Clause 6.2 of ISO/IEC 27001:2022 requires organisations to establish information security objectives at relevant functions and levels. These objectives must be consistent with the information security policy, be measurable (if practicable), take into account applicable information security requirements and risk assessment results, be monitored, be communicated, and be updated as appropriate. Well-defined objectives translate your security policy into concrete, actionable goals that drive continuous improvement.

ℹ️
Certification auditors will check that your objectives are genuinely measurable and that you can demonstrate progress towards achieving them. Vague objectives like "improve security" will result in audit findings. Each objective must have a clear target, a measurement method, and evidence of monitoring.

What the Standard Requires

Clause 6.2 specifies that when planning how to achieve information security objectives, the organisation shall determine:

  • What will be done
  • What resources will be required
  • Who will be responsible
  • When it will be completed
  • How the results will be evaluated

The objectives must be retained as documented information — the Objectives page in Venvera fulfils this requirement automatically by persisting all objective data.

Objectives Page in Venvera

The Information Security Objectives page (ISO 27001 > Objectives) displays the heading Information Security Objectives with the subtitle "Clause 6.2 — Measurable objectives with plans to achieve them". An Add Objective button opens the creation form.

Objective Cards

Each objective is displayed as a card showing:

  • A colour-coded status badge (Active, Achieved, Not Achieved, or Cancelled)
  • An optional Clause/Control Reference linking the objective to a specific ISO 27001 clause or Annex A control
  • The title and optional description
  • Key metrics: Target (measurable target), Method (measurement method), Current (current value), Responsible (person/team), and Target Date

You can change the status of any objective directly from the card using the dropdown, or delete an objective using the trash icon.

Status Options

| Status | Colour | Description |
|---|---|---|
| Active | Blue (primary) | Objective is currently being worked towards. This is the default status for new objectives. |
| Achieved | Green | The measurable target has been met. The objective is complete. |
| Not Achieved | Red | The target date has passed and the objective was not met. Requires review and possible corrective action. |
| Cancelled | Grey | The objective has been cancelled, typically because it is no longer relevant due to changes in scope or priorities. |

Creating an Objective

Click Add Objective to open the form. The following fields are available:

| Field | Type | Required | Description |
|---|---|---|---|
| Title | Text input | Required | A concise title for the objective (e.g., "Reduce incident response time") |
| Clause/Control Ref | Text input | Optional | Reference to the ISO 27001 clause or Annex A control this objective supports (e.g., A.5.24, Clause 7.2) |
| Description | Text area (2 rows) | Optional | Additional context explaining the objective, its importance, and how it relates to the security policy |
| Measurable Target | Text input | Required | The specific, measurable target to achieve (e.g., "Average incident response time below 4 hours") |
| Measurement Method | Text input | Optional | How progress will be measured (e.g., "Monthly analysis of incident management system data") |
| Responsible | Text input | Optional | The person or team responsible for achieving the objective |
| Target Date | Date picker | Optional | The date by which the objective should be achieved |

⚠️
Both Title and Measurable Target are required fields. You cannot save an objective without providing both. The measurable target is what distinguishes a genuine objective from a vague aspiration.

Writing SMART Objectives

The most effective information security objectives follow the SMART framework:

| SMART Element | Meaning | How to Apply |
|---|---|---|
| Specific | Clearly defined, not vague | State exactly what will be achieved. "Reduce phishing click rate" not "Improve email security" |
| Measurable | Quantifiable with a numeric target or clear criterion | Use the Measurable Target field to define the metric. "Click rate below 5%" not "low click rate" |
| Achievable | Realistic given resources and constraints | Consider current baselines and available resources. If the current click rate is 25%, targeting 5% in one month is unrealistic |
| Relevant | Aligned with security policy and risk treatment | Use the Clause/Control Ref to link to the policy area or risk the objective addresses |
| Time-bound | Has a defined deadline | Use the Target Date field to set a clear completion date |

Example Objectives

The following practical examples demonstrate effective information security objectives across common areas:

| Title | Measurable Target | Clause/Control | Method |
|---|---|---|---|
| Reduce incident response time | Average P1 incident response time below 4 hours | A.5.24, A.5.26 | Monthly analysis of incident tickets |
| Achieve 100% security awareness training | All staff complete annual security training by Q4 | Clause 7.2, 7.3 | LMS completion reports |
| Implement MFA across all critical systems | 100% of critical systems protected by MFA | A.8.5 | Quarterly access control review |
| Reduce phishing susceptibility | Phishing simulation click rate below 5% | A.6.3 | Bi-monthly simulated phishing campaigns |
| Patch critical vulnerabilities within SLA | 95% of critical patches applied within 14 days | A.8.8 | Monthly vulnerability scan reports |
| Close all major nonconformities | Zero open major NCs older than 90 days | Clause 10.1 | Monthly NC register review |
| Conduct scheduled internal audits | 100% of planned audits completed on schedule | Clause 9.2 | Audit programme completion tracking |
| Improve supplier security compliance | All critical suppliers assessed annually | A.5.19, A.5.22 | Supplier assessment register |

Linking Objectives to Other ISMS Elements

Information security objectives do not exist in isolation. They connect to multiple other elements of the ISMS:

  • Information Security Policy: Objectives must be consistent with the policy. Each objective should be traceable to a policy statement or commitment.
  • Risk Treatment Plan: Objectives often arise from risk treatment decisions. For example, if a risk treatment requires implementing MFA, an objective to "achieve 100% MFA coverage" tracks that implementation.
  • Management Reviews: Objective progress is a required input to management reviews (Clause 9.3). Present the status of all objectives, highlighting any that are at risk or not achieved.
  • Internal Audits: Auditors verify that objectives are being monitored and that measurement data exists. Objectives that show no progress or have no measurement evidence will be flagged.
  • Continual Improvement: Objectives that are not achieved provide input to the continual improvement process (Clause 10.2). Analyse why targets were missed and adjust the approach.

Step-by-Step: Setting Up Objectives

Step 1 — Review Your Security Policy

Before creating objectives, review your information security policy to identify the commitments and strategic direction that objectives should support. Each objective should clearly support one or more policy statements.

Step 2 — Review Risk Treatment Outputs

Examine your risk treatment plan for treatment actions that can be expressed as measurable objectives. For example, a treatment requiring encryption of data at rest translates into an objective with a target of 100% coverage.

Step 3 — Create Objectives

Click Add Objective for each objective. Enter the title, measurable target, and link it to the relevant clause or control reference. Ensure each objective follows the SMART framework.

Step 4 — Assign Responsibility and Dates

Set the Responsible person or team and the Target Date for each objective. Ensure the responsible party has the authority and resources to achieve the target.

Step 5 — Define Measurement Methods

For each objective, specify how progress will be measured. This might involve system reports, manual reviews, surveys, or audit results. Record this in the Measurement Method field.

Step 6 — Monitor and Update

Regularly review each objective and update the status as progress is made. Use the status dropdown to move objectives from Active to Achieved, or to Not Achieved if the target date passes without meeting the target. Present objective status at each management review.

Monitoring and Reporting

Effective monitoring of objectives involves:

  • Regular measurement: Collect measurement data at the frequency specified in the measurement method (monthly, quarterly, etc.)
  • Trend analysis: Track whether you are trending towards or away from the target. Early warning enables corrective action before the target date.
  • Management review input: Clause 9.3 requires consideration of the degree to which objectives have been achieved. Prepare a summary showing: total objectives, achieved, active (on track), active (at risk), not achieved, and cancelled.
  • Corrective action: For objectives marked Not Achieved, investigate the root cause and either revise the objective with new targets or create corrective actions through the nonconformity process.

💡
Set a mix of short-term and long-term objectives. Short-term objectives (3–6 months) demonstrate quick wins and maintain momentum. Long-term objectives (12+ months) address strategic security improvements. Aim for 5–10 active objectives at any time — too many dilute focus, too few suggest insufficient ambition.