How to establish new ISMS Objectives
- How should I proceed in this case? Which factors will the new ISMS objectives depend upon? How can I make new objectives?
- What will happen to my objectives which have been completed?
- Do I need to keep a record for them for management review in the future?
- Do I need to make any implementation plan for the new objectives and how they will be achieved?
1. How should I proceed in this case? Which factors will the new ISMS objectives depend upon? How can I make new objectives?
The answer to these three questions is that you can use the same process and factors you used for the creation of the first ISMS objectives to create the new ones. Regarding factors to be considered, you can add factors that are now relevant, or exclude factors that are not relevant. Examples to be considered are:
Internal factors: you need to make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, determine resources, information security roles and responsibilities, capabilities, etc.
External issues: you simply need to identify interested parties and their requirements (interested parties can be employees, clients, suppliers, partners, etc.)
For further information, see:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
2. What will happen to my objectives which have been completed?
You can exclude them from your current objectives if, after a management review, your organization has determined that there is no need to pursue them anymore.
3. Do I need to keep a record for them for management review in the future?
ISO 27001 requires the results of management review to be documented (e.g. the decision on which objectives were defined, and the achieved results), but it is also a good practice to keep the history of previous objectives to be used as input for future organizational planning.
For further information, see:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
4. Do I need to make any implementation plan for the new objectives and how they will be achieved?
You have to proceed the same way you did for the first cycle of your ISMS, so you also need to define how the objectives will be achieved.
Jan 07, 2020