The requirements for Information Security objectives are found in ISO/IEC 27001:2022, clause 6.2:

Top management shall ensure that information security objectives are established.

Objectives must:

Be consistent with the information security policy.

Be measurable (if practicable).

Take into account applicable information security requirements, and results from risk assessments and risk treatment.

Be communicated.

Be monitored.

Be updated as appropriate.

When planning how to achieve objectives, organisations must determine:

What will be done.

What resources will be required.

Who will be responsible.

When it will be completed.

How the results will be evaluated.

Analysis of each option:

A. Reviewed at all management reviews → Concern.ISO 27001 clause 9.3 (Management review) requires that the status of objectives is reviewed, but not at all management reviews — only at scheduled ones. Mandating every review is incorrect.

B. Communication → Correct.Clause 6.2 requires objectives to be communicated. This is valid.

C. Completion date → Correct.Clause 6.2 requires organisations to determine when it will be completed. Valid.

D. Measurable → Correct.Clause 6.2 explicitly says objectives must be measurable (if practicable). Valid.

E. Distributed to all staff → Concern.Clause 6.2 requires objectives to be communicated to those who need to be aware, not all staff. This is overreach and not aligned with the standard.

F. Budget/resources → Correct.Clause 6.2 requires determining what resources will be required. Valid.

G. Process to revisit → Correct.Clause 6.2 requires objectives to be updated as appropriate. Valid.

H. Top management determine annually → Concern.Clause 6.2 requires top management to ensure objectives are established, but there is no requirement for an annual cycle. This could cause mis-audit findings.

ISO/IEC 27001:2022, Clause 6.2 (Information security objectives and planning to achieve them)