Expert Advice Community

Guest

Information security objectives

  Quote
Guest
Lajvar Created:   Feb 14, 2021 Last commented:   Feb 17, 2021

Information security objectives

I have this example on my Information security policy, but I think this objetive it is not S.M.A.R.T., please tell me, am I wrong?
objective:

"Define and establish the general guidelines of information security in the company, which will guide the personal and professional behavior of all employees and third parties who interact regularly or occasionally with the information and information assets associated with it in the development of their functions."

Thank you for your help.

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Feb 17, 2021

Let´s evaluate it considering S.M.A.R.T. concepts:

  • Specific (target a specific area for improvement): This aspect is covered by the text “Define and establish the general guidelines of information security in the company,…”
  • Measurable (quantify or at least suggest an indicator of progress): it is not clear how it can be measured (e.g.: Define and establish how many guidelines?). Here you can use, for example, “Define and establish the general guidelines of information security in the company based on ISO 27001 standard,…”, because by using the standard as a reference you will be able to measure progress (e.g., how many items were covered?)
  • Achievable (state what results can realistically be achieved, given available resources): This one cannot be properly evaluated without knowing your context (this is a subjective evaluation by your top management, normally considering the measurable objective and the proposed deadline).
  • Relevant (how it impacts the business): It is not clear how this objective can benefit the organization (e.g., a decrease of quantity and/or impact of incidents, increase in productivity or competitiveness, etc.).
  • Time-related (specify when the result(s) can be achieved: It is not clear when the objective must be achieved (e.g., by the end of the year, by the end of the semester, etc.)

These articles will provide you a further explanation about Objectives in ISO 27001:

These materials will also help you regarding Objectives in ISO 27001:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 14, 2021

Feb 17, 2021