
ISO 27001 Requirement 6.2 – Information Security Objectives & Planning to Achieve Them

By Mark Sharron | Updated 14 December 2023

You probably already know why you want to implement an ISMS and have some top-line organisational goals describing what success looks like. Clause 6.2 makes this measurable and ties it to the information security activities that protect the confidentiality, integrity and availability (CIA) of the information assets in scope.

What does Clause 6.2 involve?

Before tackling this requirement you should already have understood the organisation and its context (4.1), determined the requirements of interested parties (4.2), established your scope (4.3) and at least started your risk assessment and treatment (6.1).

In summary, Clause 6.2 requires you to establish applicable (and, if practicable, measurable) information security objectives, taking into account the information security requirements and the results of risk assessment and treatment, and to determine what will be done, what resources are required, who will be responsible, when it will be completed and how the results will be evaluated. The 2022 edition also requires the objectives to be monitored and to be available as documented information.

So clause 6.2 essentially boils down to one question: how do you know whether your information security management system is working as intended?


How to set objectives for 6.2

In considering the objectives you want from your information security management system, make sure they are business focused: things that help you run a more secure, better-performing organisation, rather than boxes to tick that look nice on a page. Think about what interested parties will want to see measured and monitored as well.

For example, why are customers buying from you and what would they be worried about going wrong from an information security perspective? What level of information assurance, what measures and monitoring would be important for them if they looked closely at your ISMS?

Concentrate on developing meaningful objectives rather than lots of measures or targets that mean you spend all your time on administration and add no value for the organisation.

You may well already be measuring and monitoring your objectives, so consider what you are already doing as well as what needs more effort. ISO is not trying to catch anyone out on measurement; the aim is to be sure you are measuring what matters, and many well-run businesses already do that implicitly if not explicitly.

Tie this work tightly to the management reviews in 9.3 and keep the evidence of results in your management review board workspace, or link to it, for ease of use in review meetings and audits.

You can demonstrate performance measurement results in various ways: exports from your operational systems, the automated reporting across ISMS.online (e.g. for incidents) and, where relevant, simple KPIs added within the management review workspace.

At Alliantist, the software and services company behind ISMS.online, we came up with around seven information security objectives, one of which is:

“Delivery of a secure, reliable cloud service for users (and other interested parties) who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information.”

When you break just that one objective down, a number of measurable, actionable areas spring from it. For example:

  • Secure – what does that mean in terms of confidentiality and integrity?
  • Reliable – what does that mean in terms of availability of the secure cloud software service?

How to make information security objectives measurable & actionable

Building on the above, one measure of reliability success for Alliantist is the availability of systems like ISMS.online for customers to use. So we have the objective (reliability of the service) and a measure (uptime), and can then set an uptime target, in this case a minimum of 99.5% availability (which we continually achieve 100% against).

Then we considered the frequency of measurement, the owner responsible and the source of the data that would evidence the measurement. We added that into ISMS.online as a KPI that is addressed as part of the management reviews and, because it is a fundamental metric for our software service, is also continuously monitored operationally.

The source of that data is the uptime logs. For the figure to be reproducible and auditable, define what counts as downtime (e.g. a failed health check, and whether planned maintenance is excluded) and the period over which the percentage is calculated. Some other, more strategic metrics, e.g. customer, auditor and stakeholder confidence in our ISMS overall, are measured less frequently and are more subjective in some respects, but are nonetheless important to the broader picture of ISMS performance.
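As an added illustration (not code from ISMS.online or from the article), the following Python script turns the uptime objective above into a reproducible KPI: it reads availability-probe log lines, treats any time without "up" evidence as downtime, calculates availability over a fixed reporting period and checks the result against the 99.5% target, including the downtime budget that target implies. The log format, the one-day period and the probe results are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample probe log (not real ISMS.online data): each line is the
# UTC time a health check ran and whether the service answered. A status is
# assumed to hold until the next probe, so the gap after a "down" line is the
# outage length. This log contains two outages: 6 minutes and 2 minutes.
PROBE_LOG = """\
# timestamp            status
2023-12-01T00:00:00Z up
2023-12-01T09:30:00Z down
2023-12-01T09:36:00Z up
2023-12-01T18:00:00Z down
2023-12-01T18:02:00Z up
"""

# Reporting period (assumed): one calendar day, matching a daily measurement frequency.
PERIOD_START = datetime(2023, 12, 1, tzinfo=timezone.utc)
PERIOD_END = datetime(2023, 12, 2, tzinfo=timezone.utc)


def parse_probe_log(text: str) -> list[tuple[datetime, bool]]:
    """Parse 'ISO-8601Z status' lines into (timestamp, is_up) pairs, sorted by time."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, status = line.split()
        if status not in ("up", "down"):
            raise ValueError(f"unknown status {status!r} in line {line!r}")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append((when, status == "up"))
    return sorted(entries)


def uptime_seconds(entries, period_start, period_end) -> float:
    """Seconds inside the period for which the most recent probe reported 'up'.

    Time before the first probe (no evidence either way) is counted as down, so
    a gap in monitoring lowers the figure instead of quietly inflating it.
    """
    up = 0.0
    for i, (when, is_up) in enumerate(entries):
        until = entries[i + 1][0] if i + 1 < len(entries) else period_end
        start, end = max(when, period_start), min(until, period_end)
        if is_up and end > start:
            up += (end - start).total_seconds()
    return up


@dataclass
class KpiResult:
    objective: str
    measure: str
    target_pct: float
    actual_pct: float
    downtime_minutes: float
    allowed_downtime_minutes: float  # the downtime budget implied by the target
    met: bool


def evaluate_uptime_kpi(entries, period_start, period_end, target_pct=99.5) -> KpiResult:
    """Compare measured availability with the target for one reporting period."""
    total = (period_end - period_start).total_seconds()
    if total <= 0:
        raise ValueError("period_end must be after period_start")
    up = uptime_seconds(entries, period_start, period_end)
    actual_pct = 100.0 * up / total
    return KpiResult(
        objective="Reliable cloud service (availability)",
        measure="uptime % over the reporting period",
        target_pct=target_pct,
        actual_pct=actual_pct,
        downtime_minutes=(total - up) / 60,
        allowed_downtime_minutes=total * (100 - target_pct) / 100 / 60,
        met=actual_pct >= target_pct,
    )


if __name__ == "__main__":
    result = evaluate_uptime_kpi(parse_probe_log(PROBE_LOG), PERIOD_START, PERIOD_END)
    print(f"{result.measure}: {result.actual_pct:.3f}% (target {result.target_pct}%)")
    print(f"downtime {result.downtime_minutes:.1f} min, "
          f"budget {result.allowed_downtime_minutes:.1f} min, met={result.met}")
```

On the sample data the two short outages add up to 8 minutes against a 7.2-minute daily budget at 99.5%, so the KPI is missed even though each outage on its own looks trivial; that is exactly the kind of result a management review needs to see with its evidence attached. Counting unmonitored time as down is a deliberate choice: it means a broken probe cannot make the number look better.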

This is a great opportunity to develop metrics that matter for your organisation, if you have not already. We encourage fewer, better-managed measures over many, poorly managed ones. If departments or specific areas of the business are affected differently by confidentiality, integrity and availability (CIA) requirements, that would justify breaking the measures down by area, and ISO would expect to see that breakdown as well as the higher-level, more strategic metrics.

Other metrics that help demonstrate CIA follow fairly obviously from ISO 27001's requirements around managing incidents, risk assessments and reviews, improvements and corrective actions, and so on. ISMS.online has a number of tools that automatically provide performance statistics that help demonstrate effective performance of the ISMS.

These include incident management tracking, improvements and corrective actions and a host of others that make much of objectives management a near-zero-effort exercise rather than time spent on spreadsheets and PowerPoint.


How to define process & responsibilities for evaluation of information security objectives

Once you have defined your objectives and determined your measures and their measurement frequency, you need to show how you will evaluate the results and then act on any required changes or improvements to your ISMS.

At Alliantist we put together a team of representatives from the senior management team to form the ISMS Board. The ISMS Board is responsible for setting the targets for each of the measures. Our Operations Director owns the objectives that affect the ISMS from a production and operations perspective.

The source data is delegated to relevant members of staff to evidence; all of it is pulled from existing systems and simply summarised into KPIs and statistics reporting that form part of the regular management reviews in line with clause 9.3.
