ISO 27001 does not specify which objectives to use, but generally, there are two categories of security objectives:
- Top-level objectives – for the overall Information Security Management System (ISMS), and
- Operational objectives – that are relevant for only one part of ISMS.

There are a few types of operational objectives:
- For an area of a company (e.g., Finance, HR, R&D, etc.)
- For groups of controls (e.g., incident management controls, software development controls, supplier management controls, etc.)
- For individual controls (A.5.15 Access control, 7.2 Physical entry, 8.1 User end point devices, etc.)

Typically, smaller companies will set top-level objectives and some operational objectives. It is not required to have all three types of operational objectives – a company might select only objectives for an area of the company, or only for groups of controls.

Setting security objectives for particular controls is not common for smaller companies; however, smaller companies might set an objective for a particular control if this control is of great importance to the company.

Examples:
Here are examples of different types of security objectives:
- Top-level security objective: Decrease the number of security incidents in the next year by 20%.
- An objective for an area of the company (for the engineering department that manages production servers): The average monthly availability of the production servers in the next 24 months should be, at a minimum, 99.98%.
- An objective for a group of controls (for A.7 Physical controls): Bring the number of unauthorized entries to secure areas down to zero during the next year.
- An objective related to a particular control (for A.8.33 Test information): Eliminate the usage of personal data from software testing by the end of 2024 at the latest.