Guest user Created: Jul 14, 2021 Last commented: Jul 14, 2021

Operational Security Objectives

We are confused on this section, Decreasing or Increasing, what if we don't have any incidents for the year, we can't decrease it. We don't have ISO yet and haven't had issues with onboarding customers, would it help in increasing revenue?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Jul 14, 2021

I’m assuming you are referring to the Information Security Policy document.

Considering that, ISO 27001 is pretty flexible when it comes to defining your security objectives. In this case, when you didn’t have incidents in the year, you can set as an objective 0 incidents, or focus on other objectives.

This absence of incidents can in fact help to acquire new customers and increase revenue (potential customers will have more confidence to work with you), but please note that keep an objective of 0 incidents is a pretty hard one.

Normally 3 to 4 objectives allow an ISMS to support properly the business, for example:

one operational objective: system uptime
one financial objective: increased revenue
one business objective: entering a new market
one compliance objective: fulfillment of GDPR

This article will provide you a further explanation about information security objectives:

ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

In this free online training, you'll find detailed guidance on setting the objectives:

ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jul 14, 2021

Expert Advice Community