The organization's top management sets security objectives. The security objectives meet the following requirements:
- they take into account applicable data security and data protection requirements and the results of risk assessment and treatment
- they are clearly communicated to key security and data protection personnel, staff and other relevant stakeholders
- they are updated as necessary (e.g. when the risk landscape changes or periodically when the objectives are met)
- they are documented and (if possible) measurable

When the security objectives are documented, the top-level improvements and tasks needed to achieve them are also defined, together with the needed resources, responsible persons, due dates and methods for evaluating the results.