I disagree but when you think that It will be valuable you might have a far more certain goal and established a timescale on it. Most likely This may be an goal that is one thing about variety of incidents to get less than X by December 2024. Roles and Obligations (section three) The area on roles and obligations is just not necessary for ISO27001