What are security objectives from the perspective of ISO 27001?
Anyone who introduces an information security management system (ISMS) in a company not only has to identify risks and endangered assets, but also has to set security objectives and give them measurable characteristics. The ISO 27001 standard defines the following three elementary information security objectives:
- Confidentiality
- Integrity
- Availability
Have we clearly defined our security objectives, documented them in an understandable way, formulated them measurably and communicated them to the workforce in an understandable way? Security objectives are only met if they guide the behavior of every person in everyday operations. The ISO 27001 standard expects us to set clear objectives in the ISMS and to reflect them in a measurable way.
For better understanding, these three objectives can be defined as follows:
Security objective - Confidentiality
Our goal is to protect the confidentiality of the data of our customers, partners, suppliers, employees and company. We make this goal measurable using a key figure: “If an incident occurs at most once per year, we have achieved our goal.”
Security objective - Integrity
We want to ensure that the integrity of the stored data is guaranteed. We can make it measurable with a key figure: “If no customer complains about the data stored in our data center, we have met our goal of data integrity.”
Security objective - Availability
We want to ensure 99.9% availability of our systems so that our customers can access their systems and data at any time. We can set the following key figure: “If we document a system failure in our ticket system at most 1 in 1000 systems and manage to restore availability within 2 hours, we have achieved our goal.”
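As an added illustration (not part of the original text), the availability key figure above can be evaluated mechanically from the failure tickets recorded in the ticket system. The script below assumes a constructed estate of 2000 systems, a one-year measurement period and a handful of constructed tickets; it checks all three parts of the key figure: the share of failed systems, restoration within two hours, and the resulting availability against the 99.9% target.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FailureTicket:
    """One documented system failure from the ticket system (constructed sample format)."""
    system_id: str
    failed_at: datetime
    restored_at: datetime

    def outage(self) -> timedelta:
        return self.restored_at - self.failed_at


TOTAL_SYSTEMS = 2000          # assumed size of the estate (constructed)
TARGET_AVAILABILITY = 0.999   # 99.9 % target from the objective
MAX_FAILED_PER_1000 = 1       # "at most 1 in 1000 systems"
MAX_RESTORE = timedelta(hours=2)  # "restore availability within 2 hours"

# Constructed sample tickets, not real incident data.
SAMPLE_TICKETS = [
    FailureTicket("srv-017", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 10, 30)),
    FailureTicket("srv-231", datetime(2024, 7, 19, 22, 15), datetime(2024, 7, 20, 0, 5)),
]


def measured_availability(tickets, total_systems, period):
    """Share of system-time in the period that was not spent in a documented outage."""
    total_system_time = total_systems * period
    downtime = sum((t.outage() for t in tickets), timedelta())
    return 1 - downtime / total_system_time


def evaluate_availability_objective(tickets, total_systems, period=timedelta(days=365)):
    """Apply the key figure: failure share, restoration time and availability target."""
    failed_systems = {t.system_id for t in tickets}
    failure_rate_ok = len(failed_systems) * 1000 <= MAX_FAILED_PER_1000 * total_systems
    restored_in_time = all(t.outage() <= MAX_RESTORE for t in tickets)
    availability = measured_availability(tickets, total_systems, period)
    return {
        "failed_systems": len(failed_systems),
        "failure_rate_ok": failure_rate_ok,
        "restored_in_time": restored_in_time,
        "availability": availability,
        "availability_ok": availability >= TARGET_AVAILABILITY,
        "objective_met": failure_rate_ok and restored_in_time and availability >= TARGET_AVAILABILITY,
    }


if __name__ == "__main__":
    print(evaluate_availability_objective(SAMPLE_TICKETS, TOTAL_SYSTEMS))
```

Note that the figure only sees failures that were actually documented as tickets, so the measurement is only as good as the incident-recording discipline behind it.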