Information Security Objectives
Version: 2.2
Status: Approved
Last modified: January 2025
Next Review Date: July 2025
ISO Statement
oboloo Limited is actively preparing for ISO/IEC 27001 certification and has established this Information Security Objectives Policy in alignment with Clause 6.2 of the ISO/IEC 27001:2022 standard. This policy supports the continual improvement of oboloo’s Information Security Management System (ISMS) and the protection of information assets.
Introduction
oboloo Limited is committed to protecting the confidentiality, integrity, and availability of its information assets and those entrusted by customers, suppliers, employees, and third parties. This policy defines measurable information security objectives and outlines how they are implemented, monitored, and reviewed to support compliance with legal, regulatory, and contractual requirements.
Who We Are and How to Contact Us
Company Name: oboloo Limited
Company Number: 12420854
Trading Address: 7 Bell Yard, London, England, WC2A 2JR
Contact Email: hello@oboloo.com
Acceptance of Terms
By operating within the scope of oboloo Limited’s ISMS, all employees, contractors, and partners are deemed to accept the terms of this policy and are responsible for supporting its execution.
Changes to This Policy
This policy may be updated to reflect changes in risk, compliance obligations, or operational requirements. The current version will be made available internally, and any changes will be communicated to affected parties.
Related Policies
This policy should be read in conjunction with:
Information Security Policy
Access Control Policy
Risk Management Framework
Staff Cyber Awareness Policy
Purpose
The purpose of this policy is to define information security objectives that are:
Aligned with business strategy and risk treatment priorities
Compliant with ISO/IEC 27001 and other applicable obligations
Supported by measurable KPIs to enable tracking and continuous improvement
Scope
This policy applies to:
All oboloo departments, systems, employees, and contractors
Third-party partners that process or access oboloo data
Any processes or systems under the ISMS scope
The policy is aimed at those maintaining the ISMS and all staff participating in ISMS-related activities.
Current Information Security Objectives
Objective ID | Objective Description | Target Metric / KPI
---|---|---
OBJ-001 | Ensure 100% of new users complete security awareness training within 7 days of start | ≥ 100% completion rate within 7 days
OBJ-002 | Maintain Multi-Factor Authentication (MFA) across all internal systems | 100% MFA enforced for all users and tools
OBJ-003 | Ensure critical patches are applied within SLA on production systems | ≥ 95% patch compliance within 14 days
OBJ-004 | Maintain zero unresolved high-risk items in the risk register for more than 30 days | 0 outstanding high-risk risks aged > 30 days
Alignment with Risk and Compliance Priorities
Each objective maps to ISO/IEC 27001 Annex A control areas, risk treatment actions, and regulatory frameworks such as GDPR. Progress is monitored via automation and dashboards where possible, and reviewed in ISMS management meetings.
ISO/IEC 27001 Annex A Mapping
Objective Area | ISO/IEC 27001 Control Ref | Description
---|---|---
Awareness Training | A.7.2.2 | User education and awareness
MFA and Authentication | A.9.4 | Access control and authentication
Patch Management | A.12.6.1 | Technical vulnerability management
Risk Remediation | A.6.1.2 / A.6.1.3 | Risk assessment and treatment
Review and Update of the Methodology
Bi-Annual Review: Objectives are reviewed every 6 months during management review meetings.
Updates: Changes due to compliance, risks, or operations will be documented and version-controlled.
Document Control
Version: 2.2
Date: January 2025
Description: Updated KPIs and mapped to ISO/IEC 27001:2022 controls
Previous Versions:
- Version 2.1 (June 2024): Refined phishing and patching targets
- Version 2.0 (January 2024): Reorganised for better KPI tracking
- Version 1.0 (June 2023): Initial publication of security objectives