ISO 27001 ISMS objectives

Answer:

Examples of areas and criteria you can consider are:
- operational objectives: During 2020, achieve a minimum of 99,9% of information systems uptime (you can specify systems here)
- financial objectives: Increase revenue by 10% by businesses related to ISO 27001 certification (on the other hand you can consider decreasing losses due information security incidents)
- business objectives: Enter a new market in the next 12 months which requires ISO 27001 certificate (on the other hand you can define acquiring a new top customer because ISO 27001)
- compliance objectives: Comply with xyz law/regulation by December 31, 2020, using ISO 27001 methodology

These articles will provide you further explanation about information security objectives:
- ISO 2 7001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
- Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/

Thanks, Rhand...very helpful for the business planning side! My question is more about what the Board needs to know to monitor the systems in place.

Rhand - in another area of compliance we follow a four step process: Organize, Formalize, Implement, and Monitor. Under each of these area we have 21 Principles and 72 criteria. I can see a similar pattern to the US NIST Cyber Framework: Identify, Protect, Detect,Respond, and Recover. The next level below is called "Categories": 'Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Identity Management and Access Control,” and “Detection Processes.” ' Thats ok, but what sort of information does the board need to know that substantiates that the CISO et al are following the process on an ongoing basis? The Board would use your suggestion re the planning side for setting the strategic goals; however, the Board needs know that progress is being made on the categories without getting bogged down in the technical side of the i ssues. They just want to sleep at night knowing that the CISO and his/her team continue to follow a due process. Does this make sense?

Answer:

Considering your additional information, the information you are looking for are the inputs for the management review:
- status of actions from previous management reviews;
- changes in external and internal issues relevant to ISMS;
- feedback on the information security performance, considering nonconformities and corrective actions, results from monitoring and measurement, audit results, and results related to information security objectives;
- feedback from interested parties;
- results of risk assessment
- status of risk treatment plan
- identified opportunities for improvement.

These are high level information provided by the person responsible for the ISMS that can give top management a systemic view of the ISMS and its performance.

This article will provide you further explanation about management review:
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

Thank you! I will review and, if I may, ask more questions. We are building a board-level decision support system based on a combination of a bespoke DBMS and Bayesian Networks to help board members/trustees sleep at night knowing that they meet global fiduciary standards. While the application is not as complicated as managing the details of conformance home like to ISO 27001, it's use of AI puts us out on the new horizons territory!