Expert Advice Community

ISO 27001 ISMS objectives

Guest user Created:   Sep 04, 2019 Last commented:   Sep 04, 2019

I am looking for a basic outline of what a board member of a multinational needs to use to monitor their company's compliance with 27001. It does not need to be a technical document; rather what are the 4-5 key areas that a board needs to monitor and what are 2-3 criteria for each area.

Expert
Rhand Leal Sep 04, 2019

Answer:

Examples of areas and criteria you can consider are:
- operational objectives: During 2020, achieve a minimum of 99.9% uptime for information systems (you can specify the systems here)
- financial objectives: Increase revenue by 10% from business related to ISO 27001 certification (alternatively, you can consider decreasing losses due to information security incidents)
- business objectives: Enter a new market in the next 12 months which requires an ISO 27001 certificate (alternatively, you can define acquiring a new top customer because of ISO 27001)
- compliance objectives: Comply with xyz law/regulation by December 31, 2020, using the ISO 27001 methodology

These articles will provide you further explanation about information security objectives:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
- Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/
- Aligning information security with the strategic direction of a company according to ISO 27001 https://advisera.com/27001academy/blog/2017/02/20/strategic-direction-of-a-company-according-to-iso-27001/

diogenes1 Sep 04, 2019

Thanks, Rhand...very helpful for the business planning side! My question is more about what the Board needs to know to monitor the systems in place.

diogenes1 Sep 04, 2019

Rhand - in another area of compliance we follow a four-step process: Organize, Formalize, Implement, and Monitor. Under each of these areas we have 21 Principles and 72 criteria. I can see a similar pattern in the US NIST Cyber Framework: Identify, Protect, Detect, Respond, and Recover. The next level below is called "Categories": 'Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Examples of Categories include "Asset Management," "Identity Management and Access Control," and "Detection Processes."' That's OK, but what sort of information does the board need to know that substantiates that the CISO et al. are following the process on an ongoing basis? The Board would use your suggestion re the planning side for setting the strategic goals; however, the Board needs to know that progress is being made on the categories without getting bogged down in the technical side of the issues. They just want to sleep at night knowing that the CISO and his/her team continue to follow due process. Does this make sense?

Expert
Rhand Leal Sep 05, 2019

Answer:

Considering your additional information, what you are looking for is the set of inputs for the management review:
- status of actions from previous management reviews;
- changes in external and internal issues relevant to the ISMS;
- feedback on information security performance, considering nonconformities and corrective actions, results from monitoring and measurement, audit results, and results related to information security objectives;
- feedback from interested parties;
- results of risk assessment;
- status of the risk treatment plan;
- identified opportunities for improvement.

This is high-level information provided by the person responsible for the ISMS that can give top management a systemic view of the ISMS and its performance.

This article will provide you further explanation about management review:
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

diogenes1 Sep 05, 2019

Thank you! I will review and, if I may, ask more questions. We are building a board-level decision support system based on a combination of a bespoke DBMS and Bayesian Networks to help board members/trustees sleep at night knowing that they meet global fiduciary standards. While the application is not as complicated as managing the details of conformance to something like ISO 27001, its use of AI puts us out in new-horizons territory!
