We are confused about this section, Decreasing or Increasing: what if we don't have any incidents for the year? We can't decrease it. We don't have ISO yet and haven't had issues with onboarding customers; would it help in increasing revenue?
I’m assuming you are referring to the Information Security Policy document.
Considering that, ISO 27001 is pretty flexible when it comes to defining your security objectives. In this case, if you didn’t have any incidents in the year, you can set 0 incidents as an objective, or focus on other objectives.
This absence of incidents can in fact help to acquire new customers and increase revenue (potential customers will have more confidence to work with you), but please note that keeping an objective of 0 incidents is a pretty hard one.
Normally 3 to 4 objectives allow an ISMS to properly support the business, for example:
one operational objective: system uptime
one financial objective: increased revenue
one business objective: entering a new market
one compliance objective: fulfillment of GDPR
This article will provide you with a further explanation of information security objectives: