Information Security Objectives and Planning to Achieve Them Part 1


Time
7 hours 52 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 4.1:
00:03
Information security objectives and planning to achieve them.
00:10
In this video, we will cover
00:13
understanding ISO 27001 Clause 6.2,
00:18
Understanding what makes up a good objective
00:21
as well as the required documentation.
00:28
ISO 27001 Clause 6.2 somewhat vaguely calls for the organization to establish information security objectives and plans to achieve them at relevant functions and levels.
00:41
ISO 27003 is a great guidance document on the standard, which gives a bit more detail as to what the clause stipulations actually want. Feel free to reference that during your implementation and maintenance processes.
01:00
So the information security objectives that your organization defines must be aligned to the stipulations in the ISO 27001 standard.
01:10
These stipulations are:
01:11
your objectives must be consistent with your information security policy.
01:17
They must be measurable.
01:19
They must be linked to your risk assessments and information security requirements.
01:23
They must be communicated to relevant parties
01:26
and they must be updated when required.
01:30
What these information security objectives essentially are
01:34
is objectives and actions for the various departments within your organization to work towards achieving,
01:41
and to monitor the progress of doing so.
01:44
These objectives must obviously support the enforcement of confidentiality, integrity and the availability of information within your organization,
01:53
especially the information that falls directly within the scope of the ISMS.
01:59
Your business objectives serve as a base, and your information security objectives could be there to support those business objectives.
02:07
Your information security policy
02:09
would have strategic information security objectives,
02:14
such as ensuring systems are kept operational and available to those that need it with minimal downtime.
02:21
As one of the key components of an objective is measurability,
02:24
to make this actionable, it would be tailored to something more like
02:29
systems must be available for 95% of the time,
02:32
with any downtime being restored within a five hour window.
02:38
This can then be assigned to the relevant I T team and monitored on a monthly basis for compliance.
02:45
This objective helps to satisfy an availability requirement of the organization.
02:53
just to repeat that
02:55
a strategic information security objective
02:59
could be ensuring systems are kept operational and available to those that need it with minimal downtime.
03:07
because an information security objective
03:10
as per the standard must be measurable.
03:14
The supporting actionable objective to support the strategic objective
03:19
would be:
03:20
systems must be available for 95% of the time,
03:24
with any downtime being restored within a five hour window.
03:30
That's measurable.
03:36
So basically your information security objectives need to specify the following.
03:42
Firstly, what will be done?
03:44
Try and be as specific as possible here.
03:46
Make the objective an action that needs to be achieved.
03:52
You also need to specify the resources required.
03:57
Will the objective require funding,
03:59
additional personnel, time, software,
04:02
external experts? Whatever the case is, document it here so that
04:09
everyone involved can see what additional resources will be required.
04:15
We also need to note and define who is responsible.
04:20
We need to ensure that the action,
04:24
the objective, is actioned and looked after;
04:27
someone must be designated responsible.
04:30
This responsible person does not necessarily have to do the action
04:34
and achievement of the objective themselves;
04:36
they are more the ones that will be monitoring the objective and ensuring that it is actioned
04:43
and carried out by whatever team is associated with the responsible person.
04:50
Objectives can be actions that need to be completed
04:55
or implemented and then have ongoing maintenance or monitoring,
05:00
so specify whether or not it has a completion date, if it's something that needs to be implemented,
05:04
and then indicate if it is an ongoing objective when it's in its monitoring phase.
05:11
you will also need to evaluate the results of the objective.
05:15
Each objective requires a measurable key performance indicator,
05:19
and as such you will need to have regular monitoring and reporting on the progress of achieving this objective.
05:29
So what is the required documentation?
05:32
All of the standard stipulates is to retain documented information on the information security objectives,
05:39
so you can decide how you want to document things in this clause.
05:43
But bear in mind that it is important that the documents for monitoring progress and updates are not stagnant.
05:48
It should be evident
05:50
that there is active monitoring, regular meetings and updates to the plans when required to meet objectives.
05:58
The details that we covered on the previous slide should also be documented,
06:03
so basically you want a list of your information security objectives.
06:09
You want evident plans on how these objectives will be achieved, including the dates, responsible people,
06:15
resources involved and any metrics that will be used to monitor,
06:20
as well as the evidence of the metrics:
06:24
reports, meeting minutes, updates to project trackers and so on.
06:30
To summarize, in this lesson we covered what information security objectives are.
06:36
We looked at the information that you need to establish each objective,
06:42
and we also covered the mandatory documentation that is required by ISO 27001
06:47
for Clause 6.2.