ISO 27001 Clause 6.2: Information security objectives & planning to achieve them

Clause 6.2 of ISO 27001, titled "Information security objectives and planning to achieve them", sits in the Planning section of the standard (Clause 6). In simple terms, it asks you to set clear, measurable goals for protecting your information and to plan how you will reach them: what will be done, with which resources, by whom, by when, and how you will know it worked.

What does clause 6.2 require?

This clause asks organisations to do the following:

  1. Define relevant objectives: Organisations must establish information security objectives at relevant functions and levels of the business. The objectives must be consistent with the information security policy, reflect the organisation's business needs and applicable information security requirements (legal, contractual and regulatory), and focus on protecting its most important information.

  2. Align with risk: The objectives must take into account the results of the risk assessment and risk treatment. In practice this means they should address the risks you have actually identified, sit within the organisation's risk appetite, and not demand more resources or effort than management is prepared to commit.

  3. Make them measurable: Objectives should be measurable where practicable, so that progress can be tracked against a defined target and the result evaluated. They must also be monitored, communicated to the people who need to act on them, and updated as circumstances change.

  4. Develop a plan: For each objective, the organisation must determine what will be done, what resources will be required, who will be responsible, when it will be completed, and how the results will be evaluated.


Key Elements of Clause 6.2

Now, let's look at the key components of this clause:

  • Relevance: Objectives must be consistent with the information security policy, fit your business needs, and protect your critical information.

  • Risk alignment: Objectives must take the risk assessment and risk treatment results into account, and fit your risk appetite and available resources.

  • Measurability: Objectives should be quantifiable (where practicable), monitored, communicated and kept up to date.

  • Planning: For each objective, determine what will be done, the resources needed, who is responsible, the completion date, and how results will be evaluated.

What changed in ISO 27001:2022?

The 2022 revision of ISO 27001 made only small changes to Clause 6.2; the core requirements are the same as in the 2013 edition:

  • Documentation: Objectives must now "be available as documented information", in addition to the existing requirement to retain documented information on them. In practice, write the objectives down and keep them under version control.

  • Monitoring: A new requirement that objectives "be monitored" was added. Measurable objectives are of little use unless someone checks progress against them at defined intervals, so this closes an obvious gap.

  • Planning details: The planning requirements (what will be done, resources, responsibility, completion date and how results are evaluated) are unchanged from 2013. The requirement that objectives be measurable "if practicable" is also unchanged.

Why is clause 6.2 important?

Clause 6.2 matters because it turns the information security policy and the risk assessment into concrete, trackable commitments. Without defined objectives an ISMS has no way to show that its controls are achieving anything; with measurable objectives and a resourced plan, management can see whether identified risks are actually being reduced, and auditors can see evidence that the system is working rather than just documented.


How to meet the requirements of clause 6.2

Here are some practical steps to fulfil the requirements of Clause 6.2:

  1. Identify important assets: Start by identifying the information assets that are critical to your organisation, using the asset inventory from your risk assessment.

  2. Assess risks: Evaluate the risks to these assets by working through the risk scenarios that could affect them, and record the risk treatment decisions. Clause 6.2 requires the objectives to take these results into account.

  3. Set aligned objectives: Define security objectives that are consistent with the information security policy, address the identified risks, and fit your risk appetite. Make each one measurable where practicable, with a target and a way of checking it.

  4. Document objectives: Put the objectives in writing and keep them as documented information, so they are available to the people responsible and to auditors.

  5. Develop a plan: For each objective, record what will be done, the resources required, who is responsible, the completion date, and how the results will be evaluated.

  6. Implement: Put the plan into action and communicate the objectives to the people who need to act on them.

  7. Monitor and review: Monitor progress against each objective at defined intervals and review whether the objectives are still appropriate. If an objective is no longer effective or relevant, go back to steps 3 to 7: revise the objective, its documentation and its plan, and monitor again.

By following these steps, you'll help your organisation meet the requirements of Clause 6.2 and enhance its overall information security posture. 
