Sufficient specifying of objectives

Organization's top management sets security objectives. Security objectives meet the following requirements:

• they shall take into account applicable data security and data protection requirements and the results of risk assessment and treatment
• they are clearly communicated to key security and data protection personnel, staff and other relevant stakeholders
• they are updated as necessary (e.g. when the risk landscape changes or periodically when the objectives are met)
• they are documented and (if possible) measurable

In connection with the documentation of security objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.

Compliance with required laws, regulations, standards, and contractual obligations can be as challenging as dealing with an ever-changing threat environment and new forms of cyber-attacks.

The organization shall document the information security requirements and the organisation's operating model for meeting them.

It is important to note that a large part of the requirements (e.g. laws, standards) are evolving entities. It is recommended to define a review interval for the documentation to describe the frequency at which changes in the requirements should at least be checked.

The organization must define the frameworks that are used as the basis of the management system. Requirements frameworks should address:

Internal reporting goals:

• Reports that support decision-making for management
• Reporting accuracy and details not related to financial reports

Requirement fulfillment goals:

• Fulfillment of laws and regulations
• Setting sub-goals so that the security, availability, processing integrity, confidentiality and privacy criteria support adequate reporting, the organization's operation and compliance with the requirements

Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.

The management review shall address and comment on at least the following:

• Status of improvements (or other actions) initiated as a result of previous management reviews
• Future changes relevant to the security management system
• Performance of the ISMS (problem areas, metering, audit results and fulfillment of management security objectives)
• Stakeholder feedback on data security
• Operation of the risk assessment and treatment process

Documented information on the execution and results of reviews must be maintained.

When setting the organization's information security objectives, external objectives must be taken into account. This means, for example:

• Externally set requirement frameworks, such as laws and regulations or requirements set by other external stakeholders
• The reporting takes into account a sufficient amount of detail in the reports to demonstrate the fulfillment of the external requirements