ISO 27001 Information Security - Objectives and change management

Objectives

At the simplest level, an objective is a statement of a desired outcome. Most of us respond to a challenge and perform better when we have a target to aim for. Without having objectives to work towards, an organization - just like a person - may drift aimlessly.

To be of real value, there needs to be some structure and discipline around the planning of objectives, and the monitoring of progress towards them. An objective should include a description of who is responsible, what is the target, and when is it planned to be achieved - or the time period over which it is to be measured.

While not explicitly specified by ISO 27001, the concept of SMART objectives is a very useful guideline to follow. SMART is an acronym for Specific, Measurable, Attainable, Relevant, and Timed.

• S - Specific - The objective should be focused on only just one thing
• M - Measurable - It should be possible to measure whether or not you achieve the objective
• A - Attainable - The objective should be within your capabilities
• R - Relevant - The objective should be something of importance
• T - Timed - There should be a time scale or deadline for achievement of the objective

There are some possible variations on this theme. For example, the 'R' can be used to denote 'Realistic'. We consider that topic is already covered by 'Attainable', so prefer the definition listed above.

Objectives are required for relevant levels and functions within the organization. So, some may be corporate - with a business-wide application, whereas otherwise may be more localised or targeted (either from a geographic or organizational perspective). They are typically set at formal management review and business planning meetings. They may also be set or reset in the event of:

• An existing objective being achieved
• Time-expiry of an existing objective
• A new opportunity or threat being presented

Progress against the objectives may also be reviewed at those same reviews and meetings. On a more individual level, progress may also be considered at KPI or Performance Reviews. Some objectives may lend themselves to more frequent monitoring / progress reports - in which case, a suitable mechanism for doing that should be decided. Examples might include automated logging or manual checking with consideration at development, ,management, team, or project meetings.

Typically, objectives are specified in annual business plans, KPI's / individual development plans, or a specific spreadsheet or management system software application. Information security objectives do not have to be managed in isolation. The chosen methodology to manage them may be shared with other compliance and business objectives.  https://qudos-software.com/new-years-resolutions-for-your-management-system-50-sample-objectives/

ISO 27001 InfoSec Toolkit includes template documents that address the requirements of clause 6.2 Objectives (including model planning procedures and registers). It also contains a more in-depth explanation of the requirements referred to above and how to address them.

Qudos 3 IMS software is a great solution to efficiently and effectively meeting the requirements of clause 6.2 Objectives. It has a dedicated Objectives module with a detailed data entry form, automated register and reminders. Actions to achieve objectives may be automatically created, linked, reported on, and managed. The software has powerful categorisation options that allow it to be used across a range of compliance and risk management topics.

An earlier article posted on this site lists 50 sample objectives across multiple topics.