Security Objectives Register

Q: What does Clause 6.2 specifically require?

Information security objectives must be consistent with the information security policy, measurable (where practicable), take into account the results of the risk assessment, be communicated, and be updated regularly. You must also document what will be done, what resources are needed, who is responsible, when the objectives should be achieved, and how results will be evaluated.

Q: How many security objectives do I need?

No fixed number. Five to ten well-formulated objectives are a solid starting point for most organisations. More important than quantity: each objective must be measurable and linked to a responsible person. Ten vague statements of intent are less useful than three precise, measurable objectives.

Q: Do all objectives need to be quantitative?

Clause 6.2 says 'where practicable'. An objective like 'ERP system availability ≥ 99.5%' is quantitatively measurable. An objective like 'All employees complete awareness training by Q3' is also measurable — as yes/no. The key is that you can assess the degree of fulfilment.

Clause 6.2 requires your ISMS to have documented information security objectives — and a plan for how to achieve them. The security objectives register is where objective, metric, responsibility, and deadline converge. Without this register, information security remains an intention without direction.

What does it contain?

The template maps the requirements of Clause 6.2 directly into columns:

Objective — what should be achieved? (e.g. reduce mean time to recovery to < 4 hours)
Policy reference — which principle of the information security policy does this objective support?
Metric / KPI — how is progress measured? (e.g. MTTR in hours, training completion rate in percent)
Target value — what value should be reached?
Responsible person — who drives achievement of the objective?
Resources — what is needed? (budget, personnel, tools)
Deadline — by when should the objective be achieved?
Status — current degree of fulfilment

How to use the template

1. Formulate objectives. Derive them from three sources: the information security policy (Clause 5.2), the risk assessment (Clause 6.1), and stakeholder requirements (Clause 4.2). Each objective should have a clear link to at least one of these sources.

2. Define metrics. For each objective: which KPI shows progress? Availability percentage, number of security incidents, mean response time, training completion rate, patch cycle time. Choose metrics you can actually collect — with the data available to you.

3. Set responsibilities and deadlines. An objective without a responsible person and a deadline is a wish. Every row in the register needs both.

4. Present in the management review. Clause 9.3 requires that the results of security objectives are addressed in the management review. The register is the basis for this discussion — bring it up to date.

5. Adjust annually. Objectives that have been met are replaced by new ones. Objectives that were missed are analysed: was it resources, the target value, or the implementation? This analysis belongs in the management review minutes.

ID	Ziel	Verknüpfte ISO-Klausel / Risiko	Verantwortlich	Messgröße	Baseline (Jahresanfang)	Zielwert	Messfrequenz	Aktueller Wert	Status	Prüfdatum	Verknüpfte Maßnahme
OBJ-2026-01	Phishing-Simulations-Klickrate unter 5 % senken	ISO 6.2 + R-002	ISB	% Mitarbeitende	die simuliertes Phishing anklicken	5	8 % (2025-12)	<5 % bis 2026-12-31	Quartalsweise	4	2 % (2026-Q1)
OBJ-2026-02	100 % phishing-resistente MFA für alle Admin-Konten erreichen	ISO 6.2 + R-001 + R-002	ISB	% Admin-Konten mit FIDO2	0 % (2025-12)	100 % bis 2026-06-30	Monatlich	48 % (2026-04)	Auf Kurs	2026-06-30	RTP-001
OBJ-2026-03	FIDO2 für alle Mitarbeitenden ausrollen	ISO 6.2 + R-002	ISB	% Mitarbeitende mit FIDO2 ausgestattet	0 % (2025-12)	100 % bis 2026-09-30	Monatlich	12 % (2026-04)	Auf Kurs	2026-09-30	RTP-004
OBJ-2026-04	Alle kritischen und hohen Schwachstellen in zwei aufeinanderfolgenden Quartalen innerhalb SLA schließen	ISO 6.2 + A.8.8	IT-Betriebsleitung	% Schwachstellen innerhalb SLA geschlossen	89 % (2025-Q4)	100 % in 2026-Q3 und Q4	Monatlich	92 % (2026-Q1)	Hinter Plan	2026-09-30	CAPA-2026-004
OBJ-2026-05	Externes Überwachungsaudit ohne schwerwiegende Feststellungen bestehen	ISO 9.2 + 9.3	ISB	Anzahl schwerwiegender Feststellungen	1 (Audit 2025)	0 in 2026	Jährlich	Audit ausstehend	Ausstehend	2026-05-18
OBJ-2026-06	Awareness-Schulungs-Abschlussquote auf über 95 % erhöhen	A.6.3	HR-Leitung	% Mitarbeitende	die jährliches Awareness-Training abschließen	93 % (2025)	>95 % bis 2026-12-31	Quartalsweise	96 % (2026-Q1)	Erreicht	2026-12-31
OBJ-2026-07	Mean Time to Detect (MTTD) für Sicherheitsvorfälle unter 2 Stunden senken	ISO 6.2 + A.5.25	ISB	Stunden vom Vorfall bis zur Erkennung (Median)	2 h 45 min (2025)	<2 h bis 2026-12-31	Quartalsweise	1 h 35 min (2026-Q1)	Erreicht	2026-12-31
OBJ-2026-08	Zweiten Logistik-SaaS-Anbieter als Standby qualifizieren	R-004 + A.5.30	Einkauf	Anbieter qualifiziert (ja/nein)	Nein	Ja bis 2026-12-31	Quartalsweise	Anbieter-Shortlist vereinbart	Auf Kurs	2026-12-31	RTP-008
OBJ-2026-09	100 % Lieferanten-Sicherheitsprüfung für kritische Lieferanten erreichen	A.5.22	Einkauf	% kritische Lieferanten innerhalb 12 Monaten geprüft	80 % (2025)	100 % bis 2026-12-31	Quartalsweise	92 % (2026-Q1)	Auf Kurs	2026-12-31
OBJ-2026-10	Zwei BCM-Übungen pro Jahr für kritische Prozesse durchführen	A.5.29 + A.5.30	BCM-Leitung	Anzahl Übungen pro Jahr	1 (2025)	2 bis 2026-12-31	Jährlich	1 abgeschlossen (2026-Q2)	Auf Kurs	2026-12-31

ID	Objective	Linked ISO Clause / Risk	Owner	Metric	Baseline (start of year)	Target	Measurement Frequency	Current Value	Status	Review Date	Linked Action
OBJ-2026-01	Reduce phishing simulation click rate below 5%	ISO 6.2 + R-002	ISO	% of users clicking simulated phishing	5.8% (2025-12)	<5% by 2026-12-31	Quarterly	4.2% (2026-Q1)	On track	2026-06-30	RTP-005
OBJ-2026-02	Achieve 100% phishing-resistant MFA for all admin accounts	ISO 6.2 + R-001 + R-002	ISO	% of admin accounts on FIDO2	0% (2025-12)	100% by 2026-06-30	Monthly	48% (2026-04)	On track	2026-06-30	RTP-001
OBJ-2026-03	Roll out FIDO2 to all staff	ISO 6.2 + R-002	ISO	% of users with FIDO2 enrolled	0% (2025-12)	100% by 2026-09-30	Monthly	12% (2026-04)	On track	2026-09-30	RTP-004
OBJ-2026-04	Close all critical and high vulnerabilities within SLA for two consecutive quarters	ISO 6.2 + A.8.8	IT Operations Lead	% of vulns closed within SLA	89% (2025-Q4)	100% in 2026-Q3 and Q4	Monthly	92% (2026-Q1)	Behind	2026-09-30	CAPA-2026-004
OBJ-2026-05	Pass external surveillance audit with no major findings	ISO 9.2 + 9.3	ISO	Number of major findings	1 (2025 audit)	0 in 2026	Annual	Pending audit	Pending	2026-05-18
OBJ-2026-06	Increase awareness training completion above 95%	A.6.3	HR Lead	% of staff completing annual awareness training	93% (2025)	>95% by 2026-12-31	Quarterly	96% (2026-Q1)	Achieved	2026-12-31
OBJ-2026-07	Reduce mean time to detect (MTTD) for security incidents below 2 hours	ISO 6.2 + A.5.25	ISO	Hours from incident occurrence to detection (median)	2h 45min (2025)	<2h by 2026-12-31	Quarterly	1h 35min (2026-Q1)	Achieved	2026-12-31
OBJ-2026-08	Qualify a second logistics SaaS provider as standby	R-004 + A.5.30	Procurement	Provider qualified (yes/no)	No	Yes by 2026-12-31	Quarterly	Vendor shortlist agreed	On track	2026-12-31	RTP-008
OBJ-2026-09	Achieve 100% supplier security review coverage for critical suppliers	A.5.22	Procurement	% of critical suppliers reviewed within 12 months	80% (2025)	100% by 2026-12-31	Quarterly	92% (2026-Q1)	On track	2026-12-31
OBJ-2026-10	Run two BCM exercises per year for critical processes	A.5.29 + A.5.30	BCM Lead	Number of exercises per year	1 (2025)	2 by 2026-12-31	Annual	1 completed (2026-Q2)	On track	2026-12-31

Sources

ISO/IEC 27001:2022 Clause 6.2 — Information security objectives and planning to achieve them
ISO/IEC 27001:2022 Clause 9.3 — Management review

Frequently asked questions

What does Clause 6.2 specifically require?