One thing which we get asked for clarification of during audits, and can cause some confusion with clients surrounds objectives of an ISMS. So, we have decided to post this blog on tips for determining appropriate objectives which are relevant to your organisation.
How to create effective ISMS objectives
When developing objectives for your Information Security Management System (ISMS), the first step is to ensure they align with your organisation's risks, business goals, and operational processes. Your objectives should focus on the areas that are most important to your organisation, taking into account your risk profile, regulatory obligations, and overall business strategy. Well-chosen objectives help ensure that your ISMS delivers measurable value rather than becoming a compliance exercise.
It can be tempting to create objectives for every aspect of information security, but too many objectives often make it difficult to prioritise effort and demonstrate meaningful progress. Instead, focus on a small number of high-level objectives that address your most significant risks and strategic priorities. Each objective can then be supported by specific targets, initiatives, and performance measures that make progress easier to monitor and manage.
When defining your ISMS objectives, ensure they satisfy the requirements of ISO 27001 by being:
- Measurable – Progress can be quantified using metrics, KPIs, or other objective evidence.
- Monitored – Performance is reviewed regularly to determine whether the objective is being achieved.
- Communicated – Relevant employees and stakeholders understand the objectives and their role in achieving them.
- Aligned with business goals and information security risks – Objectives should support both organisational strategy and the treatment of identified risks.
- Supported by targets, indicators, and evidence – Each objective should have clear success criteria and documented evidence demonstrating ongoing progress.
Once the objectives have been approved by top management, they should be communicated throughout the organisation so that everyone understands the desired outcomes and their responsibilities. From there, the organisation can implement the necessary actions, allocate appropriate resources, and regularly review progress to ensure the objectives remain relevant and continue to support the effectiveness and continual improvement of the ISMS.
Sample Objectives
The following examples illustrate common ISMS objectives that organisations use to support their ISO 27001 implementation. Adapt these examples to suit your own business risks, strategic objectives, and compliance requirements rather than copying them as they are written here.
1. Information security governance and compliance
Objective: Maintain full compliance with ISO 27001 and all applicable regulatory and contractual requirements.
Targets:
- Zero overdue corrective actions from internal or external audits.
- Completion of all planned internal audits each year.
- All policy reviews completed before their due dates.
KPIs:
- Percentage of implemented audit actions.
- Percentage of policies reviewed on time.
- Percentage of compliant high risk suppliers.
2. Risk reduction and risk treatment effectiveness
Objective: Reduce information security risk for all medium and high risk areas.
Targets:
- All risk treatments implemented by their stated due dates.
- Residual risk levels reduced or maintained at acceptable levels.
KPIs:
- Percentage of overdue risk treatments.
- Number of high residual risks accepted by management.
- Risk register review completed each quarter.
3. Incident management performance
Objective: Improve the effectiveness of security incident detection and response.
Targets:
- All incidents triaged within one hour of identification.
- Major incidents closed within agreed response times.
- Lessons learned completed for all major incidents.
KPIs:
- Mean time to detect.
- Mean time to respond.
- Percentage of incidents with completed lessons learned.
4. Business continuity and resilience
Objective: Ensure continuity of essential services following a disruption.
Targets:
- All critical systems recovered within the stated RTO and RPO.
- Annual business continuity testing completed with positive results.
KPIs:
- Test success rate.
- Actual recovery time versus planned recovery time.
5. Access control and privilege management
Objective: Strengthen access control for critical systems and data.
Targets:
- User access reviews completed for all critical systems twice per year.
- Privileged access approvals completed before access is granted.
- Zero orphan accounts after each access review.
KPIs:
- Percentage of completed access reviews.
- Number of violations of privileged access process.
6. Security awareness and human risk reduction
Objective: Increase staff security awareness and reduce human related security incidents.
Targets:
- Mandatory training completed by all staff each year.
- Phishing test failure rate below a defined threshold.
- Zero repeat offenders after two rounds of awareness training.
KPIs:
- Training completion rate.
- Phishing simulation metrics.
- Number of human related incidents.
7. Supplier and third party security
Objective: Ensure that supplier risks are identified, monitored and controlled.
Targets:
- All critical suppliers assessed before onboarding.
- Annual supplier reviews completed for high risk suppliers.
KPIs:
- Percentage of suppliers with completed security assessments.
- Number of supplier related incidents.
8. Technical security controls
Objective: Improve the effectiveness of technical controls for critical information assets.
Targets:
- Patch compliance at or above 95 percent for critical systems.
- All vulnerabilities rated high or critical remediated within defined SLA.
- Endpoint protection coverage at 100 percent.
KPIs:
- Patch compliance percentage.
- Vulnerability remediation time.
- Endpoint protection coverage rate.
9. Data protection and privacy
Objective: Protect personal and sensitive data from unauthorised disclosure or misuse.
Targets:
- Privacy impact assessments completed for all new projects.
- Zero data breaches caused by preventable control failures.
KPIs:
- PIA completion rate.
- Number of privacy related incidents.
10. Continuous improvement
Objective: Demonstrate measurable improvement of the ISMS year on year.
Targets:
- Reduction of information security incidents by a defined percentage.
- Reduction in average risk level across top ten risks.
- Increased maturity rating in key ISMS domains.
KPIs:
- Incident trend over twelve months.
- Risk trend reporting.
- Maturity assessments.
So, to summarise, you don’t need to set a large number of objectives for your ISMS. Objectives should be supported by measurable targets and KPIs which are actionable to give the best framework to ensure that they objectives can be met. Most importantly, when defining objectives for your ISMS, or any other management system, is to focus it on the largest risk areas and areas which will give the greatest benefit for your business.