Which three of these responses would you cause you concern in relation to conformity with ISO/IEC 27001:2022?

You are an experienced ISMS auditor, currently providing support to an ISMS auditor in training who is carrying out her first initial certification audit. She asks you what she should be verifying when auditing an organisation’s Information Security objectives. You ask her what she has included in her audit checklist and she provides the following replies.

Which three of these responses would you cause you concern in relation to conformity with ISO/IEC 27001:2022?
A . I am going to check how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved
B . I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed
C . I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved
D . I am going to check that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this
E . I am going to check that a completion date has been set for each objective and that there are no objectives with missing ‘achieve by’ dates
F . I am going to check that the necessary budget, manpower and materials to achieve each objective has been determined
G . I am going to check that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them

Answer: B, C, E

Explanation:

According to ISO/IEC 27001:2022, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), clause 6.2 requires an organization to establish information security objectives at relevant functions and levels1. The objectives should be consistent with the information security policy; measurable (if practicable) or capable of being evaluated; monitored; communicated; updated as appropriate1. Therefore, when auditing an organization’s information security objectives, an ISMS auditor should verify these aspects in accordance with the audit criteria.

Three responses from the ISMS auditor in training that would cause concern in relation to conformity with ISO/IEC 27001:2022 are:

I am going to check that top management have determined the Information Security objectives for the current year. If not, I will check that this task has been programmed to be completed: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives at relevant functions and levels, not just at the top management level. It also implies that the auditor in training is willing to accept a delay or postponement in determining the information security objectives, which may affect the ISMS performance and effectiveness.

I am going to check that the Information Security objectives are written down on paper so that everyone is clear on what needs to be achieved, how it will be achieved, and by when it will be achieved: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives that are measurable (if practicable) or capable of being evaluated, not just written down on paper. It also implies that the auditor in training is not aware of the flexibility and suitability of different media or formats for documenting and communicating information security objectives, such as electronic or digital records, posters, newsletters, etc.

I am going to check that a completion date has been set for each objective and that there are no objectives with missing ‘achieve by’ dates: This response would cause concern because it implies that the auditor in training is not aware of the requirement to establish information security objectives that are monitored, not just completed by a certain date. It also implies that the auditor in training is not aware of the possibility and necessity of updating information security objectives as appropriate, such as when changes occur in the internal or external context of the organization, or when new risks or opportunities arise.

The other responses from the ISMS auditor in training are acceptable and do not cause concern in relation to conformity with ISO/IEC 27001:2022. For example, checking how each Information Security objective has been communicated to those who need to be aware of it in order for the objective to be achieved is relevant to verifying the communication aspect of clause 6.2; checking that there is a process in place to periodically revisit Information Security objectives, with a view to amending or cancelling them if circumstances necessitate this is relevant to verifying the updating aspect of clause 6.2; checking that the necessary budget, manpower and materials to achieve each objective has been determined is relevant to verifying the planning aspect of clause 6.2; checking that all the Information Security objectives are measurable. If they are not measurable the organisation will not be able to track progress against them is relevant to verifying the measurability aspect of clause 6.2.

Reference: ISO/IEC 27001:2022 – Information technology C Security techniques C Information security management systems C Requirements