Defining and documenting security objectives

Critical
High
Normal
Low

Organization's top management sets security objectives. Security objectives meet the following requirements:

  • they shall take into account applicable data security and data protection requirements and the results of risk assessment and treatment
  • they are clearly communicated to key security and data protection personnel, staff and other relevant stakeholders
  • they are updated as necessary (e.g. when the risk landscape changes or periodically when the objectives are met)
  • they are documented and (if possible) measurable

In connection with the documentation of security objectives, the necessary top-level improvements and tasks, needed resources, responsible persons, due dates and methods for evaluating the results in order to achieve the objectives are also defined.

Connected other frameworks and requirements:
5.1.1: Policies for information security
ISO 27001
ID.BE-3: Organizational mission, objectives and activities
NIST CSF
ID.GV-1: Cybersecurity policy
NIST CSF
5.1: Leadership and commitment
ISO 27001
6.2: Information security objectives
ISO 27001

Security roles, responsibilities, and objectives derived from the organization's goals

Critical
High
Normal
Low

The organization has set priorities for its operations and goals. Based on these priorities, you need to be able to define security roles, responsibilities, and goals.

Connected other frameworks and requirements:
ID.BE-3: Organizational mission, objectives and activities
NIST CSF
No items found.