M2.3.5 - INFORMATION SECURITY OBJECTIVES Implementation Guidance
The entity shall establish information security objectives at relevant functions and levels.
Based on the business objectives for information security and the results of the information security risk assessment and risk treatment process, information security objectives should be identified. The entity can consider high level objectives, such as:
- A. Maintaining the confidentiality of sensitive entity information
- B. Successful management of the information security risks
- C. Efficient management of information security in the entity
- D. Compliance with sector or national requirements
These high level information security objectives are often derived directly from the business objectives, and lower level objectives can be identified to support their fulfilment. The lower level information security objectives can be derived from the results of the information security risk assessment and risk treatment process, and can also be identified by considering the following questions:
- A. What third party relationships and agreements exist, and what are the associated information security requirements?
- B. Are there any services that have been outsourced?
- C. What kind of protection is needed, and against what threats?
- D. What are the distinct categories of information that require protection?
- E. What are the distinct types of information activities that need to be protected?
- F. What are the minimum market requirements for information security?
- G. What additional information security controls could provide a competitive advantage for the entity?
- H. What are the critical business processes, and how long can the entity tolerate interruptions to each critical business process?
When planning how to achieve the information security objectives, it can be helpful to develop an equivalent of the risk treatment plan, i.e. a plan that details the actions, resources, responsibilities, time frames and methods for evaluating whether each objective has been achieved.
When planning how to achieve its information security objectives, the entity shall determine:
- A. What will be done
- B. What resources will be required
- C. Who will be responsible
- D. When it will be completed
- E. How the results will be evaluated