Information Security Objectives
Document ID: DPWAT-ISMS-GOV-005
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-08-18
Next review: 2027-02-01 (during management review, or on major change)
1. Purpose
Define DP WAT’s measurable information security objectives and how progress is monitored (ISO 27001 clause 6.2).
2. Company-level objectives
| Objective | Metric / KPI | Target | Frequency | Owner |
|---|---|---|---|---|
| Enforce strong authentication | % of in-scope systems with MFA enforced | 100% | Quarterly | Administrator |
| Passkey adoption | % of personnel using passkeys for primary accounts (Google, GitHub) | >90% | Quarterly | CISO |
| Password manager adoption | % of personnel using approved password manager | 100% | Quarterly | CISO |
| Reduce access sprawl | % of access grants backed by a recorded and approved access request | 100% | Monthly | CISO |
| Maintain incident readiness | Time from receipt of a security report to initial triage | < 1 business day | Per incident | CISO |
| Improve secure delivery | % of high-risk changes with review and security scanning | 100% | Quarterly | Process Owners |
| Supplier visibility | % of critical suppliers reviewed | 100% | Annually | CISO |
| Device management coverage | % of company devices enrolled in MDM | 100% | Quarterly | Administrator |
| Security awareness | % of personnel completing annual security refresher | 100% | Annually | CISO |
| Zero security incidents caused by policy violations | Count of incidents attributable to policy non-compliance | 0 | Annually | CISO |
| Customer trust | Security-related customer complaints | 0 | Annually | Administrator |
| Maintain certification | Pass surveillance/recertification audits | Pass | Per audit cycle | CISO |
3. Monitoring and evaluation (ISO 27001 clause 9.1)
- Collection: Each metric owner collects data from relevant systems/registers at the stated frequency.
- Analysis: The CISO reviews metrics before each management review (at least annually).
- Evaluation: Trends and deviations are evaluated in management review; actions are recorded if targets are not met.
- Evidence: Metric data and analysis are documented in management review minutes or supporting records in 07-records/.