Guest
Information Security Objective and how to measure it?
Based on ISO 27001 clause 6.2
The organization shall establish information security objectives at relevant functions and levels.
From point a to j.
Do you have an example to suggest about objectives on implementing information security, because in the toolkit there is only a one-line example of an objective.
thank you
Expert
Rhand Leal
Feb 16, 2017
I suggest you take a look at the article ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
It has many examples that can help you cover points a to j from ISO 27001 clause 6.2. Here is one example presented according to them:
Objective: We want to decrease the number of information security incidents by 50% in the next year.
a) Consistency with the information security policy: reduction of information security incidents is appropriate for the purpose of any organization, as demanded by information security policy requirements.
b) Measurable: It is possible to count the number of security incidents.
c) take into account information security requirements, and results from risk assessment and risk treatment: the reduction of 50% in the number of information security incidents can be related to the residual risk, one of the results of the risk treatment plan.
d) Communication: From the text you can expect that at least at the end of the next year the results should be communicated for evaluation.
e) be updated as appropriate: this is more related to the inclusion of the objective evaluation at management review, so you should verify if the management review procedure included security objectives as one of its inputs.
Other items from f to j are more related to performance measurement, something you can solve with a simple 5W2H model.
This article will provide you further explanation about security objectives:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
These materials will also help you regarding security objectives:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/
Feb 14, 2017