ISMS Objectives
Document ID: ISO-005
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Approved: March 2026
Next review: March 2027
Framework: ISO 27001 (6.2) | SOC 2 (CC1.2)
1. Purpose
ISO 27001 Clause 6.2 requires the organisation to establish measurable information security objectives at relevant functions and levels. These objectives drive continual improvement of the ISMS and provide the basis for performance monitoring.
2. Objectives

OBJ-01: Incident Response Time
Objective: Respond to all security incidents within 12 hours of detection
Metric: Mean time to respond (MTTR) for all classified incidents
Target: MTTR ≤ 12 hours
Measurement: Incident register — response timestamp vs detection timestamp
Frequency: Per incident; reviewed at management review
Owner: Jan Marc Castlunger (ISO)
Status: ✅ Active
OBJ-02: MFA Compliance
Objective: Enforce multi-factor authentication on 100% of user accounts across all systems
Metric: Percentage of accounts with MFA enabled (Azure, GitHub, Google Workspace)
Target: 100%
Measurement: Quarterly access review — Azure AD / Google Admin / GitHub admin consoles
Frequency: Quarterly
Owner: Jan Marc Castlunger (ISO)
Status: ✅ Active — currently at 100%
OBJ-03: Service Availability
Objective: Maintain Quick-ID API availability at or above 99.9% uptime
Metric: Monthly uptime percentage (excluding planned maintenance)
Target: ≥ 99.9%
Measurement: Azure Monitor / status page monitoring; monthly uptime reports
Frequency: Monthly
Owner: Sebastian Windeck (CTO)
Status: ✅ Active
OBJ-04: Security Training Completion
Objective: Ensure 100% of staff complete annual security awareness training
Metric: Percentage of staff who completed training within the calendar year
Target: 100%
Measurement: Training completion records (Google Drive > Security > Training)
Frequency: Annually; checked quarterly
Owner: Jan Marc Castlunger (ISO)
Status: ✅ Active — 2026 training completed
OBJ-05: Zero Major Audit Findings
Objective: Achieve zero outstanding major nonconformities from internal and external audits
Metric: Number of open major nonconformities
Target: 0
Measurement: Audit finding log; corrective action register
Frequency: Per audit; reviewed at management review
Owner: Jan Marc Castlunger (ISO)
Status: ✅ Active
OBJ-06: Risk Treatment Completion
Objective: Complete all risk treatment actions for residual Medium/High risks by their target dates
Metric: Percentage of risk treatment actions completed on time
Target: 100% on-time completion
Measurement: Risk register open actions (R03, R07, R10, R12, R13, R14)
Frequency: Quarterly
Owner: Jan Marc Castlunger (ISO)
Status: 🔄 In Progress — 6 open actions
OBJ-07: Zero Security Incidents (P1/P2)
Objective: Maintain zero Priority 1 and Priority 2 security incidents
Metric: Number of P1/P2 incidents per year
Target: 0
Measurement: Incident register
Frequency: Continuous; reviewed at management review
Owner: Jan Marc Castlunger (ISO)
Status: ✅ Active — 0 incidents to date
OBJ-08: Backup Restore Success
Objective: Achieve 100% success rate on backup restore tests
Metric: Percentage of backup restore tests that succeed within RTO
Target: 100%
Measurement: Backup restore test records (semi-annual)
Frequency: Semi-annually
Owner: Sebastian Windeck (CTO)
Status: ✅ Active
3. Objectives Summary Dashboard
ID     | Objective                 | Target     | Current            | Status
OBJ-01 | Incident response time    | ≤ 12 hours | N/A (no incidents) | ✅ On track
OBJ-02 | MFA compliance            | 100%       | 100%               | ✅ Met
OBJ-03 | Service availability      | ≥ 99.9%    | Monitoring active  | ✅ On track
OBJ-04 | Training completion       | 100%       | 100% (2026)        | ✅ Met
OBJ-05 | Zero major audit findings | 0          | 0                  | ✅ Met
OBJ-06 | Risk treatment on time    | 100%       | 0/6 complete       | 🔄 In Progress
OBJ-07 | Zero P1/P2 incidents      | 0          | 0                  | ✅ Met
OBJ-08 | Backup restore success    | 100%       | Last test passed   | ✅ On track
4. How Objectives Are Achieved
Objective | Resources & Actions
OBJ-01 | Incident Response Plan; emergency contact tree; Azure Monitor alerts
OBJ-02 | Azure AD conditional access; Google Workspace MFA enforcement; quarterly access review
OBJ-03 | AKS auto-scaling; geo-redundant backups; BCP with 4-hour RTO
OBJ-04 | Annual security awareness programme; onboarding training for new hires
OBJ-05 | Internal audit programme; corrective action procedure; pre-certification gap analysis
OBJ-06 | Risk register with assigned owners and target dates; quarterly progress review
OBJ-07 | Defence-in-depth controls; vulnerability scanning; security training
OBJ-08 | Automated Azure backups; semi-annual restore testing; documented test procedures
5. Review
Objectives are reviewed:
- Annually at the management review (Clause 9.3)
- When material changes occur to the ISMS, infrastructure, or risk profile
- Following any security incident that impacts objective performance
Progress is reported at each management review using the summary dashboard above.
Approved by: Jan Marc Castlunger (CEO / ISO), CTW Data Solutions GmbH
Date: March 2026
March 9, 2026