| Document ID | ISMS-OBJ-001 |
|---|---|
| Version | 0.1 |
| Status | Draft |
| Classification | Internal |
| Owner | Managing Director |
| Approved by | Managing Director |
| Approval date | pending |
| Effective from | pending |
| Next review | Annually, and at every management review |
| Mandatory under | ISO/IEC 27001:2022 clause 6.2 |
This document records the information-security objectives BackupExperts
commits the ISMS to achieve, and the Key Performance Indicators (KPIs)
by which they are measured.
ISO/IEC 27001:2022 clause 6.2 requires that objectives:
The Information Security Policy §3
states five strategic objectives: confidentiality, integrity,
availability, compliance, and continual improvement. Each numbered
objective below maps to one or more of those.
| # | Objective | KPI | Target | Cadence | Owner |
|---|---|---|---|---|---|
| O-1 | No customer data loss caused by BackupExperts. | Number of confirmed customer-data-loss incidents attributable to BackupExperts. | 0 per year. | Continuous; reviewed quarterly. | MD |
| O-2 | Tested restorability for every customer backup target. | % of scheduled restore tests in the Backup Policy §7 executed and recorded in the backup test log within their stated window. | ≥ 95%. | Quarterly. | ISO |
| O-3 | Restore tests pass. | % of restore tests producing the verification outcomes required by Restore Procedure §7. Failures must either be remediated or logged as a nonconformity. | ≥ 95% pass on first attempt; 100% remediated or formally accepted within 30 days. | Quarterly. | ISO |
| O-4 | Customer notification commitment met. | % of confirmed incidents where the customer is notified within the commitment in Incident Response Policy §7.2 ("without undue delay" with internal severity-driven targets, once defined). | 100%. | Per incident; rolled up quarterly. | MD |
| O-5 | Backup immutability enforced. | % of MinIO buckets used by Veeam offload that have S3 Object Lock enabled with appropriate retention. | 100% by the next management review (closes R-011). | Continuous; verified at every quarterly review. | ISO |
| O-6 | Access reviewed and pruned. | % of quarterly access reviews completed and recorded in the access review log within the quarter. | 100%. | Quarterly. | ISO |
| O-7 | Awareness training kept current. | % of in-scope personnel with valid annual information-security training recorded in the training log. For the sole proprietor: external course completed and self-attestation lodged. | 100%. | Annually. | ISO |
| O-8 | No unmitigated high-severity risk. | Number of Risk Register entries scoring 12 or above that are open without an in-progress treatment plan and a target date. | 0. | Quarterly review. | MD |
| O-9 | Supplier security posture reviewed. | % of material suppliers in the Sub-processor Register with a current security attestation reviewed within the last 12 months. | 100%. | Annually. | ISO |
| O-10 | Internal audit coverage. | Internal audit programme covers every ISMS clause and every applicable Annex A control over the certification cycle (3 years). | 100% coverage by year 3. | Annual audit. | ISO |
| O-11 | Management review held. | Management review meeting held in line with Management Review Procedure (planned) with the agenda required by Cl. 9.3. | At least annually. | Annual minimum (recommend semi-annual during certification run-up). | MD |
| O-12 | Nonconformities closed. | % of nonconformities raised in any 12-month rolling window that are closed within their target date. | ≥ 90%. | Continuous; reported at management review. | ISO |
| O-13 | Patch hygiene on hypervisor and management endpoints. | % of in-scope security updates applied within the cadence stated in the patching procedure (to be drafted). | ≥ 95% within 14 days; 100% within 30 days for critical CVEs. | Continuous; reported quarterly. | ISO |
| O-14 | DR exercise completed. | Annual disaster-recovery / continuity exercise per BCP §7 executed and outcomes logged. | At least once per year, with all findings closed within the year. | Annual. | MD |
These objectives are:
This list is reviewed:
Adjustments are recorded in §8 (revision history). Targets may move
both up and down — adjusting downward requires written justification
in the revision history (e.g. "target lowered from 100% to 95% because
a 100% target was found to drive false-passing rather than honest
recording").
(populated quarterly — see Records section)
| KPI | Target | Last value | Period |
|---|---|---|---|
| O-1 | 0 / yr | to record | to record |
| O-2 | ≥ 95% | to record | to record |
| ... | ... | ... | ... |
| Version | Date | Notes |
|---|---|---|
| 0.1 | issue date | Initial issue. |