Information Security Objectives and Planning to Achieve Them Part 2

00:01

listen four point in

00:03

information, security objectives and planning to achieve it.

00:10

In this video, we will cover

00:13

understanding the I. So 27,001 Close 6.2

00:18

Understanding what makes up a good objective

00:21

as well as the required documentation.

00:28

The I. So 27,000 and one close 6.2 somewhat vaguely calls for the organization to establish information security objectives and plans to achieve them. A drill, a vint functions and levels

00:41

I. So 27,000 and three is a great guidance document on the standard, which gives a bit more detail as to what the clause stipulations actually want to feel free to reference that during your implementation and maintenance processes.

01:00

So the information security objectives that your organization defines must be aligned to the stipulations in the eye. So 27,001 standard

01:10

these stipulations are

01:11

your objectives must be consistent with your information security policy.

01:17

They must be measurable.

01:19

There must be linked to your risk assessments and information security requirements.

01:23

They must be communicated to relevant parties

01:26

and there must be updated when required.

01:30

What these information security objectives, essentially all

01:34

its objectives and actions for the various departments within your organization to work towards achieving

01:41

and monitor the progress of doing so.

01:44

These objectives must obviously support the enforcement off confidentiality, integrity and the availability of information within your organization,

01:53

especially the information that falls directly within the scope of the ice mess.

01:59

Your business objectives, conservative base and your information security objectives could be there to support those business objectives.

02:07

Your information security policy

02:09

would have strategic information security objectives,

02:14

such as ensuring systems are kept operational and available to those that need it with minimal downtime.

02:21

As one of the key components for objective is measure ability

02:24

to make this actionable, it would be tailored to something more like

02:29

systems must be available for 95% of the time,

02:32

with any downtime being restored within a five hour window.

02:38

This can then be assigned to the relevant I T team and monitored on a monthly basis for compliance.

02:45

The subjective helps to satisfy and availability requirement off the organization

02:53

just to repeat that

02:55

a strategic information security objective

02:59

could be in sharing systems are kept operational and available to those that needed with minimal downtime

03:07

because an information security objective

03:10

as per the standard must be measurable.

03:14

They support an actionable objective to support the strategic objective.

03:19

Would be

03:20

systems must be available for 95% of the time,

03:24

with any downtime being restored within a five hour window.