
Objective-Performance Confusion in Management Systems

Confusing the objective management process with the performance management process is a common finding in management system audits, and it is so widespread that it almost obscures what the two processes are for. I have been auditing against standards such as information security and business continuity for years, and I do not think the companies that have handled these two topics properly would take more than the fingers of one hand to count.

To give an example from the ISO/IEC 27001:2013 information security management system standard: when I ask to see the organization's information security objectives under clause 6.2 of the standard, the objectives table is opened. When I then ask to see the records of the performance evaluation process under clause 9.1 of the same standard, the same objectives table is opened again. In many audits I remember saying, "if the cat is here, where is the liver? If the liver is here, where is the cat?"

If we look at the information security objectives addressed in clause 6.2, the objectives set here must support the purposes for which the organization established its information security management system (the clause also requires them to be consistent with the information security policy and, where practicable, measurable). For example, assume that one of the organization's purposes in establishing the ISMS is to maintain the level of information security needed to protect its information assets. How can you support that purpose? Through the awareness of employees and users. A high level of information security awareness among its employees is a supporting factor in the organization reaching that objective. So you can set an objective to increase employee awareness and plan activities to achieve it.

When it comes to performance management, however, what is needed is a systematic approach that can measure the performance of the management system's own operating processes, which is what clause 9.1 asks for when it requires the organization to determine what it will monitor and measure, including its information security processes and controls. Let me put it this way: the information security management system has its own processes. What are they? The list includes documentation management, risk management, awareness training management, internal audit management, and so on. Above we gave examples of activities aimed at raising awareness in order to meet an objective. Here, you evaluate the performance of the "awareness training" process itself, in the context of the activities carried out to raise awareness: for instance, whether the planned sessions were delivered on schedule and how many of the targeted employees completed them. Or you can set performance criteria for the "management of objectives" process: whether objectives were set, communicated, tracked and reviewed as planned.

In summary, the objectives themselves are not performance criteria, but the management of objectives is a process whose performance can be measured.

Published in ISO 22301
