To validate that, when setting its objectives, the organization has determined what needs to be done, when, and by whom, you need to review the planning and documentation processes, examine roles and responsibilities, and verify timelines and accountability measures. Here is a structured approach to confirming that these elements are in place and properly documented:
**Steps to Validate Objective Setting and Implementation Planning**
1. **Review ISMS Objectives Documentation**
– **Detailed Objectives:** Ensure that the ISMS objectives are clearly defined and detailed. Each objective should specify what needs to be achieved.
– **Action Plans:** Look for accompanying action plans that break down the objectives into specific tasks and activities.
2. **Examine Roles and Responsibilities**
– **Responsibility Assignments:** Verify that each task or activity associated with the objectives has a designated owner or responsible party. This can be documented in a Responsibility Assignment Matrix (RACI) or similar tool.
– **Job Descriptions:** Check that relevant job descriptions include responsibilities related to achieving ISMS objectives.
3. **Verify Timelines and Deadlines**
– **Project Plans:** Review project plans or timelines that outline when each task or activity needs to be completed.
– **Milestones:** Ensure that there are clear milestones and deadlines for key activities and that these are documented.
4. **Check for Monitoring and Reporting Mechanisms**
– **Progress Tracking:** Verify that there are mechanisms in place to track progress against the objectives. This could be in the form of status reports, dashboards, or regular meetings.
– **Performance Indicators:** Look for defined Key Performance Indicators (KPIs) or metrics that are used to measure progress and success.
5. **Conduct Interviews and Surveys**
– **Interviews:** Conduct interviews with key personnel, including objective owners and team members, to confirm their understanding of their roles, responsibilities, and deadlines.
– **Surveys:** Distribute surveys or questionnaires to assess awareness and understanding of ISMS objectives and related tasks among employees.
6. **Review Communication Evidence**
– **Internal Memos and Emails:** Check for internal communications that clearly outline what needs to be done, by whom, and by when.
– **Meeting Minutes:** Look for meeting minutes where objectives, responsibilities, and timelines were discussed and assigned.
7. **Audit and Review Findings**
– **Internal Audits:** Review internal audit reports that assess the objective-setting process and verify that roles, responsibilities, and timelines are clearly defined and documented.
– **Management Review Records:** Examine records from management reviews that discuss the status of ISMS objectives and related tasks.
**Examples of Evidence to Collect**
**ISMS Objectives Documentation**
· Detailed ISMS objectives with specific tasks and activities outlined.
· Accompanying action plans specifying what needs to be done.
**Roles and Responsibilities**
· Responsibility Assignment Matrix (RACI) or similar tool.
· Job descriptions with ISMS-related responsibilities.
**Timelines and Deadlines**
· Project plans or Gantt charts showing timelines and deadlines.
· Documentation of milestones and key deliverables.
**Monitoring and Reporting Mechanisms**
· Status reports or progress dashboards.
· Defined KPIs or performance metrics used to track progress.
**Interview and Survey Results**
· Interview notes or transcripts confirming understanding of roles, responsibilities, and deadlines.
· Survey results showing awareness and understanding among employees.
**Communication Evidence**
· Internal memos, emails, or newsletters communicating tasks, responsibilities, and timelines.
· Meeting minutes documenting discussions and assignments related to ISMS objectives.
**Audit and Review Findings**
· Internal audit reports evaluating the objective-setting process.
· Management review meeting minutes discussing the status of objectives and tasks.
**Example of Documentation Content**
**Action Plan for ISMS Objective**
**Objective:** Reduce Information Security Incidents by 20% in 12 months
**Tasks and Activities:**
1. **Conduct Security Awareness Training**
– **What Needs to Be Done:** Develop and deliver security awareness training sessions.
– **When:** Q1 2024
– **By Whom:** IT Security Team, led by the Security Awareness Coordinator
2. **Implement Advanced Threat Detection Tools**
– **What Needs to Be Done:** Select, procure, and deploy advanced threat detection tools.
– **When:** Q2 2024
– **By Whom:** IT Infrastructure Team, managed by the IT Operations Manager
3. **Perform Regular Security Audits**
– **What Needs to Be Done:** Schedule and conduct monthly security audits.
– **When:** Monthly, starting January 2024
– **By Whom:** Internal Audit Team, supervised by the Chief Information Security Officer (CISO)
**Milestones:**
– **Q1 2024:** Complete security awareness training for all employees.
– **Q2 2024:** Deploy advanced threat detection tools across the network.
– **Ongoing:** Achieve zero critical findings in monthly security audits.
**KPIs:**
– Percentage of employees completing security awareness training.
– Number of incidents detected and mitigated by new threat detection tools.
– Number and severity of findings in monthly security audits.
By following these steps and collecting the appropriate evidence, you can validate that the organization has determined what needs to be done, when, and by whom when setting its ISMS objectives. This supports a structured approach to achieving the objectives and maintaining compliance with ISO/IEC 27001:2022.