Security objectives describe what your company wants to achieve with security and enable you to measure how strong your security is. Setting and measuring security expectations is the core of security management, and it is crucial when presenting security results to the top management because it provides a feeling of what is and is not acceptable.
Security objectives are documented in the Security Objectives module.
Adding Security Objectives
Follow these steps to add top-level or operational objectives and generate the List of Security Objectives document:
1. In the Conformio menu, click Registers and Modules.
2. Click the Go To Module button in the Security Objectives module.
3. On the Security Objectives screen, choose from the predefined top-level objectives or add a new objective:
- Conformio automatically suggests 8 top-level objectives (see Objectives), and you can add additional top-level or operational objectives (see Type).
- Set your own targets and deadlines (see Measurements), and assign responsibilities to individual members of your team (see Responsible Person).
- You can check the status of the security objective under the Status column.
- You can also see the documents available for download in the Security Objectives register. Hovering over a document with your cursor displays a pop-up with information about when it becomes available.
Adding Predefined Security Objectives
To edit a predefined top-level objective, click on the arrow of the objective to expand it.
Then fill in the required information:
- Objective status (Accepted or Draft);
- Target;
- Responsible for achieving the objective – The person who has the most authority and knowledge to achieve this objective;
- How often to measure;
- First due date for measurement;
- Responsible for measurement – The person who records the measurement in Conformio and has access to the underlying data;
- Responsible for analyzing and evaluating the results – A decision maker who can interpret the results and make appropriate decisions.
Click the Update button to save the edited security objective.
People responsible for specific objectives are automatically assigned tasks to measure progress at set intervals (for example, every quarter). During the management review, the Objectives Fulfillment Report document is automatically generated to help decide if corrective actions are needed.
Adding New Security Objectives
To add a new objective, click the Add new objective button.
Then fill in the required information:
- Objective name;
- Objective type – Choose between a top-level or an operational objective;
- Target type – Choose a percentage or index based on the type of measurements you expect;
- Target (numerical value);
- Responsible for achieving the objective – The person who has the most authority and knowledge to achieve this objective;
- How often to measure;
- First due date for measurement;
- Responsible for measurement – The person who records the measurement in Conformio and has access to the underlying data;
- Responsible for analyzing and evaluating the results – A decision maker who can interpret the results and make appropriate decisions.
To leave the Add New Objective box, click outside it or click Cancel.
When all of the required data has been entered, click the Submit button to save the custom objective.
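The objective record and its measurement cycle, as an added Python example that is not Conformio's own code: it models the fields listed above, generates the periodic measurement tasks described under Adding Predefined Security Objectives, and evaluates recorded measurements against the target the way an Objectives Fulfillment Report would. The class and function names, the higher-is-better comparison against the target, and the sample objective are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
import calendar


@dataclass
class SecurityObjective:
    name: str
    objective_type: str            # "top-level" or "operational"
    target_type: str               # "percentage" or "index"
    target: float                  # numerical target; assumed higher-is-better
    responsible_for_measurement: str
    measure_every_months: int      # "How often to measure"
    first_due: date                # "First due date for measurement"
    status: str = "Draft"          # "Draft" or "Accepted"
    measurements: dict = field(default_factory=dict)  # due date -> recorded value

def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping to the month's last day."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def measurement_due_dates(obj: SecurityObjective, until: date) -> list:
    """Dates on which the responsible person is assigned a measurement task."""
    dates, k = [], 0
    # Each due date is computed from first_due so that month-end clamping does not drift.
    while (due := add_months(obj.first_due, k * obj.measure_every_months)) <= until:
        dates.append(due)
        k += 1
    return dates

def fulfillment_report(obj: SecurityObjective, review_date: date) -> dict:
    """Per due date: 'met', 'missed' or 'not recorded', plus a corrective-action flag."""
    if obj.status != "Accepted":
        raise ValueError(f"objective {obj.name!r} has not been accepted")
    results = {}
    for due in measurement_due_dates(obj, review_date):
        value = obj.measurements.get(due)
        results[due] = ("not recorded" if value is None
                        else "met" if value >= obj.target else "missed")
    return {"objective": obj.name, "results": results,
            "corrective_action_needed": any(r != "met" for r in results.values())}

def example_objective() -> SecurityObjective:
    """Constructed sample: quarterly backup-restore tests, two measurements recorded."""
    return SecurityObjective(
        name="Successful backup restore tests", objective_type="operational",
        target_type="percentage", target=95.0, responsible_for_measurement="IT lead",
        measure_every_months=3, first_due=date(2024, 1, 31), status="Accepted",
        measurements={date(2024, 1, 31): 92.0, date(2024, 4, 30): 97.5})
```

Calling `fulfillment_report(example_objective(), date(2024, 9, 1))` flags the January measurement as missed and the July one as not recorded, so the management review would consider corrective action.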
Accepting Security Objectives
Once all security objectives are added, they need to be accepted and confirmed to generate the new documents.
Only people with the following Conformio Roles can accept security objectives:
- The Project Manager;
- The Owner of the Security Objectives module;
- The Admin of the account.
To accept objectives, click the arrow button for each objective you want to accept.
Then change the objective status to “Accepted” and click the Update button.
The objective's status indicator turns green, which designates an accepted objective.
If you do not have permission to accept objectives, you cannot edit anything on the Security Objectives screen, but you can still view the details of each objective by clicking its arrow button.
Confirming Security Objectives
Once all objectives are accepted, you need to confirm them to generate the List of Security Objectives document.
To confirm security objectives, do the following:
- Click Confirm objectives;
- Click the Confirm button.
After confirming security objectives, the List of Security Objectives document is generated, and everyone you assigned to be notified receives a link to the document.
You can also directly access the document from the Security Objectives module by clicking on the document link under the title of the register.
Making Changes in Security Objectives
You can make changes, such as adding a new objective or changing an objective's target, whenever needed.
Whenever you change your security objectives, click the Confirm Objectives button to generate an up-to-date version of the List of Security Objectives document.
You can access all of the document’s previous versions in the “Document Explorer” module.
Accessing List of Security Objectives Document
You can access the List of Security Objectives in two ways in Conformio:
- In the Security Objectives module, by clicking the document at the top of the module;
- Through the Document Explorer module, inside the List Reports Statements and Plans folder.
Frequently Asked Questions:
1. How do you plan to achieve security objectives?
Usually, companies define their plan for achieving the security objectives through the Risk Treatment Plan. This document describes what kinds of security activities need to be implemented, and these activities will lead toward the fulfillment of information security objectives.
2. Is a document about security objectives mandatory, and what should it include?
ISO 27001 requires security objectives to be documented. This document would typically include:
- A list of security objectives that also includes their targets.
- If required, an explanation of why particular objectives were set.
- A date when the document was approved or from when the security objectives are valid.
3. What kind of security objectives should we use?
ISO 27001 does not specify which objectives to use, but generally, there are two categories of security objectives:
- Top-level objectives – for the overall Information Security Management System (ISMS); and
- Operational objectives – relevant to only one part of the ISMS.
There are a few types of operational objectives:
- For an area of a company
- For groups of controls
- For individual controls
Typically, smaller companies will set top-level objectives and some operational objectives. It is not required to have all three types of operational objectives – a company might select only objectives for an area of the company or only for groups of controls.
Setting security objectives for particular controls is not common for smaller companies; however, smaller companies might set an objective for a particular control if this control is of great importance to the company.