ISO 27001: How to set and document your information security objectives

As part of your ISO 27001 certification project, your organisation needs to prove its compliance with appropriate documentation. Having created an information security policy, risk assessment procedure and risk treatment plan, you will be ready to set and document your information security objectives.

Make your objectives measurable

Clause 6.2 of ISO 27001 outlines the requirements organisations need to meet when creating information security objectives. One of these requirements is to make your objectives measurable wherever possible.

Measurable objectives mean you avoid a situation where it is up to individuals to decide whether targets are being met. Individual judgement will lead to inaccurate reporting and possibly even bias – either from those who want greater investment in information security or those who claim that the existing measures are effective.

But what exactly should you be measuring, and how do you measure it? recommends that organisations keep the three key principles of ISO 27001 in mind: confidentiality, integrity and availability.

It writes: “[A] key measure of success for us is the availability of our systems for customers to use. So we have an uptime objective of 99.5% (or SLA with customers) as one of the measures we track each month using our uptime monitoring systems.”

Other monthly objectives that it lists include having no failures in backups and no need to perform corrective actions.

The objectives you choose will vary depending on your industry and the maturity of your information security management system. They will probably also develop over time, which is why it’s important to keep track. If you are consistently meeting an objective, you should update it accordingly or focus on other areas.

Get help documenting your objectives

Creating measurable objectives is only one requirement of Clause 6.2 of the Standard. There are ten requirements in total, most of which focus on the organisation’s ability to communicate the objectives to staff and plan and implement changes as problems arise.

You can get help meeting each of these requirements with our ISO 27001 ISMS Documentation Toolkit.

This toolkit includes an annotated template that shows you exactly how to document your compliance with the Standard, thus speeding up what would otherwise be a time-consuming activity.

Our annotated template takes the hassle out of documenting your information security objectives.


Our toolkit also provides advice on the other documentation you need to complete to comply with ISO 27001. It includes:

  • A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant;
  • Helpful gap analysis and project tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.
