17 July 2023

ISO 27001 – Clause 6.2 – Objective – How to measure the objectives of a security program


Setting a goal is the best way to achieve it, otherwise how do we know when we’ve succeeded?

By defining your information security objectives, you clearly determine what you want to achieve in order to protect the company’s systems and data against internal and external threats.

What do we want to achieve, what is the goal?

Nothing exists without being clearly expressed!


Objective criteria

There are several criteria for measuring a goal, but one of the most commonly used is the SMART model:

  • Specific: the objective must be clearly defined and describe precisely what we’re trying to achieve.
  • Measurable: the objective must be quantifiable so that progress can be tracked.
  • Achievable: the objective must be achievable with the resources available.
  • Relevant: the objective must be linked to the company’s overall objectives.
  • Temporal: the objective must have a deadline so that progress can be assessed.

There are also other criteria that can be used to measure objectives, such as quality or performance criteria.

The quality criterion verifies that the objective has been achieved to the required standard, while the performance criterion quantifies the results obtained in relation to the objectives set.

Performance indicators (KPIs)

To measure objectives effectively, you need to define key performance indicators (KPIs) that let you track progress towards each objective.

The results can be used to identify areas for improvement, and to take appropriate action to achieve the organization’s objectives.

Organizations already have indicators, some of which are well known and others less so. That’s why I suggest taking a tour of information systems, ticketing systems, etc., to find out what can be measured quickly.

Here are some examples of key performance indicators (KPIs) that can be used to measure information security objectives:

  1. Number of security incidents: the number of security incidents that occur during a given period.
  2. Incident recovery time: the time required to recover systems and data following a security incident.
  3. Percentage of vulnerabilities patched: the percentage of security vulnerabilities that have been patched in systems.
  4. Percentage of employees aware of security best practices: the proportion of employees who have received security training.
  5. Regulatory compliance rate: the percentage of information security regulatory requirements met, reduced by the non-compliances discovered during audits.
  6. Number of intrusion attempts detected: the number of intrusion attempts detected by security monitoring systems.
  7. Mean time to fix a vulnerability: the time it takes to fix a security vulnerability once it has been detected.
  8. Encryption rate for sensitive data: the percentage of sensitive data that is encrypted to protect it.
  9. Anomaly detection rate: the percentage of security anomalies detected by monitoring systems.
  10. Password rotation rate: the frequency with which user passwords are changed to reinforce security.

Once we can measure certain things, then let’s define what we want to improve by turning our measurements into objectives.

Example of objective

Here are ten examples of information security objectives:

  1. Reduce the number of user-related security incidents by 50% by the end of the year by implementing a continuous security training program for employees.
  2. Improve recovery time after a security incident by 75% by the end of the year by implementing an effective disaster recovery plan.
  3. Implement a data security policy that meets regulatory requirements by next quarter.
  4. Correct 95% of security vulnerabilities identified in systems by the end of the year using vulnerability management tools.
  5. Make 95% of employees aware of security best practices by the end of the year by organizing security training sessions.
  6. Use data encryption solutions to protect sensitive corporate data by next quarter.
  7. Implement a security monitoring system to detect security incidents by next quarter.
  8. Develop an effective security incident management plan by the end of the year to quickly deal with security incidents.
  9. Use access management tools to control access authorizations to sensitive data by next quarter.
  10. Implement regular system monitoring to detect security anomalies by the end of the year.
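As an added illustration that is not part of the original article, the script below computes three of the KPIs listed earlier (percentage of vulnerabilities patched, mean time to fix, and the drop in user-related incidents) from constructed records, then checks them against objectives 1 and 4 above plus a mean-time-to-fix target. The record layout, the 30-day target, the dates and the "today" value are all assumptions made for the example.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not real findings); fixed_on is None while a finding is still open.
VULNS = [
    {"id": "V-1", "found_on": date(2023, 1, 10), "fixed_on": date(2023, 1, 25)},
    {"id": "V-2", "found_on": date(2023, 2, 3), "fixed_on": date(2023, 2, 6)},
    {"id": "V-3", "found_on": date(2023, 3, 14), "fixed_on": None},
    {"id": "V-4", "found_on": date(2023, 4, 1), "fixed_on": date(2023, 5, 1)},
]
# Constructed incident log as (date, user_related) pairs.
INCIDENTS = [
    (date(2022, 2, 1), True), (date(2022, 5, 9), True), (date(2022, 8, 3), True),
    (date(2022, 11, 20), True), (date(2022, 6, 15), False),
    (date(2023, 1, 12), True), (date(2023, 4, 2), True), (date(2023, 6, 30), False),
]

def patched_percentage(vulns):
    """KPI 3: share of identified vulnerabilities that have been fixed."""
    return 100.0 * sum(v["fixed_on"] is not None for v in vulns) / len(vulns)

def mean_days_to_fix(vulns):
    """KPI 7: mean days from detection to fix, over fixed findings only."""
    return mean((v["fixed_on"] - v["found_on"]).days for v in vulns if v["fixed_on"])

def user_incident_reduction(incidents, baseline_year, current_year):
    """Objective 1: percentage drop in user-related incidents versus a baseline year."""
    base = sum(1 for d, u in incidents if u and d.year == baseline_year)
    now = sum(1 for d, u in incidents if u and d.year == current_year)
    return 100.0 * (base - now) / base if base else 0.0

def objective_status(value, target, deadline, today, higher_is_better=True):
    """SMART check: a Measurable value against an Achievable target by a Temporal deadline."""
    met = value >= target if higher_is_better else value <= target
    return "met" if met else ("missed" if today > deadline else "in progress")

def evaluate(today, vulns=VULNS, incidents=INCIDENTS):
    """Turn the KPIs into this year's objectives and report each one's status."""
    year_end = date(today.year, 12, 31)
    return {
        "fix 95% of identified vulnerabilities":
            objective_status(patched_percentage(vulns), 95.0, year_end, today),
        "mean time to fix under 30 days":
            objective_status(mean_days_to_fix(vulns), 30.0, year_end, today, False),
        "halve user-related incidents vs last year":
            objective_status(user_incident_reduction(incidents, today.year - 1, today.year),
                             50.0, year_end, today),
    }
```

Feeding real ticketing or vulnerability-scanner exports into the same functions gives the numbers a goal tracking table needs without changing the checks.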

Once you’ve defined your objectives, it’s important to put in place the means to achieve them. This may include setting up security policies and procedures, training employees in security best practices, using security software, etc. It’s also important to regularly monitor your systems to detect any security incidents and deal with them promptly.

You can only improve what you measure!

Example of a goal tracking table.

Success criteria

To determine whether we have met clause 6.2 of ISO 27001, here are some questions an auditor might ask:

  • Show your objectives for this year.
  • How do you measure whether a goal has been achieved?
  • When and how were these objectives communicated to stakeholders?
  • Present your documentation that tells me what will be done, by whom and when.
  • Have you determined your success criteria and the technique for evaluating your results?


Patrick Boucher
President and founder
25+ years of experience in security, ethical hacking, business continuity