
Expert Advice Community

ISMS objectives

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

AntonioS Jan 12, 2016

I had a few questions regarding ISMS objectives. Our company recently completed the Stage I audit for ISO 27000, and the auditor pointed out that in our objectives we need to include Solution Development and BCP, and I'm really not getting how we would be able to include those. Could you help me out a bit? He also pointed out that we need to provide appropriate objectives for CIA.

Answer:

Usually, the objectives are set at two levels: 1) the general ISMS level, and 2) the security controls. For point 1), you can use an Information Security Policy. For point 2), because it is related to the security controls, you can use the Statement of Applicability. You can see a free version of this document by clicking on the “Free Demo” tab here: “Statement of Applicability”: https://advisera.com/27001academy/documentation/statement-of-applicability/
And from my point of view, objectives need to be established by the organization; the auditor can only make a recommendation to you.
Regarding Solution Development, I am not sure what it means, but objectives need to be related to information security, and if development is in the scope of the ISMS (if not, it makes no sense), you can define as an objective, for example, the implementation of a code of best practices to improve secure coding (point 2, because it is related to controls). You can see our Secure Development Policy here (remember that you can see a free version by clicking on the “Free Demo” tab): “Secure Development Policy”: https://advisera.com/27001academy/documentation/secure-development-policy/
Regarding the BCP (Business Continuity Plan), you can include as an objective (point 2) “Improve and reduce times to recover the IT infrastructure” (I assume that you have a BCP or a DRP in your business).
Regarding the CIA, you can define as an objective (point 1, because it is related to the general ISMS level) “improve the confidentiality of the interchange of information, increase the availability of the information and ensure the integrity of the information”.
Finally, this article may be interesting for you: “ISO 27001 control objectives – Why are they important?”: https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/