One thing which can cause some confusion, and which we are often asked to clarify during ISO 27001 audits, is the objectives of an ISMS. So, we have decided to post this blog with tips and tricks for determining appropriate objectives which are relevant to your organisation.

When determining objectives for your ISMS it is important to select objectives which are aligned with the risks, goals and processes in your business. This translates to selecting objectives around areas which are most relevant to your business and your risk appetite.

Selecting a smaller number of higher level objectives, which can then be tracked and broken down into actions to achieve them, tends to lead to better outcomes for businesses. Having too large a number of objectives can lead to issues with prioritising them.

When trying to identify objectives for your ISMS, it is important to keep in mind that they should fulfil the following criteria. They should be:

1. Measurable

2. Monitored

3. Communicated

4. Aligned with risks and business goals

5. Supported by indicators, targets and evidence of progress.

This allows each selected objective to be broken down into targets that define what achieving it means, with measurable KPIs identified to track progress against those targets.

Of course, after the objectives have been agreed on by top management, they need to be communicated to the rest of the business so that staff can work on implementing the actions needed to meet them.

Some sample objectives for different aspects of an ISMS, together with their targets and KPIs, could be:

1. Information security governance and compliance

Objective: Maintain full compliance with ISO 27001 and all applicable regulatory and contractual requirements.

Targets:

  • Zero overdue corrective actions from internal or external audits.
  • Completion of all planned internal audits each year.
  • All policy reviews completed before their due dates.

KPIs:

  • Percentage of implemented audit actions.
  • Percentage of policies reviewed on time.
  • Percentage of compliant high risk suppliers.

2. Risk reduction and risk treatment effectiveness

Objective: Reduce information security risk for all medium and high risk areas.

Targets:

  • All risk treatments implemented by their stated due dates.
  • Residual risk levels reduced or maintained at acceptable levels.

KPIs:

  • Percentage of overdue risk treatments.
  • Number of high residual risks accepted by management.
  • Risk register review completed each quarter.

3. Incident management performance

Objective: Improve the effectiveness of security incident detection and response.

Targets:

  • All incidents triaged within one hour of identification.
  • Major incidents closed within agreed response times.
  • Lessons learned completed for all major incidents.

KPIs:

  • Mean time to detect.
  • Mean time to respond.
  • Percentage of incidents with completed lessons learned.

4. Business continuity and resilience

Objective: Ensure continuity of essential services following a disruption.

Targets:

  • All critical systems recovered within the stated RTO and RPO.
  • Annual business continuity testing completed with positive results.

KPIs:

  • Test success rate.
  • Actual recovery time versus planned recovery time.

5. Access control and privilege management

Objective: Strengthen access control for critical systems and data.

Targets:

  • User access reviews completed for all critical systems twice per year.
  • Privileged access approvals completed before access is granted.
  • Zero orphan accounts after each access review.

KPIs:

  • Percentage of completed access reviews.
  • Number of violations of privileged access process.

6. Security awareness and human risk reduction

Objective: Increase staff security awareness and reduce human related security incidents.

Targets:

  • Mandatory training completed by all staff each year.
  • Phishing test failure rate below a defined threshold.
  • Zero repeat offenders after two rounds of awareness training.

KPIs:

  • Training completion rate.
  • Phishing simulation metrics.
  • Number of human related incidents.

7. Supplier and third party security

Objective: Ensure that supplier risks are identified, monitored and controlled.

Targets:

  • All critical suppliers assessed before onboarding.
  • Annual supplier reviews completed for high risk suppliers.

KPIs:

  • Percentage of suppliers with completed security assessments.
  • Number of supplier related incidents.

8. Technical security controls

Objective: Improve the effectiveness of technical controls for critical information assets.

Targets:

  • Patch compliance at or above 95 percent for critical systems.
  • All vulnerabilities rated high or critical remediated within defined SLA.
  • Endpoint protection coverage at 100 percent.

KPIs:

  • Patch compliance percentage.
  • Vulnerability remediation time.
  • Endpoint protection coverage rate.

9. Data protection and privacy

Objective: Protect personal and sensitive data from unauthorised disclosure or misuse.

Targets:

  • Privacy impact assessments completed for all new projects.
  • Zero data breaches caused by preventable control failures.

KPIs:

  • PIA completion rate.
  • Number of privacy related incidents.

10. Continuous improvement

Objective: Demonstrate measurable improvement of the ISMS year on year.

Targets:

  • Reduction of information security incidents by a defined percentage.
  • Reduction in average risk level across top ten risks.
  • Increased maturity rating in key ISMS domains.

KPIs:

  • Incident trend over twelve months.
  • Risk trend reporting.
  • Maturity assessments.

So, to summarise, you don’t need to set a large number of objectives for your ISMS. Objectives should be supported by measurable targets and actionable KPIs, which gives the best framework for ensuring that the objectives can be met. Most importantly, when defining objectives for your ISMS, or any other management system, focus on the largest risk areas and the areas which will give the greatest benefit to your business.

Author

Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
