1. Framework FAQs

What are good information security objectives?

Setting information security objectives that drive continuous improvement

Security and resilience objectives help ensure your organisation is continually improving, aligned with strategic goals, and effectively managing risk. Whether you are working toward ISO 27001 or aligning with the Cyber Assessment Framework (CAF), objectives should be measurable, achievable, and regularly reviewed as part of your management system.

Below, you’ll find guidance for setting Information Security Objectives (ISO 27001). A new section at the end provides equivalent guidance for CAF-aligned objectives.

Information Security Objectives (ISO 27001)

Your information security objectives should align with your organisation's overall goals, address current and emerging threats, and focus on continual improvement. It is good practice to set or refresh objectives each year; standards such as ISO 27001 expect objectives to be established, monitored, communicated and updated, and an annual cycle is the usual way to demonstrate this.

It is important to have a clear plan for how each objective will be achieved and who is responsible for each step. Where necessary, raise Actions for the tasks required to achieve the objective.

The objectives should be approved by senior management and then reviewed on a regular basis to monitor progress.

It's good practice to define separate Key Performance Indicators (KPIs) for each annual information security objective. A KPI per objective lets you measure progress and effectiveness individually, so you can see whether you are on track and which objectives need more attention or resources. Define how each KPI is measured (data source, start and end points, reporting period) when you set it, so that progress reports are comparable from one review to the next. Review this article on creating and tracking KPIs.

Example Information Security Objectives:

Enhance Data Protection

Objective: Encrypt sensitive data at rest and in transit using current, approved algorithms and protocols, with keys managed centrally.

Target: 100% of data classified as sensitive is encrypted at rest and in transit by year-end, verified by configuration checks rather than self-declaration.

Why: Protects confidentiality (and, with authenticated encryption, integrity) if storage media, backups or network traffic are exposed, reducing the impact of a breach.

Improve Incident Response Capabilities

Objective: Reduce incident detection and response time by 30%.

Target: Mean time to detect (MTTD) and mean time to respond (MTTR) reduced from X hours to Y hours by Q4, measured from the same start and end points (for example, first evidence of attacker activity to confirmed incident, and confirmed incident to containment) in both the baseline and the current period.

Why: Faster detection and response limit the time an attacker has to act, reducing the impact of security incidents.

Achieve Compliance with Industry Standards

Objective: Attain or maintain compliance with ISO 27001, SOC 2, GDPR, or other relevant standards.

Target: Pass all scheduled compliance audits with no major nonconformities or critical findings by the end of the year.

Why: Compliance ensures that the organisation meets legal and regulatory requirements, protecting against legal risks.

Strengthen Employee Awareness and Training

Objective: Increase employee participation in security training programs.

Target: 100% of employees complete mandatory security training and at least one additional advanced training session by Q3.

Why: Educated employees are less likely to fall victim to phishing or other social engineering attacks.

Enhance Vulnerability Management

Objective: Reduce the number of open high-risk vulnerabilities by 50%.

Target: Open high-risk vulnerabilities (defined in advance, for example by CVSS score combined with exposure and asset criticality) reduced from X to Y by year-end through regular vulnerability scanning and patch management, with the same definition and scanning scope used for the baseline and the final count.

Why: Addressing vulnerabilities reduces the attack surface, minimising the likelihood of a breach.

Increase Security of Remote Work Environments

Objective: Implement and enforce security policies for remote work, including the use of VPNs and multi-factor authentication (MFA).

Target: 100% adoption of MFA and secure VPN usage by all remote employees by mid-year.

Why: Secures remote access points and reduces potential vulnerabilities in a distributed workforce.

Implement Continuous Monitoring

Objective: Deploy continuous monitoring tools to track and respond to security threats in real-time.

Target: Real-time monitoring implemented across 100% of critical systems by Q3.

Why: Continuous monitoring allows for quicker detection and response to security incidents.

Reduce Third-Party Risk

Objective: Strengthen third-party risk management by auditing key vendors and partners.

Target: Conduct security audits on all critical third-party vendors and address any identified risks by year-end.

Why: Ensures that third-party partners do not become a weak link in your security chain.

Enhance Identity and Access Management

Objective: Implement role-based access control (RBAC) across all systems.

Target: 100% of systems using RBAC by Q2, with regular reviews to ensure appropriate access levels.

Why: Limits access to sensitive information to only those who need it, reducing the risk of insider threats.

Increase Automation in Security Processes

Objective: Automate routine security tasks, such as log analysis and patch management.

Target: Automate 50% of security operations processes by year-end.

Why: Automation reduces human error and allows the security team to focus on more strategic initiatives.


These objectives should be tailored to your organisation's specific needs, risk profile, and regulatory environment. Additionally, they should be measurable, achievable, and revisited regularly to ensure they remain relevant and aligned with your evolving security landscape.

CAF Objectives (Cyber Assessment Framework)

If your organisation is using the Cyber Assessment Framework (CAF), your objectives should align with the four CAF security objectives (A–D) and support the achievement of their underlying principles and Indicators of Good Practice (IGPs). CAF objectives focus on strengthening the security and resilience of the systems supporting your essential functions.

CAF objectives should help your organisation improve how it:

A — Manages Security Risk: e.g., governance, risk management, asset management, supply chain

B — Protects Against Cyber Attack: e.g., secure system design, data protection, network resilience

C — Detects Cyber Security Events: e.g., monitoring, logging, alerting

D — Minimises the Impact of Incidents: e.g., response planning, recovery, lessons learned

CAF objectives should be measurable, evidence-driven and owned by appropriate individuals, with progress monitored through KPIs and management reviews.

Examples of CAF-Aligned Objectives

Strengthen Governance and Oversight (CAF Objective A)

Objective: Establish effective board-level governance for the security and resilience of essential functions.
Target: Hold quarterly CAF governance reviews and assign a board-level accountable individual in line with CAF A1.
Why: Ensures clear accountability, strategic oversight, and alignment with CAF governance requirements.

Improve Risk Management for Essential Functions (CAF Objective A)

Objective: Enhance identification, assessment and management of risks affecting systems that support essential functions.
Target: Complete risk assessments for all in-scope systems by Q3 and review them at least annually.
Why: Strengthens organisational understanding of threats and vulnerabilities, supporting compliance with CAF A2.

Enhance Monitoring and Detection Capabilities (CAF Objective C)

Objective: Reduce the time taken to detect cyber security events across systems supporting essential functions.
Target: Implement continuous monitoring across 100% of critical systems and reduce mean time to detect (MTTD) by 40% by year-end, against a baseline measured before the monitoring rollout.
Why: Faster detection limits potential impact and supports CAF C1 and C2 outcomes.

Increase Organisational Resilience and Recovery Readiness (CAF Objective D)

Objective: Improve incident response and recovery capabilities for systems supporting essential functions.
Target: Conduct at least two incident response exercises per year and complete lessons-learned reviews within 30 days.
Why: Enhances preparedness, limits the impact of incidents, and supports CAF D1 and D2 requirements.

Strengthen System and Data Protection Measures (CAF Objective B)

Objective: Improve protective security controls for critical systems and data supporting essential functions.
Target: Apply secure configuration standards across all critical systems and remediate 100% of high-risk vulnerabilities within SLA by Q4.
Why: Reduces the likelihood and impact of cyber attacks and supports CAF B4 and B5.
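Both the ISO 27001 incident response objective above and the CAF Objective C example set their target as a percentage reduction in MTTD or MTTR. The following Python script, added here as an illustration and not part of the original page, shows how such a KPI can be computed from incident records and checked against the target: it rejects incidents whose timeline is out of order, computes mean time to detect, respond and contain over a baseline period and a current period, and reports whether the reduction target was met. The incident references and timestamps are constructed for the example, and `make_incident`, `kpi_summary` and `assess_objective` are names chosen here.

```python
"""Added example: computing detection/response KPIs against a reduction target.

The incident records below are constructed for illustration; the references
and timestamps are not from the page.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    ref: str
    occurred: datetime   # earliest evidence of attacker activity
    detected: datetime   # time the event was confirmed as an incident
    contained: datetime  # time the impact was stopped

    def __post_init__(self) -> None:
        # A record with an impossible timeline would silently lower the
        # averages if allowed through, so reject it at load time.
        if not (self.occurred <= self.detected <= self.contained):
            raise ValueError(
                f"{self.ref}: expected occurred <= detected <= contained"
            )

    @property
    def time_to_detect(self) -> timedelta:
        return self.detected - self.occurred

    @property
    def time_to_respond(self) -> timedelta:
        return self.contained - self.detected

    @property
    def time_to_contain(self) -> timedelta:
        return self.contained - self.occurred


def make_incident(ref: str, occurred: str, detected: str, contained: str) -> Incident:
    """Build an Incident from ISO 8601 timestamps (hypothetical helper)."""
    return Incident(
        ref,
        datetime.fromisoformat(occurred),
        datetime.fromisoformat(detected),
        datetime.fromisoformat(contained),
    )


def _mean_hours(deltas: list[timedelta]) -> float:
    if not deltas:
        raise ValueError("cannot compute a KPI over zero incidents")
    return mean([d.total_seconds() for d in deltas]) / 3600


def kpi_summary(incidents: list[Incident]) -> dict:
    """Mean time to detect, respond and contain, in hours, plus the sample size."""
    return {
        "count": len(incidents),
        "mttd_hours": _mean_hours([i.time_to_detect for i in incidents]),
        "mttr_hours": _mean_hours([i.time_to_respond for i in incidents]),
        "mttc_hours": _mean_hours([i.time_to_contain for i in incidents]),
    }


def assess_objective(baseline: list[Incident], current: list[Incident],
                     metric: str, target_reduction_pct: float) -> dict:
    """Compare one metric between two periods and decide whether the target was met."""
    before = kpi_summary(baseline)[metric]
    after = kpi_summary(current)[metric]
    if before == 0:
        raise ValueError(f"baseline {metric} is zero; no reduction can be measured")
    reduction = round((before - after) / before * 100, 1)
    return {
        "metric": metric,
        "baseline": before,
        "current": after,
        "reduction_pct": reduction,
        "target_pct": target_reduction_pct,
        "met": reduction >= target_reduction_pct,
    }


# Constructed sample data: previous year (baseline) and current year.
BASELINE_INCIDENTS = [
    make_incident("INC-2023-001", "2023-03-01T02:00", "2023-03-02T14:00", "2023-03-03T02:00"),
    make_incident("INC-2023-002", "2023-06-10T09:00", "2023-06-11T09:00", "2023-06-11T17:00"),
    make_incident("INC-2023-003", "2023-09-05T22:00", "2023-09-07T10:00", "2023-09-07T14:00"),
]
CURRENT_INCIDENTS = [
    make_incident("INC-2024-001", "2024-02-12T08:00", "2024-02-13T08:00", "2024-02-13T14:00"),
    make_incident("INC-2024-002", "2024-05-20T11:00", "2024-05-21T05:00", "2024-05-21T08:00"),
    make_incident("INC-2024-003", "2024-08-03T00:00", "2024-08-03T18:00", "2024-08-03T21:00"),
]


def main() -> None:
    # ISO 27001 example target (30% on detection and response) and the
    # CAF Objective C example target (40% on MTTD).
    checks = [("mttd_hours", 30), ("mttr_hours", 30), ("mttc_hours", 30), ("mttd_hours", 40)]
    for metric, target in checks:
        r = assess_objective(BASELINE_INCIDENTS, CURRENT_INCIDENTS, metric, target)
        status = "MET" if r["met"] else "NOT MET"
        print(f"{metric}: {r['baseline']:.1f}h -> {r['current']:.1f}h "
              f"({r['reduction_pct']}% reduction, target {target}%): {status}")


if __name__ == "__main__":
    main()
```

Run it as a script to print the comparison. Two points make the resulting number defensible in an audit or CAF assessment: the start and stop points of each metric are fixed in the KPI definition and applied identically to the baseline and the current period, and, because a handful of incidents is a small sample, the incident count is reported alongside the averages so that a single outlier is visible rather than hidden in the mean.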


Each CAF objective should have defined targets, clear ownership, and supporting evidence that demonstrates continual improvement and alignment with CAF principles.

Just as with ISO 27001, it is good practice to define Key Performance Indicators (KPIs) that measure progress against your CAF objectives. KPIs help you demonstrate the effectiveness of your security and resilience activities and provide clear evidence during a CAF assessment. Review this article on creating and tracking KPIs.