information security objectives to relevant functions and levels.
The requirements in ISO/IEC 27001 concerning information security objectives apply to all information security objectives. If the information security policy contains objectives, then those objectives are required to satisfy the standard. If the policy contains a framework for setting objectives, then the objectives produced by that framework are required to satisfy it.
Requirements to be taken into consideration when establishing objectives are those determined when understanding the organization and its context, as well as the needs and expectations of interested parties.
The results from risk assessments and risk treatments are used as input to the ongoing review of objectives, to make sure that they continue to be appropriate to the circumstances of the organization. Information security objectives are in turn inputs to risk assessment: the risk acceptance criteria and the criteria for performing information security risk assessments take these objectives into account, and thus ensure that the levels of risk are aligned with them.
Information security objectives as per ISO/IEC 27001 are:
- Consistent with the information security policy;
- Measurable if practicable; this means that it is important to be able to determine whether or not an objective has been met;
- Linked to applicable information security requirements, and to the results of risk assessment and risk treatment;
- Communicated;
- Updated as appropriate.
The organization retains documented information on the information security objectives.
When planning how to achieve its information security objectives, the organization determines:
- What will be done;
- What resources will be required;
- Who will be responsible;
- When it will be completed;
- How the results will be evaluated.
The above requirement concerning planning is generic and applicable to other plans required by ISO/IEC 27001. Plans to consider for an ISMS include:
- Plans for improving the ISMS;
- Plans for treating identified risks;
- Any other plans found necessary for effective operation (e.g. plans for developing competence and increasing awareness, communication, performance evaluation, internal audits and management reviews).
The information security policy should state the information security objectives or provide a framework for setting them. Security objectives can be expressed in various ways. The form of expression should be suitable to satisfy the requirement of being measurable (if practicable) (ISO/IEC 27001:2013, ).
For example, information security objectives can be expressed in terms of:
- Numerical values with their limits, e.g. "not exceed a particular limit" and "reach level 4";
- Targets for measurements of information security performance;
- The targets for measurements of the effectiveness of the ISMS;
- Compliance with ISO/IEC 27001;
- Compliance with ISMS procedures;
- The necessity to complete actions and plans;
- Risk criteria to be met.
The following guidance applies to the bullets addressed in the explanation above:
- The information security policy specifies the requirements for information security in an organization. All other specific requirements set for relevant functions and levels should be consistent with them. If the information security policy contains information security objectives, then any other specific information security objective should be linked to those in the policy. If the information security policy only provides the framework for setting objectives, then that framework should be followed and should ensure that the more specific objectives are linked to the more generic ones;
- Not every objective can be measurable, but making objectives measurable supports achievement and improvement. It is highly desirable to be able to describe, qualitatively or quantitatively, the degree to which an objective has been met, for instance to guide priorities for extra effort if objectives are not met, or to provide insights into opportunities for improved effectiveness if objectives are exceeded. It should be possible to know whether or not objectives are achieved, how achievement is determined, and whether the degree of accomplishment can be determined using quantitative measurements. Quantitative descriptions of objective attainment should specify how the associated measurement is performed. It may not be possible to quantitatively determine the degree of attainment of all objectives; ISO/IEC 27001 requires objectives to be measurable if practicable;
- Information security objectives should be aligned with information security needs; for this reason, risk assessment and risk treatment results should be used as inputs when setting information security objectives;
- Information security objectives should be communicated to the relevant internal interested parties of the organization. They may also be communicated to external interested parties, e.g. customers and other stakeholders, to the extent that they need to know them and are affected by the information security objectives.
Get to know more- https://www.info-savvy.com/iso-27001-clause-6-2-information-security-objectives-and-planning-to-achieve-them/
--------------------------------------------------------------------------------------------------------------------------------
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com