Chat with Experta

Please help me sample examples of information security goals that can be easily measured. Thank you so much!
ISO 27001 does not specify which objectives to use, but generally, there are two categories of security objectives:
- Top-level objectives – for the overall Information Security Management System (ISMS), and
- Operational objectives – that are relevant for only one part of ISMS.

There are a few types of operational objectives:
- For an area of a company (e.g., Finance, HR, R&D, etc.)
- For groups of controls (e.g., incident management controls, software development controls, supplier management controls, etc.)
- For individual controls (A.5.15 Access control, 7.2 Physical entry, 8.1 User end point devices, etc.)

Typically, smaller companies will set top-level objectives and some operational objectives. It is not required to have all three types of operational objectives – a company might select only objectives for an area of the company, or only for groups of controls.

Setting security objectives for particular controls is not common for smaller companies; however, smaller companies might set an objective for a particular control if this control is of great importance to the company.

Here are examples of different types of security objectives:
- Top-level security objective: Decrease the number of security incidents in the next year by 20%.
- An objective for an area of the company (for the engineering department that manages production servers): The average monthly availability of the production servers in the next 24 months should be, at a minimum, 99.98%.
- An objective for a group of controls (for A.7 Physical controls): Bring the number of unauthorized entries to secure areas down to zero during the next year.
- An objective related to a particular control (for A.8.33 Test information): Eliminate the usage of personal data from software testing by the end of 2024 at the latest.