Should information security objectives be measurable?
Or shall the Top level IS Policy include more specific, measurable objectives too?
Answer: It is true that ISO 27001 does not clearly distinguish between two levels of objectives; therefore, it allows you to define any levels you feel are appropriate.
However, ISO 27001 very clearly says in clause 6.2 b) "[information security objectives shall] be measurable (if practicable)" - therefore, no matter what kind of security objective you have, if possible it should be measurable.
Thank you for the answer Dejan. So judging by your answer it means that in a top level IS policy which is a quite general document referring to the entire ISMS, we need to include the measurable objectives that are quite topic specific. That's what in fact doesn't seem to be right to me. Wouldn't it be more logical to include the general objectives in the top level policy and the measurable objectives in the topic specific policies?
This is what ISO 27001 requires of you - to have measurable objectives.
Besides, these top-level objectives are crucial for your top management to judge whether the investment in the ISMS paid off - if these objectives were not measurable, they would not be able to conclude whether the ISMS made sense.
This whole relationship to the top management is explained in detail in my book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Yes, I completely agree, Dejan, that the objectives must be measurable, otherwise it's impossible to evaluate the results after the implementation of the ISMS. This is very well understood. The only thing I wanted to validate is whether we can keep the measurable results in the topic-specific policies instead of the top-level IS policy. But if I understand it right, the conclusion is that the best way is to keep the measurable objectives in the top-level security policy.
I'm not sure if we understood each other:
1) No matter for which level you have the information security objectives, they have to be measurable - both for the top-level ISMS, for departments, for groups of controls or for individual controls.
2) You can document the objectives in policies, or in some separate documents.
3) You do not have to document all the objectives in a single document - in most cases, these objectives will be written in several documents.
Again, I would really recommend my book because it explains the whole concept - Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Thanks, Dejan and Diorela, for your blueprint conversation herein. It has proved such a savior for me too when I raised similar questions earlier. Although Diorela has a point, Dejan politely reminds him every now and then, when he gets lost in his own train of thought trying to process Dejan's series of answers, and by extension us, to go by what the standard requires no matter how logical our reasoning may seem, given it is a very strict standard. Besides, inasmuch as the IS policy is indeed a top-level document within the overall ISMS document and documentation landscape, the other topic-specific or departmental or functional or task-based policies and procedures by no means cede ground to a middle-level position. They are what implement the IS policy statement. Hence, in that sense, they occupy the same level of the hierarchy. In turn, the controls and control objectives from Annex A, any other source, etc. implement the specific controls and control areas listed out within the statement of applicability, which is a framework for documenting these control-specific objectives. To maintain this ISMS at two levels, Diorela would have to count both the IS policy and the topic-specific policies on the one hand, on the same level as the ISMS general objectives which are required to be measurable as per the Standard, and the control-specific objectives on the other hand on a level of their own. Alternatively, Diorela could also segment the IS policy and topic-specific policy into separate levels, with the former being at the ISMS general objectives and the latter being at departmental objectives. This, though, is not mandatory, since the minimum requirement is to leave both the top-level and topic-specific policy objectives as well as the control-specific objectives as the two levels of objective-setting needed for the ISO 27001:2013 Standard.
Please note that your last phrase is not true ("This, though, is not mandatory, since the minimum requirement is to leave..."). ISO 27001 does not prescribe the use of two-level objective setting, nor the use of top-level, topic-specific, and control-specific objectives. It requires only that objectives are defined at relevant functions and levels. This leaves organizations free to adopt objectives that better suit their needs.
Considering that, both of your proposed approaches are OK if they fulfill the standard's requirements, but you need to understand that you are defining them this way because you consider they suit your needs the way they are, not because of any requirement of the standard.
For example, you can have:
- a single set of organizational-wide information security objectives, linked to no specific control (in this case you will measure only final organizational results against defined objectives).
- a two-level set of information security objectives, composed of organization-wide objectives and department/process objectives, the latter defining how each department/process contributes to the organizational objectives.
- a three-level set of information security objectives, composed of organization-wide objectives, department/process objectives, and role/function/control objectives, the last ones defining how specific roles/functions/controls contribute to the department/process objectives, and how each department/process contributes to the organizational objectives.
Note that as you increase the number of levels you increase the complexity, cost, and administrative effort, but you also have more detailed information to identify where potential problem points are. So, you need to evaluate the best scenario for you, remembering that you do not need to define objectives for all departments/processes/controls in your scope. You can start with a single level, then include the most critical departments/processes/controls later, and increase coverage as you gain more experience and maturity in managing the objectives.
Mar 23, 2021