I’m assuming you are referring to the Information Security Policy document.
Considering that, ISO 27001 is pretty flexible when it comes to defining your security objectives. In this case, when you didn’t have incidents in the year, you can set as an objective 0 incidents, or focus on other objectives.
This absence of incidents can in fact help to acquire new customers and increase revenue (potential customers will have more confidence to work with you), but please note that keep an objective of 0 incidents is a pretty hard one.
Normally 3 to 4 objectives allow an ISMS to support properly the business, for example:
- one operational objective: system uptime
- one financial objective: increased revenue
- one business objective: entering a new market
- one compliance objective: fulfillment of GDPR
This article will provide you a further explanation about information security objectives:
In this free online training, you'll find detailed guidance on setting the objectives: