ISO 27001 Clause 6.2
Establishing clear information security objectives is essential for a successful ISMS. Clause 6.2 of ISO 27001:2022 focuses on setting measurable objectives and planning how to achieve them. This ensures your organisation has a structured approach to improving information security over time.
To get customised support specific to your organisation, please get in touch with us.
What is ISO 27001 Clause 6.2?
Clause 6.2 requires organisations to:
- Establish information security objectives that are consistent with the ISMS policy and the organisation’s strategic direction.
- Make objectives measurable wherever practicable.
- Plan actions to achieve objectives, including identifying responsibilities, resources, and timelines.
- Monitor and evaluate progress toward achieving these objectives.
This clause links strategic planning with operational implementation, ensuring that goals are actionable and measurable.
Why It Matters
Clear objectives:
- Provide direction for improving information security.
- Enable organisations to measure progress and performance.
- Support continual improvement and compliance with ISO 27001.
- Help allocate resources effectively to meet security goals.
Without defined objectives, organisations may lack focus, and efforts to improve information security can be inconsistent or ineffective.
How to Address Clause 6.2
To comply with Clause 6.2, organisations should:
- Define objectives that are specific, measurable, achievable, relevant, and time-bound (SMART).
- Assign responsibilities to individuals or teams to achieve each objective.
- Allocate necessary resources, such as personnel, technology, or budget.
- Establish performance indicators to monitor progress.
- Review and update objectives regularly to reflect changes in risks, business priorities, or regulatory requirements.
Example
An e-commerce company might set the following objectives:
- Reduce the number of security incidents caused by phishing by 50% within 12 months.
- Ensure 100% of staff complete mandatory information security training each year.
- Implement encryption for all customer data in transit within six months.
Each objective carries a measurable target and a timeline, and once responsibility for it is assigned, progress becomes trackable and the objective actionable.
Final Thoughts
Clause 6.2 ensures that your ISMS has clear, measurable objectives aligned with your organisation’s security policy and strategic goals. Proper planning and monitoring of objectives drive continual improvement and strengthen your overall security posture.
Need help setting and achieving ISO 27001-compliant information security objectives? Candy Management Consultants can assist in defining practical, measurable goals and planning effective actions to meet them.
