ISO 27001 controls
How to implement ISO 27001 controls more effectively.
The main rules here are:
- you need to have clear objectives for the controls
- the controls' objectives need to support relevant business objectives
- responsibilities must be clearly defined (usually through policies and procedures)
- people must have the proper competencies (usually through awareness, training, and education)
With clear control objectives, you will know which resources you need, where to apply them, who needs to be involved, and when adjustments are needed, avoiding poor performance and waste. However, this is only half of the way.
With clear links between control objectives and business objectives, you can easily demonstrate to top management that the information security effort is paying off.
With clear responsibilities, people will know what is expected of them, focusing on activities that add value to the business and avoiding unrelated activities.
Finally, with proper competencies, personnel will be more engaged with information security (they will know why it is important to do what they have to do and how to perform such tasks).
These articles will provide you with further explanation about security objectives:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
May 07, 2020