Question: Are organizational objectives for information risk management defined, measurable, and aligned with corporate goals?
Objective — Why This Matters
Clear, measurable objectives keep the program focused and defensible. They connect security work to business outcomes (uptime, customer trust, compliance) so that budget and priority decisions can be justified in business terms.
Maturity Levels (0–5)
0 — Unaware
No objectives defined.
1 — Ad Hoc
Generic objectives without measures.
2 — Defined
SMART objectives exist with owners.
3 — Managed
KPIs tracked quarterly; linked to risk register.
4 — Integrated
Objectives appear in OKRs/enterprise scorecards.
5 — Optimized
Objectives refined via lessons learned and benchmarking.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Draft 3 to 5 SMART objectives with a number and a date (e.g., “MFA coverage ≥95% of workforce accounts by end of Q4”). |
| 1 → 2 | Assign owners/dates; publish on a shared page. |
| 2 → 3 | Build a KPI tracker; review quarterly; tie to risks. |
| 3 → 4 | Integrate with corporate OKRs; include in leadership deck. |
| 4 → 5 | Compare with peers; raise targets annually. |
People / Process / Technology Enablers
- People: Security lead; data/analytics partner.
- Process: Quarterly KPI review.
- Technology: Spreadsheet + dashboard; ticketing for actions.
Evidence Required
- Objective list with owners/dates.
- Last two KPI review notes.
- Risk linkage (IDs) for each objective.
Metrics / KPIs
- % objectives on track.
- Variance vs target (by KPI).
- Number of improvements raised from reviews.
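The 2 → 3 step above calls for a KPI tracker tied to the risk register, the Evidence Required list asks for owners, dates and risk IDs per objective, and the metrics above ask for % on track and variance vs target. The following is an added example, not part of the original page, of a minimal tracker that computes those figures from a constructed CSV export; the column names, the sample objectives and the 5% "at risk" tolerance are assumptions chosen for illustration.

```python
"""Minimal KPI tracker for information-risk objectives (added example).

Reads one row per objective, computes variance vs target and a status for
each, reports % objectives on track, and flags evidence gaps (missing owner,
missing risk linkage, overdue and not on track). Column names are assumed.
"""
import csv
import io
from datetime import date

# Constructed sample data, not real figures. 'direction' says whether the KPI
# should be at or above ('>=') or at or below ('<=') its target.
SAMPLE_CSV = """\
id,objective,owner,due,risk_ids,kpi,target,current,direction
OBJ-1,MFA on all workforce accounts,IT Lead,2025-12-31,R-12;R-15,mfa_coverage_pct,95,91,>=
OBJ-2,Patch critical vulns within SLA,Platform Lead,2025-09-30,R-03,critical_patch_days_median,14,21,<=
OBJ-3,Phishing-resistant MFA for admins,IT Lead,2025-06-30,,admin_fido_pct,100,100,>=
OBJ-4,Backup restore test quarterly,,2025-12-31,R-07,restore_tests_per_quarter,1,1,>=
"""

# Assumed policy: within 5% of target counts as "at risk", further is "off track".
AT_RISK_TOLERANCE = 0.05


def load_objectives(text):
    """Parse the CSV export into dicts with numeric targets and a risk-ID list."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["target"] = float(r["target"])
        r["current"] = float(r["current"])
        r["risk_ids"] = [x for x in r["risk_ids"].split(";") if x]
    return rows


def variance(row):
    """Signed distance from target; positive means worse than target."""
    if row["direction"] == ">=":
        return row["target"] - row["current"]
    return row["current"] - row["target"]


def status(row):
    v = variance(row)
    if v <= 0:
        return "on_track"
    if v <= AT_RISK_TOLERANCE * abs(row["target"]):
        return "at_risk"
    return "off_track"


def _as_date(today):
    if today is None:
        return date.today()
    return date.fromisoformat(today) if isinstance(today, str) else today


def evidence_gaps(rows, today=None):
    """Return (objective id, gap) pairs that would fail an evidence review."""
    today = _as_date(today)
    gaps = []
    for r in rows:
        if not r["owner"].strip():
            gaps.append((r["id"], "no owner"))
        if not r["risk_ids"]:
            gaps.append((r["id"], "no risk linkage"))
        if date.fromisoformat(r["due"]) < today and status(r) != "on_track":
            gaps.append((r["id"], "overdue"))
    return gaps


def summarize(rows, today=None):
    """Compute the page's metrics: % on track, variance by KPI, status, gaps."""
    statuses = {r["id"]: status(r) for r in rows}
    on_track = sum(1 for s in statuses.values() if s == "on_track")
    return {
        "pct_on_track": round(100.0 * on_track / len(rows), 1),
        "variance": {r["id"]: variance(r) for r in rows},
        "status": statuses,
        "gaps": evidence_gaps(rows, today),
    }


if __name__ == "__main__":
    objectives = load_objectives(SAMPLE_CSV)
    for key, value in summarize(objectives, today="2025-10-01").items():
        print(key, value)
```

The `gaps` list is the useful output for a maturity review: an objective with no owner or no risk ID fails the Evidence Required checklist regardless of how its KPI reads, and an overdue objective that is still off track is exactly the kind of item the quarterly review should raise as an improvement.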
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| KPI tracker | Google Sheets | Conditional formatting for status. |
| OKRs | Notion / Markdown | Lightweight goal setting. |
| Dashboards | Metabase | Read from Sheets/CSV. |
Common Pitfalls
- Too many objectives; none measured.
- KPIs that don’t influence decisions.
- Targets without owners.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | Clause 6.2 (information security objectives and planning to achieve them): objectives must be measurable, monitored, communicated and updated. |
| NIRMATA Scoring | GL-Q06 requires measurable, owner-assigned objectives. |