Information security objectives and planning to achieve them
Plain English Translation
Clause 6.2 requires the organization to move beyond high-level intentions and set specific, measurable goals for information security. These objectives must be consistent with the Information Security Policy and relevant risk assessment results. The organization must not only define 'what' the goals are (e.g., reduce incidents by 10%, achieve 100% staff training) but also create a concrete plan detailing resources, responsibilities, and deadlines to achieve them.
Technical Implementation
Required Actions (startup)
- Define 3-5 high-level objectives (e.g., 'Pass ISO 27001 audit', 'Implement MFA for all users')
- Track progress in a simple shared document or spreadsheet
- Review status quarterly with the CTO
Required Actions (scaleup)
- Establish departmental security objectives (e.g., Engineering: 'Fix critical vulns within 48h')
- Link objectives to individual performance goals where appropriate
- Report on metrics monthly to the security steering committee
Required Actions (enterprise)
- Integrate automated metric tracking into GRC dashboards
- Utilize balanced scorecards for security performance measurement
- Align security objectives directly with corporate risk appetite statements
Clause 6.2 mandates that organizations establish specific, measurable goals to track the performance and effectiveness of their Information Security Management System (ISMS).
Use the SMART framework: Specific, Measurable, Achievable, Relevant, and Time-bound. For example, 'Reduce the average time to patch critical vulnerabilities to 48 hours by Q4.'
Examples include: 'Achieve 100% completion of security awareness training', 'Maintain 99.9% system availability', 'Reduce critical vulnerabilities by 20%', or 'Obtain ISO 27001 certification by year-end'.
Review the high-level commitments in your Information Security Policy (Clause 5.2) and ensure every objective supports those commitments (e.g., if policy says 'comply with laws', an objective could be 'zero regulatory fines').
Measurable means you can track it with data. SMART is a broader framework ensuring the objective is also specific, achievable, relevant to the business, and has a deadline.
For each objective, determine: what will be done (actions), what resources are needed (budget/tools), who is responsible (owner), when it will be completed (deadline), and how results will be evaluated. In practice, it helps to keep these plans auditable by linking actions to owners, metrics, and evidence; for example, WatchDog Security's Compliance Center can associate objectives with control activities and the artifacts you'll show during audits.
The three core objectives are Confidentiality, Integrity, and Availability (the CIA triad). ISO 27001 requires you to set specific performance goals to support these core concepts.
Progress is measured by collecting data (metrics) related to the objective—such as logs, ticket closure rates, or audit scores—and comparing them against the target value defined in your plan. Where metrics come from multiple systems, centralizing them with a clear audit trail reduces gaps; for example, WatchDog Security's Compliance Center can track objective status, related evidence, and management review notes over time.
Security objectives often fail when they live in a slide deck with no owner, cadence, or evidence trail, making it hard to prove monitoring and updates during an audit. A GRC platform helps by assigning owners, linking objectives to controls and evidence, and maintaining an auditable history of targets, status, and review notes. For example, WatchDog Security's Compliance Center can track objectives alongside related controls, evidence collection, and management review outcomes in one place.
Objectives like 'improve security culture' are hard to measure unless you define completion targets, role coverage, and behavior indicators (e.g., quiz results or repeat gaps). A structured training program helps by mapping course assignments to job functions and producing completion records for audits. For example, WatchDog Security's Security Awareness Training can assign role-based micro-courses and track completion and results against your defined Clause 6.2 objectives.
"The organization shall establish information security objectives at relevant functions and levels. The information security objectives shall be consistent with the information security policy; be measurable (if practicable); take into account applicable information security requirements, and results from risk assessment and risk treatment; be monitored; be communicated; be updated as appropriate."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2025-05-27 | WatchDog Security GRC Team | Initial publication |