ISO 27001 Implementation Guidance: Using Objectives
Updated: Nov 29, 2019
While it seems obvious to state that your Information Security Management System (ISMS) should be in a good state before any certification visit, this desire for 'perfection' can be a major cause of unnecessary delay.
While it's true that auditors don't like to see too much 'work in progress', the standard itself provides a mechanism for capturing unfinished controls within a formal programme: Information Security Objectives (clause 6.2 of ISO 27001:2013). Recording work-in-progress as an objective, with an owner, a deadline and a means of measuring progress, is the way to do this.
As an example, an organisation has reviewed the ISO 27001:2013 standard and chosen to document a new supplier security policy: each supplier will be assessed, the risks identified, and appropriate controls put in place for every supplier rated as high or medium risk. The initial assessment identifies more than 50 suppliers requiring new controls, amended contracts, data processing agreements and so on. Rather than wait until all of this work is complete before seeking certification, the organisation can capture it as a fixed-term ISMS objective, e.g. "All high and medium risk suppliers will have appropriate agreements in place by Q2 2020", with a named owner and with progress against the objective reviewed at a quarterly ISMS steering meeting. The auditor then sees a planned, resourced and monitored activity rather than an unexplained gap.
Beyond the supplier example, areas commonly covered by objectives include information labelling, embedding security within the development lifecycle, and the provision of security awareness training for all staff. The same model can be applied to any activity that is taking longer than you would like.
It is important to stress that this approach is only possible for the Annex A controls of ISO 27001:2013, whose applicability is defined by your Statement of Applicability. The management system clauses of the standard (clauses 4 to 10) are mandatory: none can be excluded, and they must have been fully implemented before a certification visit will be successful.