Information Security Objectives
Version: 2.2
Status: Approved
Last modified: January 2025
Next Review Date: July 2025
ISO Statement
oboloo is actively preparing for ISO/IEC 27001 certification and has established these Information Security Objectives in alignment with clause 6.2 of the ISO/IEC 27001:2022 standard. These objectives support the continual improvement of oboloo’s Information Security Management System (ISMS) and the protection of information assets.
Purpose
The purpose of this document is to define oboloo’s measurable information security objectives and align them with broader business goals, risk treatment priorities, and legal/regulatory requirements.
Summary
These objectives are reviewed bi-annually by the management team and tracked as part of oboloo’s ISMS. Progress is monitored and reported during internal audits, management reviews, and continuous improvement cycles.
Scope
These objectives apply to all departments, systems, employees, and third-party partners that interact with oboloo’s data and infrastructure.
Current Information Security Objectives
Objective ID | Objective Description | Target Metric / KPI
---|---|---
OBJ-001 | Ensure 100% of new users complete security awareness training within 7 days of start | ≥ 100% completion rate within 7 days
OBJ-002 | Maintain Multi-Factor Authentication (MFA) across all internal systems | 100% MFA enforced for all users and tools
OBJ-003 | Ensure critical patches are applied within SLA on production systems | ≥ 95% patch compliance within 14 days
OBJ-004 | Ensure no high-risk item in the risk register remains unresolved for more than 30 days | 0 outstanding high-risk items aged > 30 days
Alignment with Risk and Compliance Priorities
Each objective is tied to a control area within ISO/IEC 27001, a risk treatment priority, or a regulatory obligation such as GDPR or CCPA. Where possible, automation and dashboard tracking are used to monitor progress.
ISO/IEC 27001 Annex A Mapping
Objective Area | ISO/IEC 27001 Control Ref | Description
---|---|---
Awareness Training | A.7.2.2 | User education and awareness
MFA and Authentication | A.9.4 | Access control and authentication
Patch Management | A.12.6.1 | Technical vulnerability management
Risk Remediation | A.6.1.2 / A.6.1.3 | Risk assessment and treatment
Review and Update of the Methodology
Bi-Annual Review: Information security objectives are reviewed every 6 months during scheduled management review meetings.
Updates: If significant risks, compliance requirements, or operational changes arise, objectives are adjusted accordingly and documented here.
Document Control
Version: 2.2
Date: January 2025
Description: Updated KPIs and mapped to ISO/IEC 27001:2022 controls
Previous Versions:
- Version 2.1 (June 2024): Refined phishing and patching targets
- Version 2.0 (January 2024): Reorganised for better KPI tracking
- Version 1.0 (June 2023): Initial publication of security objectives