ISO 27001 made easy: A comprehensive guide to understanding the standard

Understanding ISO 27001 Clause 6.2: Information Security Objectives & Planning to Achieve Them

Clause 6.2 of ISO 27001, titled "Information security objectives and planning to achieve them", is part of the planning section (clause 6) of an ISMS. In simple terms, it asks you to set concrete, measurable information security objectives that follow from your security policy and your risk assessment, and to plan how you will reach them.

Video: Easy ISO - Challenges and best practices for ISMS

What does clause 6.2 require?

This clause asks organizations to do the following:

  1. Define relevant objectives: Establish information security objectives at the relevant functions and levels of the organization, and document them. The objectives must be consistent with the information security policy and take into account applicable information security requirements (legal, contractual and business) as well as the results of the risk assessment and risk treatment carried out under clause 6.1.

  2. Align with risk treatment decisions: Objectives should follow from the risks you have decided to treat and from your risk acceptance criteria. In other words, each objective should close a gap that your risk assessment identified; it should not be a goal you would never fund, staff or actually pursue.

  3. Make them measurable: The standard requires objectives to be measurable where practicable. A usable objective names a metric, a target value and a deadline (for example, a percentage of critical systems patched within a defined time frame) rather than a general intention such as "improve security". Objectives must also be communicated to the people who have to deliver them and updated when circumstances change.

  4. Develop a plan: For each objective, determine what will be done, what resources will be required, who will be responsible, when it will be completed, and how the results will be evaluated.

 

Key elements of clause 6.2

Now, let's look at the key components of this clause:

  • Relevance: Objectives are consistent with the information security policy, address applicable security requirements and protect the information that matters to the business.

  • Risk alignment: Objectives take into account the results of risk assessment and risk treatment, so each one traces back to an identified risk.

  • Measurability: Objectives are measurable where practicable, monitored, communicated and updated as appropriate.

  • Planning: For each objective there is a plan covering what will be done, the resources required, who is responsible, when it will be completed and how the results will be evaluated.

What changed in ISO 27001: 2022?

The 2022 revision of ISO 27001 made only small changes to clause 6.2; the requirements for objectives and for planning to achieve them are essentially the same as in the 2013 edition:

  • Monitoring: The list of properties the objectives must have now explicitly states that they shall be monitored. In the 2013 edition this was only implied through clause 9.1 (monitoring, measurement, analysis and evaluation).

  • Documentation: The requirement to retain documented information on the objectives was moved into that same list ("be available as documented information"). The requirement itself is not new.

  • Planning details: The planning requirements (what will be done, what resources are required, who is responsible, when it will be completed and how the results will be evaluated) are unchanged. If you already met the 2013 clause, the 2022 wording adds no new planning content.


Why is clause 6.2 important?

Clause 6.2 matters because it turns the risk treatment decisions made under clause 6.1 into concrete, measurable targets with owners and deadlines. Those targets are what you monitor under clause 9.1 and report on in management review under clause 9.3, and they are what an auditor will ask to see evidence for. Without them, "we manage our risks" is an assertion rather than something that can be checked, and it is much harder to show that the ISMS actually reduces the likelihood or impact of security incidents.

 

How to meet the requirements of clause 6.2

Here are some practical steps to fulfil the requirements of clause 6.2:

  1. Identify important assets: Start by pinpointing your organization's critical information assets and the information security requirements (legal, contractual and business) that apply to them.

  2. Assess risks: Evaluate the risks to these assets using the risk assessment process from clause 6.1.2, by working through the risk scenarios that could affect them and deciding which risks to treat.

  3. Set aligned objectives: Create security objectives that are consistent with your information security policy and address the risks you chose to treat. Give each objective a metric, a target value and a deadline so that it is measurable.

  4. Document and communicate objectives: Put your objectives in writing and make sure the people responsible for delivering them know what is expected.

  5. Develop a plan: For each objective, record what will be done, what resources are required, who is responsible, when it will be completed and how the results will be evaluated.

  6. Implementation: Put your plan into action.

  7. Monitor and review: Measure progress against each objective's metric, review the results regularly (including in management review), and update objectives when they are met or when the business or threat picture changes. If an objective or its plan is found to no longer be effective, go back to steps 3 to 7 rather than only adjusting the plan, since the objective itself may need to change.

By following these steps, you'll help your organization meet the requirements of clause 6.2 and enhance its overall information security posture.
