Information security objectives
I have this example on my Information security policy, but I think this objetive it is not S.M.A.R.T., please tell me, am I wrong?
objective:
"Define and establish the general guidelines of information security in the company, which will guide the personal and professional behavior of all employees and third parties who interact regularly or occasionally with the information and information assets associated with it in the development of their functions."
Thank you for your help.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Let´s evaluate it considering S.M.A.R.T. concepts:
- Specific (target a specific area for improvement): This aspect is covered by the text “Define and establish the general guidelines of information security in the company,…”
- Measurable (quantify or at least suggest an indicator of progress): it is not clear how it can be measured (e.g.: Define and establish how many guidelines?). Here you can use, for example, “Define and establish the general guidelines of information security in the company based on ISO 27001 standard,…”, because by using the standard as a reference you will be able to measure progress (e.g., how many items were covered?)
- Achievable (state what results can realistically be achieved, given available resources): This one cannot be properly evaluated without knowing your context (this is a subjective evaluation by your top management, normally considering the measurable objective and the proposed deadline).
- Relevant (how it impacts the business): It is not clear how this objective can benefit the organization (e.g., a decrease of quantity and/or impact of incidents, increase in productivity or competitiveness, etc.).
- Time-related (specify when the result(s) can be achieved: It is not clear when the objective must be achieved (e.g., by the end of the year, by the end of the semester, etc.)
These articles will provide you a further explanation about Objectives in ISO 27001:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
These materials will also help you regarding Objectives in ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Feb 17, 2021