ISO 27001 Information Security - Objectives and change management

Clause 6.2 Objectives

Clause 6.2 Objectives

9 June 2022 - ISO 27001 Information Security in plain English - Blog post #9.

ISO 27001 - Clause 6.2 Objectives. Setting SMART Objectives to provide a focus to your management system, assigning, communicating, monitoring and measuring them.


ISO 27001 Information Security in plain English

Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard.  However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English' - a series of blogs articles that explains all clauses and controls in the standard.


At the simplest level, an objective is a statement of a desired outcome. Most of us respond to a challenge and perform better when we have a target to aim for. Without having objectives to work towards, an organization - just like a person - may drift aimlessly.

To be of real value, there needs to be some structure and discipline around the planning of objectives, and the monitoring of progress towards them. An objective should include a description of who is responsible, what is the target, and when is it planned to be achieved - or the time period over which it is to be measured.

While not explicitly specified by ISO 27001, the concept of SMART objectives is a very useful guideline to follow. SMART is an acronym for Specific, Measurable, Attainable, Relevant, and Timed.

  • S - Specific - The objective should be focused on only just one thing
  • M - Measurable - It should be possible to measure whether or not you achieve the objective
  • A - Attainable - The objective should be within your capabilities
  • R - Relevant - The objective should be something of importance
  • T - Timed - There should be a time scale or deadline for achievement of the objective

There are some possible variations on this theme. For example, the 'R' can be used to denote 'Realistic'. We consider that topic is already covered by 'Attainable', so prefer the definition listed above.

Objectives are required for relevant levels and functions within the organization. So, some may be corporate - with a business-wide application, whereas otherwise may be more localised or targeted (either from a geographic or organizational perspective). They are typically set at formal management review and business planning meetings. They may also be set or reset in the event of:

  • An existing objective being achieved
  • Time-expiry of an existing objective
  • A new opportunity or threat being presented

Progress against the objectives may also be reviewed at those same reviews and meetings. On a more individual level, progress may also be considered at KPI or Performance Reviews. Some objectives may lend themselves to more frequent monitoring / progress reports - in which case, a suitable mechanism for doing that should be decided. Examples might include automated logging or manual checking with consideration at development, ,management, team, or project meetings.

Typically, objectives are specified in annual business plans, KPI's / individual development plans, or a specific spreadsheet or management system software application. Information security objectives do not have to be managed in isolation. The chosen methodology to manage them may be shared with other compliance and business objectives.

ISO 27001 InfoSec Toolkit includes template documents that address the requirements of clause 6.2 Objectives (including model planning procedures and registers). It also contains a more in-depth explanation of the requirements referred to above and how to address them.

Qudos 3 IMS software is a great solution to efficiently and effectively meeting the requirements of clause 6.2 Objectives. It has a dedicated Objectives module with a detailed data entry form, automated register and reminders. Actions to achieve objectives may be automatically created, linked, reported on, and managed. The software has powerful categorisation options that allow it to be used across a range of compliance and risk management topics.

An earlier article posted on this site lists 50 sample objectives across multiple topics.

Clause 6.3 Planning of changes

This clause simply requires that changes to the management system should take place in a planned manner. It basically mirrors the same requirement in ISO 9001 Quality standard. We have a sneaky suspicion that it was a very late addition to ISO 27001:2022 as it doesn't appear in the Contents list of some editions. We may be wrong, but just raising the possibility. By the way, this clause may be most efficiently addressed alongside Annex A control 8.32 Change Management which refers to managing changes
to information systems and processing facilities.

As the context of an organization changes over time, there will be a need for many component parts of a management system to also change. This is necessary in order to adapt to new circumstances, maintain purpose, and viability. Changes may be triggered by any of the PESTEL factors that we considered in chapter 4 - political, economic, social, technological, environmental, or legal. Changes might include:

  • Something new
  • Something that is significantly changing or being updated
  • Something being outsourced or off-shored
  • Something being discontinued

Whatever the changes to your ISMS and its processes might be, they
need to happen in a controlled manner in order to best take
advantage of new opportunities, while managing any risks.

About the series 'ISO 27001 Information Security in plain English'

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)

Click the LinkedIn Follow button below to receive notifications.

There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.

Ready to start your journey to ISO 27001?

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experience certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!