According to ISO/IEC 27001, Clause 6.2, information security objectives must be established at relevant functions and levels. A key requirement is that these objectives "shall be consistent with the information security policy." This ensures that the specific, measurable goals set by the organization directly support and align with the overall intentions and direction regarding information security, as formally expressed by top management in the policy. The policy provides the high-level framework, and the objectives provide the concrete targets to be achieved within that framework.

B. They shall all be measurable

The standard states objectives shall be measurable "if practicable," acknowledging that some qualitative objectives may be valid even if not easily quantifiable.

C. They shall be contractually transferred to third parties

While security requirements for suppliers are addressed, the standard does not mandate that an organization's internal security objectives be contractually transferred to third parties.

D. They shall be reviewed at least annually

The standard requires objectives to be monitored and updated "as appropriate," but does not prescribe a specific "at least annually" review frequency within Clause 6.2.

1. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

Section 6.2, "Information security objectives and planning to achieve them": This clause explicitly states that "The information security objectives shall: a) be consistent with the information security policy; b) be measurable (if practicable); ... e) be communicated; and f) be updated as appropriate." This directly supports answer A and refutes B and D.

2. Calder, A., & Watkins, S. (2019). IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002 (7th ed.). Kogan Page Publishers.

Chapter 11, "Clause 6: Planning": This chapter explains that the information security policy (Clause 5.2) sets the overall direction, and the objectives (Clause 6.2) must be established in line with that policy to provide clear goals for the ISMS.

3. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House.

Page 51, "6.2 Information security objectives and planning to achieve them": The text clarifies the linkage: "The objectives must be consistent with the policy... The policy sets out what you want to achieve in broad terms; the objectives are the specific things you need to do to get there." This reinforces the correctness of option A.