Expert Advice Community

How to establish new ISMS Objectives

Bills | Created: Jan 05, 2020 | Last commented: Jan 07, 2020

Hi, I implemented an ISMS in my company 2 years ago, and all the objectives I proposed during the implementation have already been completed. I need to establish new ISMS objectives for at least the next 2 years. I have the following doubts in mind:
  1. How should I proceed in this case? Which factors will the new ISMS objectives depend on? How can I create new objectives?
  2. What will happen to my objectives that have been completed?
  3. Do I need to keep a record of them for management review in the future?
  4. Do I need to make an implementation plan for the new objectives and how they will be achieved?
Please advise. Thanks


Expert
Rhand Leal Jan 07, 2020

1. How should I proceed in this case? Which factors will the new ISMS objectives depend on? How can I create new objectives?

The answer to these three questions is that you can use the same process and factors you used to create the first ISMS objectives to create the new ones. Regarding the factors to consider, you can add factors that are now relevant, or exclude factors that are no longer relevant. Examples to consider are:

Internal factors: you need to make sure that your information security objectives are aligned with the business strategy, perform the risk assessment, and determine resources, information security roles and responsibilities, capabilities, etc.
External issues: you simply need to identify interested parties and their requirements (interested parties can be employees, clients, suppliers, partners, etc.)

For further information, see:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

2. What will happen to my objectives that have been completed?

You can exclude them from your current objectives if, after a management review, your organization has decided there is no need to pursue them anymore.

3. Do I need to keep a record of them for management review in the future?

ISO 27001 requires the results of the management review to be documented (e.g. the decision on which objectives were defined, and the results achieved), but it is also good practice to keep the history of previous objectives as input for future organizational planning.

For further information, see:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

4. Do I need to make an implementation plan for the new objectives and how they will be achieved?

You have to proceed the same way you did for the first cycle of your ISMS, so you also need to define how the objectives will be achieved.
