Embarking on the ISO 27001 certification journey is a significant strategic decision. At its core lies Clause 7.1: Resources, a mandatory requirement that compels an organisation to determine and provide the assets, people, and budget needed for a successful Information Security Management System (ISMS).
Think of Clause 7.1 as the bedrock of your security posture. Without adequate resources—personnel, budget, tools, and infrastructure—even the most robust security plans will fail. This checklist provides a practical, step-by-step guide to satisfying ISO 27001 requirements and preparing for a successful audit.
Table of contents
- 1. Secure Senior Management Buy-In and Budget
- 2. Acquire a Foundational ISMS Toolkit
- 3. Define Organisational Roles and Responsibilities
- 4. Develop a Comprehensive Accountability Matrix
- 5. Assess and Document Team Competency
- 6. Leverage Specialist Resources Strategically
- 7. Address Small Organisation Constraints
- 8. Verify and Maintain Infrastructure Provision
- 9. Institute a Regular Review of Resource Needs
- 10. Prepare for the Clause 7.1 Audit
1. Secure Senior Management Buy-In and Budget
The first and most critical step for ISO 27001 compliance is securing unwavering commitment from the top. Auditors look for evidence that senior leadership is actively providing resources. This involves:
- Leadership Support: The CEO and leadership team are considered mandatory ISMS resources.
- Financial Allocation: Secure a formal budget covering the full ISMS lifecycle: establishment, implementation, maintenance, and continual improvement.
2. Acquire a Foundational ISMS Toolkit
Rather than starting from scratch, a structured ISO 27001 toolkit serves as a primary resource to accelerate your project. An effective toolkit—like the High Table ISO 27001 Toolkit—provides policy templates, audit checklists, and video walkthroughs to ensure your system is built efficiently and correctly.
3. Define Organisational Roles and Responsibilities
Clearly defining “who does what” is a cornerstone of an effective ISMS. You should use a best-practice roles and responsibilities document to assign mandatory positions, including:
- Information Security Manager
- Information Security Management Leadership
- The Management Review Team
4. Develop a Comprehensive Accountability Matrix
Document who is accountable for every specific requirement of the ISO 27001 standard. Using an ISO 27001 Accountability Matrix or a RACI matrix (Responsible, Accountable, Consulted, Informed) ensures that there are no gaps in ownership across the ISMS clauses and Annex A controls.
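The gap check the accountability matrix is meant to give you can be automated. The following is an added example, not code from the article or from the High Table toolkit; the clause list, the people and the RACI assignments are constructed sample data, and the rule applied (exactly one Accountable and at least one Responsible per in-scope clause or control) is the usual RACI convention rather than a requirement quoted from the standard.

```python
"""Gap check over an accountability (RACI) matrix.

Added example, not from the article or any toolkit: the clause list, the
people and the assignments below are constructed sample data.
"""
from collections import defaultdict

VALID_ROLES = {"R", "A", "C", "I"}

# Constructed sample: a few ISMS clauses and Annex A controls declared in scope.
IN_SCOPE = ["4.3", "6.1.2", "7.1", "7.2", "9.3", "A.5.1", "A.8.1"]

# Constructed matrix: control -> {person: RACI letter}. It deliberately carries
# three defects: 7.2 has two Accountables, 9.3 has no Responsible, and A.8.1
# is missing from the matrix altogether.
MATRIX = {
    "4.3":   {"ceo": "A", "isms_manager": "R", "it_lead": "C"},
    "6.1.2": {"isms_manager": "A", "risk_owner": "R", "ceo": "I"},
    "7.1":   {"ceo": "A", "isms_manager": "R"},
    "7.2":   {"ceo": "A", "hr_lead": "A", "isms_manager": "R"},
    "9.3":   {"ceo": "A", "isms_manager": "C"},
    "A.5.1": {"isms_manager": "A", "deputy_manager": "R", "all_staff": "I"},
}


def check_raci(matrix, in_scope):
    """Return a list of (control, problem) tuples; an empty list means no ownership gaps."""
    problems = []
    for control in in_scope:
        assignments = matrix.get(control)
        if assignments is None:
            problems.append((control, "not in matrix"))
            continue
        counts = defaultdict(int)
        for person, role in assignments.items():
            if role not in VALID_ROLES:
                problems.append((control, f"invalid role '{role}' for {person}"))
                continue
            counts[role] += 1
        if counts["A"] != 1:
            problems.append((control, f"expected exactly one Accountable, found {counts['A']}"))
        if counts["R"] == 0:
            problems.append((control, "no Responsible assigned"))
    return problems


if __name__ == "__main__":
    for control, problem in check_raci(MATRIX, IN_SCOPE):
        print(f"{control}: {problem}")
```

Run it against the real matrix before each management review; a non-empty result is the list of ownership gaps to close, and an empty result is itself useful evidence that the matrix is complete for the declared scope.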
5. Assess and Document Team Competency
Clause 7.2 (linked closely to 7.1) requires proof that staff are competent. A Competency Matrix allows you to:
- Identify skills required for specific ISMS roles.
- Demonstrate existing qualifications and experience.
- Highlight and address competency gaps through targeted training.
6. Leverage Specialist Resources Strategically
External specialists can accelerate certification. A strategic approach involves blending internal and external expertise:
- Implementation: Use specialists for deep technical knowledge to move faster.
- Maintenance: Transition to internal staff for daily operations while using external consultants for objective internal audits.
7. Address Small Organisation Constraints
In smaller teams, one person can hold multiple roles. However, you must maintain Segregation of Duties. Ensure that the person requesting an action (e.g., a system change) is not the same person authorised to approve it. This prevents conflicts of interest and maintains audit integrity.
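The requester-is-not-approver rule is only worth something if it is checked against the individual rather than the role, because in a small team the same person often holds both. The following added example (not code from the article or any toolkit; the role map, the change request and the approval attempts are constructed sample data) shows that check at the point where an approval is recorded.

```python
"""Segregation-of-duties check at the change-approval step.

Added example, not code from the article. The role holders, the change
request and the approval attempts below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed small-organisation role map: one person can hold several roles.
ROLE_HOLDERS = {
    "isms_manager": {"alice"},
    "it_lead": {"bob"},
    "change_approver": {"alice", "carol"},   # alice holds two roles
}


@dataclass
class ChangeRequest:
    change_id: str
    requested_by: str
    description: str
    approvals: list = field(default_factory=list)   # people who have approved


class SegregationOfDutiesError(Exception):
    pass


def holds_role(person, role):
    return person in ROLE_HOLDERS.get(role, set())


def approve(change, approver):
    """Record an approval, refusing it when it would break segregation of duties.

    The comparison is on the person, not the role, so someone who is both the
    requester and a change_approver is still rejected.
    """
    if not holds_role(approver, "change_approver"):
        raise PermissionError(f"{approver} is not a change approver")
    if approver == change.requested_by:
        raise SegregationOfDutiesError(
            f"{approver} requested {change.change_id} and cannot approve it")
    if approver in change.approvals:
        raise SegregationOfDutiesError(
            f"{approver} has already approved {change.change_id}")
    change.approvals.append(approver)
    return change


def is_approved(change):
    return len(change.approvals) >= 1 and change.requested_by not in change.approvals


def demo():
    """Exercise the three cases and return the outcome of each."""
    outcomes = {}
    cr = ChangeRequest("CHG-001", requested_by="alice",
                       description="constructed sample change")
    try:                       # requester approving her own change
        approve(cr, "alice")
        outcomes["self_approval"] = "allowed"
    except SegregationOfDutiesError:
        outcomes["self_approval"] = "blocked"
    try:                       # someone who is not an approver at all
        approve(cr, "bob")
        outcomes["non_approver"] = "allowed"
    except PermissionError:
        outcomes["non_approver"] = "blocked"
    approve(cr, "carol")       # an independent approver
    outcomes["independent_approval"] = "allowed" if is_approved(cr) else "blocked"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Keeping the rejected attempts in a log alongside the accepted approvals gives the auditor the evidence that the control operates, not just that it is written down.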
8. Verify and Maintain Infrastructure Provision
Resources extend to technology and physical environments. To satisfy Clause 7.1, you must:
- Verify hardware, software, and facilities support the ISMS.
- Maintain accurate asset inventories and infrastructure diagrams.
- Review capacity planning to ensure resources scale with business growth.
9. Institute a Regular Review of Resource Needs
Resource planning is not a “one and done” task. Your ISMS must evolve. Ensure that resource allocation is a formal agenda item in Management Review Meetings. Recorded meeting minutes serve as vital evidence for auditors that leadership is monitoring resource adequacy.
10. Prepare for the Clause 7.1 Audit
To pass the audit, you must present documented evidence. The auditor will focus on:
- ISMS Owner Competence: Proof that the manager has the necessary knowledge.
- Competency Records: The matrix showing your team is qualified.
- Evidence of Allocation: Proof that budget and time have been assigned to all declared controls in your Statement of Applicability (SoA).
About the author
Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management.
Holding an MSc in Software and Systems Security, Stuart combines academic rigor with extensive operational experience. His background includes over a decade leading Data Governance for General Electric (GE) across Europe, as well as founding and exiting a successful cyber security consultancy.
As a qualified ISO 27001 Lead Auditor and Lead Implementer, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. He has successfully guided hundreds of organizations – from high-growth technology startups to enterprise financial institutions – through the audit lifecycle.
His toolkits represent the distillation of that field experience into a standardised framework. They move beyond theoretical compliance, providing a pragmatic, auditor-verified methodology designed to satisfy ISO/IEC 27001:2022 while minimising operational friction.