
Security objectives & implementation

Goal: Turn the control decisions from the Statement of Applicability into a risk treatment plan with leads and target dates, define measurable information security objectives, and break the implementation down into tasks.

In the ISMS Assistant you open the Objectives & Planning chapter to turn the control decisions from the Statement of Applicability into a risk treatment plan, define measurable information security objectives, and then work through the execution criteria of each planned control in the Implementation chapter. On the first page you set an implementation status with a responsible lead and target date for every applicable control, on the second you define objectives at programme, risk and control level, and in the following chapter you break the planned controls down into assignable tasks.

Build the risk treatment plan

Open the Objectives & Planning chapter

Open the ISMS Assistant and switch to the Objectives & Planning chapter. The intro page shows two topic cards: Risk Treatment Plan and Information Security Objectives. Start with the treatment plan.

The Objectives & Planning chapter intro with the “Risk Treatment Plan” and “Information Security Objectives” cards.

Set an implementation status per control

The Risk Treatment Plan page lists every applicable control from the Statement of Applicability, grouped by theme: organisational, people, physical and technological. In the Status field, set one of four values per control: Implemented, Planned, Deferred or Not started. Start with the already-operational controls and set them to Implemented so the summary cards at the top show a realistic baseline.

For each applicable control you set an implementation status; the cards at the top count the controls per status.

Add leads, dates and justifications

Selecting Planned reveals the Lead and Target date fields. Fill in both immediately so a planned control stays clearly distinguishable from a deferred one. Selecting Deferred reveals a justification field; enter the reason there, such as a pending budget approval or a dependency on another project. Clicking a control’s risk-context row expands the assigned scenarios with their before/after risk levels, which helps you judge urgency.

Capture risk owner approval

In the Risk Owner Approval section, record that the risk owners have approved the treatment plan and accepted the remaining risks via Accept all residual risks. ISO 27001 explicitly requires this approval (Clause 6.1.3 f). Save with Save & Continue.

Result: every applicable control carries an implementation status, planned controls have a responsible lead and target date, deferred ones have a justification, and the risk owner approval is documented.
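The consistency rules the treatment plan page enforces (Planned needs a lead and a target date, Deferred needs a justification, the summary cards count controls per status) can be checked outside the tool before the plan goes to the risk owners. The following is an added example, not Cenedril code; the field names, the sample statuses, leads and dates are constructed for illustration, and the control ids only follow ISO/IEC 27002:2022 numbering.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The four statuses the Risk Treatment Plan page offers per control.
STATUSES = ("Implemented", "Planned", "Deferred", "Not started")


@dataclass
class ControlEntry:
    """One row of the treatment plan. Field names are assumptions for this example."""
    control_id: str
    status: str = "Not started"
    lead: Optional[str] = None
    target_date: Optional[date] = None
    justification: Optional[str] = None


def validate_entry(entry: ControlEntry) -> list[str]:
    """Return the consistency problems of one row; an empty list means it is complete.

    Mirrors the page's rules: Planned needs a lead and a target date,
    Deferred needs a justification, and the status must be one of the four."""
    problems: list[str] = []
    if entry.status not in STATUSES:
        return [f"{entry.control_id}: unknown status {entry.status!r}"]
    if entry.status == "Planned":
        if not (entry.lead or "").strip():
            problems.append(f"{entry.control_id}: Planned control has no lead")
        if entry.target_date is None:
            problems.append(f"{entry.control_id}: Planned control has no target date")
    if entry.status == "Deferred" and not (entry.justification or "").strip():
        problems.append(f"{entry.control_id}: Deferred control has no justification")
    return problems


def validate_plan(entries: list[ControlEntry]) -> list[str]:
    """Collect the problems of every row, so the plan can be checked before approval."""
    return [p for e in entries for p in validate_entry(e)]


def summary_cards(entries: list[ControlEntry]) -> dict[str, int]:
    """Count controls per status, like the cards at the top of the page."""
    counts = Counter(e.status for e in entries)
    return {s: counts.get(s, 0) for s in STATUSES}


def overdue_controls(entries: list[ControlEntry], today: date) -> list[str]:
    """Planned controls whose target date has passed without being set to Implemented."""
    return sorted(
        e.control_id
        for e in entries
        if e.status == "Planned" and e.target_date is not None and e.target_date < today
    )


# Constructed sample plan: the ids follow ISO/IEC 27002:2022 numbering, but the
# statuses, leads, dates and justification are made up for this example.
SAMPLE_PLAN = [
    ControlEntry("5.1", "Implemented"),
    ControlEntry("8.8", "Planned", lead="Ops lead", target_date=date(2024, 12, 1)),
    ControlEntry("7.4", "Deferred", justification="Budget approval for cameras pending"),
    ControlEntry("8.16", "Planned", target_date=date(2025, 3, 1)),  # lead missing on purpose
    ControlEntry("5.7", "Not started"),
]

# Reference date used when checking for overdue planned controls (constructed).
EXAMPLE_TODAY = date(2025, 1, 1)

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_PLAN):
        print("problem:", problem)
    print("cards:", summary_cards(SAMPLE_PLAN))
    print("overdue on", EXAMPLE_TODAY, ":", overdue_controls(SAMPLE_PLAN, EXAMPLE_TODAY))
```

Running the script reports the one incomplete row (the planned control without a lead) and an overdue planned control, which is exactly what the risk owners should see resolved before they approve the plan and accept the residual risks.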

Define security objectives

Create objectives at three levels

The Information Security Objectives page is split into three tabs: Program Objectives (strategic ISMS maturity), Risk-Level Objectives (effectiveness of the risk treatment), and Control-Level Objectives (operational, tied to individual controls). Cenedril suggests objectives for each tab, grouped into five template sets: ISMS maturity, control KPIs, protection needs of key assets, stakeholder requirements, and the measures of ISO/IEC 27004. Adopt the templates that fit or create your own via Add objective.

The three tabs “Program Objectives”, “Risk-Level Objectives” and “Control-Level Objectives” with the templates below.

Make every objective measurable

For each objective, record what will be done, who is responsible, the target date and how the results are evaluated. Under Measurement type, choose between Binary (yes/no), KPI (measurable target) and Periodic review. For a KPI, add the target value and unit plus the traffic-light thresholds for green and yellow; the bar below the fields shows the zones visually.
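How a measured value lands in the green, yellow or red zone of a KPI objective, and how the other two measurement types evaluate, is easiest to see in code. This is an added example and not Cenedril's own logic: the page does not say whether a KPI counts up or down, so the `higher_is_better` flag is an assumption, as are the grace period for periodic reviews and the sample objectives and values, which are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class KpiObjective:
    """A KPI objective as the page describes it: target value, unit and
    traffic-light thresholds for green and yellow (red is everything else).
    The direction flag is an assumption for this example."""
    name: str
    target: float
    unit: str
    green_threshold: float   # at or beyond this value the objective is green
    yellow_threshold: float  # at or beyond this value (short of green) it is yellow
    higher_is_better: bool = True


def validate_thresholds(obj: KpiObjective) -> list[str]:
    """Green must be at least as demanding as yellow in the objective's direction,
    and the target should sit in the green zone, otherwise the bar is meaningless."""
    problems: list[str] = []
    better = (lambda a, b: a >= b) if obj.higher_is_better else (lambda a, b: a <= b)
    if not better(obj.green_threshold, obj.yellow_threshold):
        problems.append(f"{obj.name}: green threshold is less demanding than yellow")
    if not better(obj.target, obj.green_threshold):
        problems.append(f"{obj.name}: target value lies outside the green zone")
    return problems


def kpi_zone(obj: KpiObjective, measured: float) -> str:
    """Map a measured value onto the traffic light."""
    if obj.higher_is_better:
        if measured >= obj.green_threshold:
            return "green"
        return "yellow" if measured >= obj.yellow_threshold else "red"
    if measured <= obj.green_threshold:
        return "green"
    return "yellow" if measured <= obj.yellow_threshold else "red"


def binary_zone(achieved: bool) -> str:
    """Binary (yes/no) objectives have no yellow zone."""
    return "green" if achieved else "red"


def periodic_review_zone(last_review: date, period_days: int, today: date,
                         grace_days: int = 30) -> str:
    """Periodic review objectives: green while the next review is not yet due,
    yellow inside a grace period (an assumption of this example), red afterwards."""
    due = last_review + timedelta(days=period_days)
    if today <= due:
        return "green"
    if today <= due + timedelta(days=grace_days):
        return "yellow"
    return "red"


# Constructed sample objectives; all values are made up.
PATCH_SLA = KpiObjective("Critical vulnerabilities patched within 14 days",
                         target=95, unit="%", green_threshold=95, yellow_threshold=85)
MTTA = KpiObjective("Mean time to acknowledge an incident",
                    target=4, unit="h", green_threshold=4, yellow_threshold=8,
                    higher_is_better=False)
BAD = KpiObjective("Misconfigured objective", target=90, unit="%",
                   green_threshold=80, yellow_threshold=95)

EXAMPLE_TODAY = date(2025, 6, 1)
LAST_POLICY_REVIEW = date(2024, 5, 15)


def evaluate_samples() -> dict[str, str]:
    """Evaluate the sample objectives against constructed measurements."""
    return {
        "patch sla 97%": kpi_zone(PATCH_SLA, 97),
        "patch sla 90%": kpi_zone(PATCH_SLA, 90),
        "patch sla 80%": kpi_zone(PATCH_SLA, 80),
        "mtta 3.5h": kpi_zone(MTTA, 3.5),
        "mtta 6h": kpi_zone(MTTA, 6),
        "mtta 12h": kpi_zone(MTTA, 12),
        "mfa rollout done": binary_zone(True),
        "policy review": periodic_review_zone(LAST_POLICY_REVIEW, 365, EXAMPLE_TODAY),
    }


if __name__ == "__main__":
    for problem in validate_thresholds(BAD):
        print("problem:", problem)
    for label, zone in evaluate_samples().items():
        print(f"{label}: {zone}")
```

The threshold check matters because a KPI whose green boundary is less demanding than its yellow one can never turn yellow, so the bar on the objective page would silently misreport the state of the control.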

Save the objectives and move on to Implementation

Use Save as Draft to keep interim states and Save & Continue to complete the Objectives & Planning chapter. The assistant then leads into the Implementation chapter.

Result: the ISMS becomes measurable. Each objective records what will be done, who is responsible, by when, which data source feeds the measurement, and where the traffic-light thresholds sit.

Implement the controls

Break planned controls into work packages

In the Implementation chapter, open the Execution Criteria Planning page. It shows every control marked Planned in the treatment plan, grouped by theme. Each control expands into groups of execution criteria from ISO 27002, where each group is a logical work package. Start with the controls whose target date is nearest; the target date appears in the header of each control card.

An expanded control with its criteria groups and the button to create a group task.

Tick off criteria and create tasks

Tick off the individual criteria of a group as you work through them, and use Create task for this group to create one task per work package in the Cenedril task system. The small chevron next to a criterion expands its implementation details: how-to, subtasks, RACI and estimated effort. A Cenedril badge on a criterion indicates that it is implemented through an existing platform artefact, such as a policy, a register or the management review. Check the linked artefact before creating a new task.

Result: every planned control is broken down into work packages, the criteria are ticked off, and the tasks for the operational work sit in the system. The next chapter, Performance Evaluation, measures whether the implementation achieves the objectives you set.

Frequently asked questions

How does the risk treatment plan differ from the Statement of Applicability?

The Statement of Applicability records which controls are applicable and why. The treatment plan is its operational counterpart: it records who implements which control by when, and what status it is in. ISO 27001 requires this plan to be approved by the risk owners (Clause 6.1.3 f).

What do the four implementation statuses mean?

“Implemented” means the control is fully operational and evidence exists. “Planned” means the control is committed and has a responsible lead and a target date. “Deferred” means implementation is deliberately postponed, and the justification field is audit-relevant. “Not started” is the default state.

Does every security objective have to be measurable?

ISO 27001 requires measurable objectives where practicable. Each objective carries a measurement type: binary (yes/no), KPI with target value and unit, or periodic review. KPI objectives can additionally hold traffic-light thresholds for green, yellow and red.

Where do the objective templates come from?

Cenedril derives suggestions from the treatment plan, the risk assessment, and the measures of ISO/IEC 27004. The templates are grouped into five sets: ISMS maturity, control KPIs, protection needs of key assets, stakeholder requirements, and the 27004 measures. You adopt what fits and add your own objectives.

Which controls appear on the implementation page?

Only the controls marked “Planned” in the treatment plan. For each, the execution criteria from ISO 27002 are broken down into work packages (groups) that you can tick off and turn into a task per group.