Information Security Objectives & KPI
Classification: ISMS Core Document
ISO 27001 Reference: Clause 6.2 — Information security objectives and planning to achieve them
Effective Period: FY2026 (February 2026 – January 2027)
Owner: Lucas Shin — Security Director
Approved By: Richard — CISO
Review Cycle: Annually (with quarterly KPI check-in)
1. Purpose
This document defines Cybercraft's annual information security objectives and associated Key Performance Indicators (KPIs) in accordance with ISO/IEC 27001:2022 Clause 6.2.
All objectives are aligned with:
- The Information Security Policy (L1) and its "Platform = Policy" principle
- Cybercraft's operational reality as a 3–5 person SMB on Microsoft 365
- The COM Profile security posture (BYOD-first, gateway/policy-centric controls)
2. Objectives & KPIs
2.1 Shadow IT Elimination
Objective: All SaaS tools used for Cybercraft business are on the Approved SaaS Register — zero unapproved tools in use.
| Item | Detail |
|---|---|
| KPI | Number of unapproved SaaS tools detected per quarter = 0 |
| Measurement | Quarterly SaaS audit via Entra ID sign-in logs and Defender for Cloud Apps (where available) |
| Owner | Security Director |
| Actions | Maintain Approved SaaS Register; conduct quarterly audit; enforce Managed Edge as default SaaS access path |
| Target | 0 unapproved tools per quarter |
2.2 MFA Coverage
Objective: Multi-Factor Authentication is enforced on 100% of Entra ID accounts — no exceptions.
| Item | Detail |
|---|---|
| KPI | Percentage of Entra ID accounts with MFA enforced = 100% |
| Measurement | Monthly Entra ID authentication methods report |
| Owner | Security Director |
| Actions | Security Defaults enabled for all accounts; Premium users additionally covered by Conditional Access MFA policies |
| Target | 100% — sustained monthly |
2.3 Guest Account Hygiene
Objective: No stale or orphaned guest accounts remain in Entra ID — all guest accounts are active, justified, and reviewed.
| Item | Detail |
|---|---|
| KPI | Number of stale guest accounts (no sign-in > 90 days, no active engagement) = 0 |
| Measurement | Quarterly guest account review (Entra ID sign-in logs + Teams membership audit) |
| Owner | Security Director |
| Actions | Quarterly review per Supplier & Third-Party Security Policy §4.2; disable/remove accounts for completed engagements |
| Target | 0 stale accounts at each quarterly review |
2.4 BYOD Policy Compliance
Objective: All personnel with device-based M365 access comply with applicable BYOD controls and attestation requirements.
| Item | Detail |
|---|---|
| KPI | Minimum Viable Controls (MVC) attestation completion rate = 100% |
| Measurement | Annual attestation cycle (or on personnel change); Intune compliance dashboard for Premium users (weekly) |
| Owner | Security Director |
| Actions | Issue MVC attestation forms to Level 2 users annually; monitor Intune compliance for Level 1 Premium users weekly |
| Target | 100% attestation within 30 days of cycle start |
2.5 Incident Response Readiness
Objective: Security incidents are detected and responded to within defined timeframes.
| Item | Detail |
|---|---|
| KPI | Time from incident detection to initial response ≤ 24 hours |
| Measurement | Per-incident tracking; annual summary in management review |
| Owner | Security Director + CISO |
| Actions | Maintain incident response procedure (BYOD-PROC-04); configure Entra ID anomaly alerts; weekly sign-in log review |
| Target | 100% of incidents responded to within 24h |
2.6 ISMS Documentation Completeness
Objective: All mandatory ISMS documentation required for ISO 27001 certification readiness is drafted, reviewed, and approved.
| Item | Detail |
|---|---|
| KPI | Percentage of ISMS documentation sections completed (non-blank, reviewed) = 100% |
| Measurement | Quarterly progress review against ISMS Documentation index |
| Owner | Security Director |
| Actions | Complete remaining scaffolds: Scope Statement, Risk Register, Asset Register, SoA population, HR Security records |
| Target | 100% by end of FY2026 (January 2027) |
3. Monitoring & Reporting
| Activity | Frequency | Owner | Output |
|---|---|---|---|
| KPI data collection | Monthly (MFA) / Quarterly (others) | Security Director | KPI dashboard / summary report |
| Quarterly KPI review | Quarterly | Security Director + CISO | Quarterly security objectives status report |
| Annual management review | Annually | CEO + CISO + Security Director | Management review minutes with objective achievement summary |
| Objective revision (if needed) | Annually or ad-hoc | CISO | Updated objectives document (new version) |
4. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-02-23 | Lucas Shin | Initial release — 6 objectives aligned to Cybercraft COM Profile and M365 platform controls |
Review Schedule
- Quarterly: KPI check-in and status update
- Annually: Full objectives review, target adjustment, new objectives consideration
- Ad-hoc: Upon significant organisational changes, incidents, or ISMS scope changes
[End of Document]