ISO 27001:2022 Clause 7.1 Resources: The Lead Auditor’s Guide.

ISO 27001 Clause 7.1 Resources is a security control that mandates organisations to identify and provide the necessary assets for establishing, maintaining, and improving the ISMS. It ensures the Availability of Human, Financial, and Technical Resources to meet security objectives, delivering the Business Benefit of sustainable compliance and operational resilience.

In this guide, I will show you exactly how to implement ISO 27001 Clause 7.1 and ensure you pass your audit. You will get a complete walkthrough of the control, practical implementation examples, and access to the ISO 27001 templates and toolkit that make compliance easy.

I am Stuart Barker, an ISO 27001 Lead Auditor with over 30 years of experience conducting hundreds of audits. I will cut through the jargon to show you exactly what changed in the 2022 update and provide you with plain-English advice to get you certified.

Key Takeaways

• Mandatory Requirement: Clause 7.1 is a mandatory part of the ISO 27001 standard that requires organisations to identify and provide the necessary resources to establish, maintain, and continually improve their Information Security Management System (ISMS).
• Senior Management Responsibility: The ultimate responsibility for ensuring these resources are in place lies with senior management.
• Comprehensive Resource Planning: Resources include more than just a budget. They encompass people, an ISMS (like a toolkit), and other tools needed for the entire lifecycle of the ISMS, not just the initial certification.
• Internal and External Options: Organisations can use a mix of internal staff and external consultants to fulfill the resource requirements for their ISMS.

What is ISO 27001 Clause 7.1?

ISO 27001 Clause 7.1 is resources and it requires an organisation to provide the resources needed to establish, implement, maintain and continually improve the information security management system.

The ISO 27001 standard for ISO 27001 certification wants you to have the right people available for running ISO 27001.

Purpose and Definition

The purpose of ISO 27001 clause 7.1 Resources is to make sure you have the resources you need for an effective information security management system (ISMS).

The ISO 27001 standard defines ISO 27001 Clause 7.1 Resources as:

The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

ISO 27001:2022 Clause 7.1 Resources

ISO 27001 Clause 7.1 Requirement

Building on ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities this clause requires you to have the resources in place for an effective information security management system. This is about having the resources for the entire lifecycle of the information security management system (ISMS) not just the project to get the first ISO 27001 certification.

Applicability of ISO 27001 Clause 7.1 across different business models.

ISO 27001 Clause 7.1 Resource Requirements by Business Type

Business Type	Applicability of Clause 7.1	Why It Is Important	Resource Examples (Evidence)
Small Businesses	Resource provision is often about optimising limited staff bandwidth rather than hiring new teams. It typically involves multi-role assignment (e.g., the Office Manager also acting as the ISMS Manager).	Avoids Audit Failure: Auditors frequently flag “lack of time” as a major non-conformity. Demonstrating allocated time in a calendar is critical when budgets are tight.	CEO acts as Information Security Manager. Outsourced IT support contracts (managed services). Investment in an ISO 27001 Toolkit instead of a full-time consultant.
Tech Startups	Resources must be scalable to match rapid growth. Clause 7.1 requires provisioning for both personnel (developers) and infrastructure (cloud environments) that can expand with the product.	Investor Confidence: Investors perform due diligence on “Key Person Risk”. Documented resource planning proves the ISMS isn’t reliant on a single founder, ensuring continuity.	Budget for automated security scanning tools (SAST/DAST) in the CI/CD pipeline. Developer time allocated for secure coding training. Cloud infrastructure budget (AWS/Azure) specifically for security logging.
AI Companies	Requires specialised high-performance compute resources and niche expertise. Clause 7.1 extends to ensuring sufficient data processing capabilities and ethical governance structures.	Regulatory Alignment: With frameworks like the EU AI Act, proving you have “human oversight” resources and sufficient compute for model safety testing is mandatory.	Allocation of GPU budget for model robustness testing. Appointment of a Data Ethics Officer or Governance Board. Resources for vetting training data quality and bias.

How to Audit Clause 7.1 in an Agile/DevOps Environment

Tech companies often struggle to show “Resource Allocation” because they don’t have traditional project plans. In an Agile environment, you demonstrate Clause 7.1 compliance by using Security Story Points.

How to evidence this:

• Sprint Planning: Show evidence that “Security Refactoring” or “Pen Testing” tasks are assigned Story Points in Jira/Trello.
• Definition of Done (DoD): Include “Security Checks Passed” in your DoD. This proves that the resource of time is mandatorily allocated to security before code is released.
• The “Security Champion”: Allocate a specific developer in each squad as the “Security Champion.” This satisfies the “Human Resource” requirement without needing a dedicated security hire for every team.

Resource Allocation for AI & Machine Learning Teams

For AI companies, “Resources” (Clause 7.1) extends far beyond standard IT equipment. You must treat Data and Compute as critical resources that require availability guarantees, just like human staff.

Use this comparison to ensure your AI Resource Planning meets modern auditor expectations:

Traditional IT vs. AI/ML Resource Requirements

Resource Category	Traditional IT Requirement	AI / Machine Learning Requirement
Infrastructure	Servers, Firewalls, Laptops.	High-Performance Compute (HPC). You must prove budget allocation for GPU clusters (e.g., AWS p3 instances) to prevent model training failure.
Information	Policies, Procedures, Code.	Training Data Sets. Data is a resource. You must evidence “clean,” “licensed,” and “available” datasets for model retraining.
Human Competence	SysAdmins, Developers, CISO.	AI Ethicists & Data Scientists. Auditors will look for specific competence in “Bias Detection” and “Model Explainability.”
Tooling	Antivirus, SIEM, Jira.	MLOps Pipeline. Resources for “Model Registry” (e.g., MLflow) and “Drift Detection” tools are mandatory for maintaining the ISMS.

The Audit Trap: The “Model Training Cliff”

A common non-conformity for AI companies occurs when they run out of compute budget mid-year. If you cannot retrain your security model because you burned your Azure credits, you have failed Clause 7.1 (Availability of Resources).

The Fix: Your Clause 7.1 Budget Plan must include a line item for “Contingency Compute for Emergency Model Retraining” to satisfy the auditor that resources are sustainable.

How to Allocate Internal Resources for Your ISMS

If you are looking at gaining the skills and experience in house you have the option to consider ISO 27001 training.

There are many reputable ISO 27001 lead auditor training, ISO 27001 lead implementor training and associated courses to choose from.

It is our experience that these can provide excellent book knowledge to the standard but are very light on how to implement it in the real world, don’t come with templates and don’t provide specific, tailored advice and templates.

If you want training then of course, consider the book training but also companies like High Table provide low cost, structured, 1 to 1 real world implementation training that runs alongside your actual implementation and trains your team.

There is a wealth of training and guidance provided as part of the ISO 27001 Toolkit for free.

There are also free resources on the Internet such as this excellent YouTube Channel dedicated to ISO 27001 and showing you how to do it yourself.

If we were going to start anywhere we would start with this Essential Step By Step Guide to Implementing ISO 27001.

How to Use External Resources for Your ISMS

Whether you look to engage a professional such as a High Table ISO 27001 Consultant, hire someone full-time or train up internal staff on ISO 27001 lead auditor or ISO 27001 lead implementor courses you need to engage with trained and experienced resource for your ISO 27001 certification.

If you are using external resources then be sure to conduct your due diligence and research. There is a guide – The Top 10 ISO 27001 Companies and Top 10 ISO 27001 Certification Bodies

Decision Guide: Hiring (FTE) vs. Outsourcing (Consultant)

Clause 7.1 allows you to use external resources, but when should you? Use this decision matrix to allocate your budget effectively.

Resource Allocation Strategy: FTE vs. Contractor

Resource Need	Recommended Model	Why? (The 7.1 Justification)
ISMS Manager	Internal (FTE)	Ownership. You need a permanent “face” of security for staff culture. External consultants struggle to enforce internal discipline daily.
Internal Auditor	External (Outsourced)	Independence (Clause 9.2). It is difficult for an internal employee to audit their own boss impartially. Outsourcing guarantees objectivity.
Penetration Tester	External (Outsourced)	Specialisation. A Pen Tester requires niche skills used only once a year. It is resource-inefficient to keep this skill on a full-time payroll.
Security Analyst (SOC)	Hybrid / MSP	Coverage. Providing 24/7 monitoring requires 5+ staff. For SMEs, outsourcing this to a Managed Security Provider (MSP) is the only viable Clause 7.1 solution.

Watch the ISO 27001 Clause 7.1 Video Tutorial

In the video How To Implement ISO 27001 Clause 7.1 Resources I show you how to implement it and how to pass the audit.

How to implement ISO 27001 Clause 7.1: Step-By-Step

In this step by step implementation checklist to ISO 27001 resource I show you, based on real world experience and best practice, the best way to implement Clause 7.1.

Implementing ISO 27001 Clause 7.1 requires a strategic approach to allocating budget, tools, and personnel across the different phases of your compliance journey. Follow this step-by-step guide to ensure you have the right resources in place at the right time.

Step 1: Allocate and Secure Your Budget

Secure the financial resources required for the entire ISO 27001 implementation lifecycle. This is the foundation of Clause 7.1. Ensure you understand the full scope of costs before starting:

• Budget Approval: specific funding must be signed off by Top Management to demonstrate leadership commitment.
• Cost Analysis: Review the guide on How much does ISO 27001 Certification Cost? to ensure your estimates are accurate.
• Resource Provision: Ensure funds are available for the toolkit, external auditing fees, and potential specialist consultancy.

Step 2: Get Your Information Security Management System (ISMS)

Do not attempt to build the documentation from scratch. Accelerate the process by deploying a pre-configured system that includes all necessary resources, guides, and templates:

• Toolkit Deployment: Download the ISO 27001 Toolkit to immediately access the required policies and controls.
• Video Walkthroughs: Utilise the included step-by-step video guides to train your team without hiring expensive external trainers.
• Template Adoption: Rapidly customise the templates to fit your organisation, saving months of drafting time.

Step 3: Identify the ISO 27001 People Resources You Need

Determining the exact roles required can be difficult. You can approach this in two ways:

• Formal Approach: Treat this as a formal project. Allocate a Project Manager, conduct a gap analysis against the standard’s requirements, and map these to available staff. Identify gaps and hire to fill them.
• Informal Approach: Use the ISO 27001 resources template. This document sets out common roles and responsibilities. Simply map your existing staff to these pre-defined roles to ensure coverage without over-engineering the process.

Step 4: Allocate the Mandatory People Resources

Regardless of your approach, ISO 27001 mandates specific roles that must be filled. You must assign names to the following positions:

• 1. The CEO: Ultimate accountability lies here.
• 2. The Leadership Team: To drive the ISMS from the top down.
• 3. Information Security Management Leadership: To oversee strategy.
• 4. The Information Security Manager: For operational management.
• 5. The Management Review Team: To conduct regular governance reviews.

Refer to ISO 27001 Clause 5.3 for detailed guidance on structuring these authorities.

Step 5: Optimise Resource Allocation by Project Phase

Your resource needs will change as you move from establishment to maintenance. Adapt your strategy for each phase:

• Establishment & Implementation Phase: Use specialist resources. It is appropriate to engage experts (consultants or specialized toolkits) here to provide knowledge, speed up the process, and ensure a lean implementation.
• Certification Phase: Use a partnership model. Combine specialist resources with your own staff to ensure knowledge transfer while navigating the audit.
• Maintenance & Improvement Phase: Transition to internal staff. Use your own team for daily operations, utilizing specialist resources only for “sense checking” and internal audits to prepare for recertification.

ISO 27001 Clause 7.1 Implementation Checklist

10-Step ISO 27001 Clause 7.1 Implementation Checklist (Challenges & Solutions)

Step	Action	Common Challenge (The SaaS Trap)	The Solution (Simplicity & Ownership)
1	Define Resource Roles	Role Confusion: SaaS platforms often assign generic “Admin” or “User” roles that don’t map to ISO 27001 requirements, leaving the C-Suite disconnected.	Accountability Matrix: Use a simple RACI matrix in Excel to explicitly assign “Accountability” to the C-Suite and “Responsibility” to the ISMS Manager.
2	Conduct Gap Analysis	Over-scoping: automated tools often suggest you need every resource for every control, bloating your budget estimates.	Risk-Based Approach: Only allocate resources to controls that mitigate actual risks identified in your Risk Register.
3	Secure Budget	OpEx Fatigue: Asking for £1,000/month for a SaaS tool creates friction with Finance every single year.	One-Off CapEx: Purchase a Toolkit for a fixed fee. Finance prefers a single “Project Cost” over an undefined “Ongoing Liability.”
4	Map Competencies (7.2)	Hidden Data: Storing staff skills in a proprietary HR portal that auditors can’t easily access without a login.	Excel Competency Matrix: A simple spreadsheet mapping names to skills. Instant access, zero login barriers, and you own the data forever.
5	Select Infrastructure	Vendor Lock-in: Building your ISMS on a platform that holds your data hostage if you stop paying the subscription.	Microsoft 365: Use the infrastructure you already pay for (SharePoint/Teams) to store your ISMS. You already have the resource; use it.
6	Develop Training Plan	Generic E-Learning: “Death by PowerPoint” subscriptions that staff ignore, resulting in zero actual competence transfer.	Role-Based Briefings: Short, specific training sessions delivered by the ISMS Manager. Higher engagement, zero cost.
7	Integrate with HR	Siloed Systems: Security software that doesn’t talk to HR software, meaning leavers retain access (a Clause 7.1 failure).	Unified Checklists: Add ISMS steps directly to the HR Onboarding/Offboarding Word documents.
8	Allocate Time	“Side of Desk” Syndrome: Management assumes the ISMS will run itself via software automation.	Calendar Blocking: Formally allocate 2-4 hours/week in the Information Security Manager’s job description and calendar.
9	Management Review	Dashboard Blindness: Executives gloss over complex SaaS dashboards they don’t understand.	Simple Minutes: A clear, one-page Word document agenda where Top Management formally approves resource adequacy.
10	Audit Preparation	Export Nightmares: Trying to export PDFs from a SaaS tool 24 hours before the audit, only to find the formatting is broken.	Ready-to-Show: Your ISMS is already in folders. You just open the folder. The auditor is happy, and you are stress-free.

Resource Optimisation: Using Microsoft 365 as Your Primary Tool

Auditors do not mandate expensive GRC software. Clause 7.1 is satisfied perfectly by tools you likely already own. Optimise your “Infrastructure Resource” by repurposing Microsoft 365:

Microsoft 365 Feature Mapping for Clause 7.1

ISO 27001 Resource Need	The Expensive Way (New Tool)	The Optimised Way (Microsoft 365)
Document Control System	Buying a SaaS GRC Platform (£5k/year).	SharePoint. Use Version History and Permissions to control policies.
Device Management	Buying a 3rd Party MDM solution.	Intune (Endpoint Manager). Manage company laptops and mobiles directly.
Data Classification	Buying a Data Discovery Tool.	Purview Information Protection. Label docs “Confidential” automatically.
Staff Training Log	Buying an LMS (Learning Management System).	Microsoft Lists. A simple tracker linked to HR profiles.

ISO 27001 Clause 7.1 Templates

For ISO 27001 Clause 7.1 Resources the entire ISO 27001 toolkit is relevant but in particular the following templates directly support this ISO 27001 clause:

ISO 27001 Accountability Matrix Template

For each of the ISO 27001 clauses and the ISO 27001 Annex A controls you need to allocate and record who is responsible for that clause and control. You do this by completing an ISO 27001 Accountability Matrix.

ISO 27001 Competency Matrix Template

For each person involved in the operation of the Information Security Management System be sure to record them in them in the competency matrix. The competency matrix allows you to identify and demonstrate that you have the required competencies to run the information security management system. It also identifies gaps that you can plan to address.

ISO 27001 Clause 7.1: A Pro Tip for Implementers Small Organisations

When it comes to resources there are a couple of things that come up and people ask. One of those is – we’re a very small team, can one person have more than one role? Can one resource be allocated more than one role? and the answer to that is yes.

We often find in smaller organisations that one or two people are responsible and are assigned to multiple controls. Absolutely no problem at all.

What you do have to bear in mind is the requirement that we saw earlier and that you will come to in Annex A in more detail on the Segregation of Duty. You have to segregate out duties. What that normally means is authorisation isn’t provided by the person requesting the authority. We do a lot more deep dive into that in the annex A controls.

How to audit ISO 27001 Clause 7.1

To conduct an internal audit of ISO 27001 Clause 7.1 Resources use the following audit checklist which sets out what to audit and how to audit it.

ISO 27001 Clause 7.1 Audit Checklist: Evidence & Objectives

Audit Area	Objective	Required Evidence & Audit Methods
1. Resource Identification	Verify the organisation has identified the resources needed to support the ISMS.	Document review (resource plans, budget documents, organisational charts) Interviews with management and resource owners Analysis of ISMS requirements and corresponding resource needs
2. Personnel Competence	Ensure personnel involved in the ISMS are competent.	Document review (job descriptions, training records, competency frameworks) Interviews with personnel; observation of personnel performing tasks Review of certifications and qualifications
3. Infrastructure Provision	Verify that necessary infrastructure (hardware, software, facilities) is provided.	Document review (asset inventory, infrastructure diagrams, maintenance records) Interviews with IT and facilities personnel Physical inspection of infrastructure Review of capacity planning documentation
4. Financial Allocation	Ensure sufficient financial resources are allocated to the ISMS.	Document review (budget documents, financial statements) Interviews with budget holders and finance personnel Analysis of ISMS spending and its alignment with planned activities
5. Management Support	Verify top management demonstrates commitment to the ISMS by providing resources.	Interviews with top management Review of management review meeting minutes Examination of resource allocation decisions and justification Observation of management involvement in ISMS activities
6. Resource Maintenance	Ensure resources are maintained and kept up-to-date.	Document review (maintenance schedules, upgrade plans, patch management records) Interviews with IT and facilities personnel Observation of maintenance activities Review of vendor contracts for support and maintenance
7. Outsourced Processes	Verify the provider has necessary resources and competence if outsourcing ISMS-related processes.	Document review (contracts with service providers, SLAs) Interviews with service provider management Review of service provider audit reports and certifications Analysis of service provider performance data
8. Allocation Documentation	Verify that records of resource allocation for the ISMS are maintained.	Document review (resource allocation records, asset registers) Interviews with resource owners and administrators Examination of resource tracking systems and databases
9. Resource Needs Review	Ensure resource needs are regularly reviewed.	Review of management review outputs Interviews with management and resource owners Examination of resource planning documents and their updates Analysis of changes in ISMS requirements and impact on resource needs
10. Utilisation Improvement	Verify the organisation seeks opportunities to improve resource utilisation efficiency.	Interviews with management and staff Review of process improvement initiatives related to resource management Analysis of resource usage data and metrics Examination of resource optimisation plans

ISO 27001 Clause 7.1 Audit Checklist

ISO 27001 Clause 7.1 Audit Checklist: Controls & Evidence Examples

Audit Focus Area	Audit Objective (The “Why”)	Required Evidence Examples	Common Non-Conformity Flags
1. Human Resources (Availability)	To verify that sufficient staff time is dedicated to the ISMS, ensuring it is not just a “side-of-desk” activity.	RACI Matrix: Clearly defining who is “Responsible” vs. “Accountable”. Job Descriptions: Updated to include specific security responsibilities (e.g., “Maintains Risk Register”). Project Plans: Showing allocated hours for internal audits.	Staff listed as key ISMS owners but having zero allocated time in their calendar or job description.
2. Financial Resources (Budget)	To confirm Top Management has put actual money behind their commitment (Clause 5.1), ensuring the ISMS is sustainable.	Approved Budget Plan (2026): Line items for “Security Training,” “Penetration Testing,” and “Auditing”. Purchase Orders: For security tools (e.g., EDR software, Firewall licenses). Meeting Minutes: Board approval of the security budget.	“Zero budget” implementations where the organisation claims no costs are associated with running the security program.
3. Infrastructure & Tools	To ensure the physical and digital tools required to secure data are present and maintained.	Asset Inventory (Annex A 5.9): Listing laptops, servers, and mobile devices. Software Licenses: Proof of active subscriptions for AV/Malware protection. Floor Plans: Showing secure zones or server room access controls.	Using expired trial versions of security software or “Free Tier” tools that lack necessary logging features.
4. Specialised Knowledge	To check access to necessary ISO 27001 expertise, whether internal or external.	Training Certificates: Lead Implementer or Lead Auditor certs for the ISMS Manager. Consultancy Contracts: SLAs with external ISO 27001 experts if internal skill is missing. Competency Matrix: Mapping staff skills to ISMS requirements.	Appointing an “IT Manager” as the ISMS lead without providing them any specific ISO 27001 training.
5. Ongoing Review (Clause 9.3)	To verify that resource adequacy is reviewed regularly, not just at the start of the project.	Management Review Minutes: Specific agenda item “Adequacy of Resources” with recorded decisions. Change Logs: Evidence that resources increased following a major change (e.g., acquisition or new product launch).	Management Review minutes that copy-paste “Resources are adequate” every quarter without any actual discussion or data.

How to pass the ISO 27001 Clause 7.1 audit

To pass an audit of ISO 27001 Clause 7.1 Resources you are going to

• Understand the requirements of ISO 27001 Clause 7.1 Resources
• Identify the resources that you need
• Aquire People Resources
• Get an Information Security Management System (ISMS)
• Assess the competency of people
• Address competency gaps through training or bringing in specialist help

What the auditor will check

The audit is going to check a number of areas for compliance with ISO 27001 Clause 7.1 Resources. Lets go through them

What the ISO 27001 Auditor Will Check: Clause 7.1 Compliance

Audit Checkpoint	Auditor Expectation & Evidence
1. ISO 27001 Knowledge	The auditor will verify the presence of someone with specific ISO 27001 knowledge and experience. Essential for running an effective ISMS, avoiding failure due to a lack of basic resource investment.
2. Staff Competence	Regardless of the role identified, the auditor ensures allocated resources are competent to perform it. A competency matrix is required to demonstrate competence.
3. Control Resource Allocation	For the ISMS and all ISO 27001 Annex A controls listed in the Statement of Applicability (SOA), resources must be visibly allocated. It is not enough to document intent; active resource provision must be evident.

ISO 27001 Clause 7.1 Top Non Conformities

Top 3 Audit Non-Conformities for Clause 7.1 (and why SaaS is often the cause)

Audit Non-Conformity	The SaaS Trap (Root Cause)	The Auditor’s Finding	The Ownership Fix (Toolkit)
1. Insufficient Resource Availability	The “Subscription Cliff”: Critical security tools or training platforms were deactivated because the credit card expired, the user cap was hit, or the tier was downgraded to save OpEx.	“The organisation could not demonstrate the availability of required monitoring tools during the audit period due to licensing restrictions.”	Permanent Assets: You own the files and tools. There is no “subscription” to expire, ensuring resources are 100% available 365 days a year, regardless of cash flow.
2. Inaccessible Competence Records	The “Vendor Lock-Out”: Training records were stored in a third-party LMS that the company stopped paying for. When the auditor asked for history, the data was gone or behind a paywall.	“Evidence of competence (7.2) for the previous financial year was unavailable as the organisation no longer has access to the third-party platform.”	Local Control: Competence matrices are simple Excel files stored on your own secure server. You have total retention of staff records for 10, 20, or 30 years.
3. Lack of Historical Audit Trail	The “Retention Limit”: Many SaaS platforms auto-delete logs or project history after 30-90 days to save storage costs. You cannot prove you allocated resources 6 months ago.	“The organisation failed to provide evidence of resource allocation for the Q1 and Q2 periods due to data retention limitations of the supplier.”	Unlimited History: Since you control the file storage, you keep every version of every budget and resource plan forever. You define the retention policy, not a SaaS vendor.

Fast track ISO 27001 Clause 7.1 compliance with the ISO 27001 Toolkit

ISO 27001 Toolkit vs. SaaS: The Clause 7.1 Resource Advantage

Comparison Criteria	HighTable ISO 27001 Toolkit	Typical ISO 27001 SaaS Platform	Impact on Clause 7.1 (Resources)
Asset Ownership (Data Sovereignty)	Permanent Ownership. You download, store, and own every file forever. No ongoing payments required to access your own ISMS.	Rental Model. You only have access while you pay the subscription. Stop paying, and you lose access to your resource plans and evidence.	Audit Security. Ensures you always have the documented evidence required for audit, regardless of future budget cuts.
Competence & Training (Simplicity)	Zero Learning Curve. Built on Microsoft Word and Excel. Your staff already possess the competence to use these tools, requiring no additional training resources.	High Learning Curve. Requires training staff on new, complex proprietary software, consuming valuable time and training budgets.	Resource Optimisation. Minimises the “Competence” burden (Clause 7.2), allowing resources to focus on security, not software training.
Financial Allocation (Cost)	One-Off Investment. A single, fixed cost that fits easily into a yearly CapEx budget. View Toolkit Pricing.	Recurring Drain. Expensive monthly subscriptions (OpEx) that increase over time as you add users, draining the financial resources required by Clause 7.1.	Budget Efficiency. Frees up financial resources to be spent on actual security controls (e.g., firewalls, pentesting) rather than administrative tools.
Vendor Freedom (Lock-in)	Total Freedom. No vendor lock-in. You can move, edit, or migrate your ISMS files to any system or folder structure you choose.	High Friction. migrating away is often difficult, with data trapped in proprietary formats or messy PDF exports.	Agility. Ensures your ISMS infrastructure remains flexible and under your control, a key aspect of resource availability.

ISO 27001 Clause 7.1: Related Controls & Clauses

ISO 27001 Clause / Control	Name	Relationship to Clause 7.1 (Resources)
ISO 27001 Clause 5.1	Leadership and Commitment	Upstream Dependency: Top management is explicitly required to ensure that the resources for the ISMS are available. Without Clause 5.1 commitment, Clause 7.1 cannot be satisfied.
ISO 27001 Clause 6.3	Planning of Changes	Trigger: When the ISMS changes (e.g., new tech, growth), Clause 6.3 triggers a re-evaluation of Clause 7.1 to ensure resource availability matches the new scope.
ISO 27001 Clause 7.2	Competence	Direct Partner: Clause 7.1 provides the human resources (the people); Clause 7.2 ensures they have the skills to perform the role. You cannot have 7.2 without first satisfying 7.1.
ISO 27001 Clause 9.3	Management Review	Feedback Loop: Management must review the adequacy of resources during the formal management review meeting. This is the primary mechanism for requesting more resources.
ISO 27001 Annex A 5.3	Segregation of Duties	Resource Heavy: Requires sufficient headcount (Clause 7.1) to split conflicting roles (e.g., the person requesting access cannot be the one approving it).
ISO 27001 Annex A 5.7	Threat Intelligence	External Resources: Often requires financial resources (budget) for external threat feeds or specialist consultancy.
ISO 27001 Annex A 6.3	Information Security Awareness, Education and Training	Budget & Time: Requires financial resources for training platforms and, crucially, time resources for staff to actually attend the training.
ISO 27001 Annex A 7.1 – 7.14	Physical Controls	Infrastructure: These controls represent the “Physical Facilities” aspect of Clause 7.1. This includes secure areas, cabling, and entry systems.
ISO 27001 Annex A 8.1	User Endpoint Devices	Hardware Assets: The provision of laptops, mobiles, and tablets falls under the “Infrastructure” requirement of Clause 7.1.

ISO 27001 Clause 7.1 Resources vs ISO 27001 Clause 7.2 Competence

One of the most common points of confusion in ISO 27001 is the distinction and the dependency between Clause 7.1 and Clause 7.2. While they are distinct requirements, they are inextricably linked in the eyes of an auditor. You cannot satisfy one without the other.

The “Hardware vs. Software” Analogy:
Think of Clause 7.1 as the “Hardware” (the physical availability of a person, a budget, or a tool). Think of Clause 7.2 as the “Software” (the knowledge, skills, and experience installed in that person to make them effective).

Comparing Resource Provision vs. Competence

To differentiate clearly between these two clauses, use the comparison table below. This is particularly useful when categorizing non-conformities or preparing evidence folders.

Feature	Clause 7.1: Resources	Clause 7.2: Competence
Primary Focus	Availability & Capacity. Is the person/tool physically present and funded?	Capability & Skill. Does the person/tool actually know how to perform the task?
The Question it Asks	“Have you given us enough time and money to do the job?”	“Do we have the training and experience to do the job correctly?”
Key Evidence	Budgets, Org Charts, Job Descriptions, Project Plans.	CVs, Certificates, Training Logs, Competency Matrices.
Failure Example	The Security Manager has 0 hours allocated in their calendar for ISMS work.	The Security Manager has 40 hours allocated but doesn’t know what an ISMS is.
Corrective Action	Hire more staff, increase budget, buy better tools.	Provide training, hire a mentor, or replace the resource.

The Auditor’s View: The Dependency Loop

Auditors often find that a failure in Clause 7.2 (Competence) is actually a symptom of a root cause in Clause 7.1 (Resources).

For example, if an employee fails to follow a secure coding practice, the immediate non-conformity might seem like a competence issue (7.2). However, if the root cause analysis reveals that the organisation never allocated the budget for training or the time to attend the course, the non-conformity will be raised against Clause 7.1.

To pass your audit, you must demonstrate the flow:

1. Identify: We need a resource (7.1).
2. Define: That resource requires specific skills (7.2).
3. Provide: We have hired/allocated the person (7.1).
4. Verify: We have checked/trained their skills (7.2).

ISO 27001 Clause 7.1 Mapped to other Standards

Standard / Framework	Specific Reference	Relationship to ISO 27001 Clause 7.1 (Resources)
ISO/IEC 42001 (AI Management)	Clause 7.1	The “Twin” standard for AI. It mirrors Clause 7.1 but expands the scope of “resources” to explicitly include AI data, computing power, and specialised AI talent necessary to train and validate models.
EU AI Act	Article 17 (Quality Management System)	Explicitly lists “Resource Management” (Point l) as a mandatory component of the QMS for high-risk AI providers. Clause 7.1 provides the auditable mechanism to demonstrate these resources (human and technical) are in place.
EU NIS2 Directive	Article 21 (Risk Management Measures)	Mandates “Human resources security” (Point i) and “Security in… maintenance” (Point e). Clause 7.1 provides the governance evidence that sufficient staff and budget have been allocated to meet these legal obligations.
EU DORA (Digital Operational Resilience Act)	Article 5 (Governance and Organisation)	Explicitly places responsibility on the management body to allocate “appropriate budget and resources” for ICT risk management. Clause 7.1 is the direct compliance vehicle for financial entities to prove this budget allocation to regulators.
ISO 9001:2015 (Quality)	Clause 7.1	Shares the exact clause structure. Allows for a unified resource planning process that covers both information security (27001) and product quality (9001), preventing duplicated budget requests.
ISO 22301:2019 (BCMS)	Clause 7.1	Focuses on resilience resources. Requires evidence that resources (standby sites, recovery teams, backup hardware) are not just identified but actively “available” for activation during a disruption.
ISO 20000-1:2018 (ITSM)	Clause 7.1	Focuses on service delivery resources. Ensuring that the Service Desk and Technical Teams are sufficiently staffed to handle security incidents aligns directly with the “Human Resources” requirement of 27001.
SOC 2	Criteria CC1.4 (COSO Principle 4)	Requires the entity to “demonstrate a commitment to attract, develop, and retain competent individuals.” Clause 7.1 (Resources) combined with Clause 7.2 (Competence) generates the HR evidence (hiring plans, training budgets) required for this criteria.
NIST SP 800-53	Control PM-3 (Information Security Resources)	A prescriptive federal control that requires organisations to “ensure that all capital planning and investment requests include the resources needed” for security. This is the government-sector equivalent of Clause 7.1.
PCI DSS v4.0	Requirement 12.1.2 & 12.1.3	Mandates that security responsibilities are assigned to specific personnel (resources) and that they understand their roles. You cannot satisfy this without the “People” provision of Clause 7.1.
ITIL 4	Dimension: Organisations & People	Defines the “How-To” of resource structuring. Auditors often look for ITIL-aligned service desks as evidence that the “Human Resources” required by Clause 7.1 are organised effectively.
GDPR	Article 38(2)	Requires the controller to support the Data Protection Officer (DPO) by “providing resources necessary to carry out those tasks.” Clause 7.1 is the mechanism to document and prove this support exists.

Efficiency Hack: “Double Dipping” with ISO 9001/14001

If your organisation already holds ISO 9001 (Quality), you do not need to duplicate resources. Clause 7.1 in ISO 27001 is structurally identical to Clause 7.1 in ISO 9001. You can “Double Dip” your resources to save money.

• Shared Management Review: Use the same Management Review Team (Resource) to cover both Quality and Security agendas in a single meeting.
• Shared Audit Team: Train your Internal Quality Auditors to also audit Information Security. This avoids hiring a separate team.
• Shared Induction Platform: Use your existing HR Onboarding platform (Resource) to deliver the ISO 27001 awareness training alongside the Health & Safety training.

How to Calculate “Adequacy”: Moving from Guesswork to Data

The most common question auditors ask is, “How did you determine this was enough?” If your answer is “It felt about right,” you risk a non-conformity. You must demonstrate a data-driven approach to resource calculation.

Use the following metrics to justify your resource allocation in your Management Review meetings:

Metric	What it Indicates	Resource Implication
Risk Register Volume	High number of risks requiring “Treatment”.	More Budget. Each treatment plan (e.g., encryption, new firewalls) requires specific financial or technical implementation resources.
Incident Response Time	Time taken to close security tickets or incidents.	More Headcount. If MTTR (Mean Time To Resolve) is increasing, you have evidence that your current human resources are stretched too thin.
Audit Findings (Non-Conformities)	Number of minor NCs related to process delays.	Process/Tooling Gap. Repeated delays suggest manual processes are failing; investment in automation (Tools) is required.
Change Frequency	Rate of new code releases or infrastructure changes.	Scalability. High velocity requires automated testing tools (SAST/DAST) as human review cannot keep pace.

The Business Risks of Under-Resourcing (Why “Cheap” is Expensive)

Failing to allocate sufficient resources to Clause 7.1 doesn’t just risk a failed audit; it introduces significant business risks.

Risk Area	Scenario	Business Impact
Legal & Regulatory	Breach of GDPR or Contractual SLAs due to slow incident response.	Fines (up to 4% turnover) and immediate loss of client trust.
Audit Failure	Major Non-Conformity raised for “Lack of Capacity”.	Certification suspended or revoked; inability to tender for new contracts.
Burnout & Churn	Key staff member (Single Point of Failure) leaves due to overwork.	Loss of institutional knowledge; high recruitment fees to replace skilled staff.

Passing the “Hallway Test”: The Auditor’s Secret Weapon

Auditors don’t just look at your budget spreadsheets. They perform what we call the “Hallway Test” (or “Water Cooler Test”). They will casually ask your staff questions to test the reality of your resource allocation.

Common “Trap” Questions Auditors Ask Staff:

• “Do you feel you have enough time to do these security checks properly, or are you rushing?”
• “When was the last time you had to skip a security step to meet a deadline?”
• “Do you have the tools you need, or are you using your own workarounds?”

The Danger: If your staff answer “I’m swamped” or “I just bypass that to get it done,” you will receive a Non-Conformity for Clause 7.1, even if you have a million-pound budget. Solution: Ensure you have genuinely discussed workload capacity with teams before the audit.

The “Shadow Resource” Risk: Controlling Shadow IT

In modern organisations, “Resources” often appear without IT’s permission. Marketing might buy a mailing tool; Developers might spin up a cloud server. ISO 27001 Clause 7.1 requires you to identify and provide resources—but you cannot manage what you cannot see.

The Clause 7.1 Shadow IT Fix:

• Policy: Explicitly ban the purchase of “Shadow Resources” (software/hardware) on personal expenses.
• Discovery: Regularly review financial accounts for “unidentified software subscriptions” (a key indicator of hidden resources).
• Centralisation: Bring these “Shadow Resources” into the official Asset Register so they can be properly resourced, maintained, and secured.

What if we can’t afford it? The “Resource Refusal” Process

ISO 27001 does not require you to have an infinite budget. It requires you to manage risk. If a request for resources (Clause 7.1) is denied due to budget constraints, you must follow this “Safe Refusal” process to avoid a non-conformity.

1. Document the Request: Ensure the request for the tool/staff is recorded in meeting minutes.
2. Record the Decision: Explicitly minute the refusal: “Request for [Tool X] declined due to budget constraints.”
3. Update the Risk Register (CRITICAL): This is the step most people miss. If you refuse the resource that treats a risk, the risk has increased. You must update the Risk Register to show you are “Accepting” the higher risk level.
4. Management Sign-Off: Top Management must sign off on this “Risk Acceptance.” This proves they own the decision (Clause 5.1), satisfying the auditor.

The Budget Lifecycle: Year 1 (Build) vs. Year 2 (Maintain)

A common mistake is assuming the resource cost is flat. ISO 27001 follows a “Front-Loaded” resource model. Use this guide to forecast your financial resources accurately.

Resource Category	Year 1 (Implementation)	Year 2+ (Maintenance)	The Shift
Consultancy / Toolkits	High. Heavy investment in templates, gap analysis, and policy writing.	Low. Shift to “light touch” advisory or specific problem-solving.	CapEx → OpEx
Internal Staff Time	Intense. Project teams, risk workshops, and new process adoption.	Steady State. Monthly meetings, quarterly reviews, and audit support.	Project → BAU
Auditing Fees	Stage 1 & 2 Audit. (Typically higher cost due to duration).	Surveillance Audits. (Typically 30-50% cheaper than initial cert).	Cost Reduction
Penetration Testing	Baseline. Initial testing of all critical scope items.	Annual. Recurring cost that must be protected in the budget annually.	Recurring

The Clause 7.1 “Shopping List”

To ensure you haven’t missed a resource category, check off these department-specific requirements before your audit.

• Legal / Compliance
  • Data Protection Officer (DPO) access (internal or external).
  • Cyber Liability Insurance policy.
  • Access to legislation registers (e.g., updates on AI Act/GDPR).
• IT / Operations
  • Log storage capacity (SIEM retention costs).
  • Backup storage (Cloud/Tape costs).
  • Vulnerability scanning licenses.
• HR / People
  • Background check provider (Screening).
  • Security Awareness Training platform subscription.
  • Disciplinary process (legal support).
• Facilities
  • Secure shredding bins/service.
  • Access control maintenance (Keycards/Biometrics).
  • CCTV storage and maintenance.

Audit Trap: The “Key Person Risk” (Succession Planning)

Auditors test Clause 7.1 not just for current availability, but for continuity. If your entire ISMS exists in the head of one “Security Hero,” you have a Single Point of Failure (SPoF). This is a Clause 7.1 non-conformity waiting to happen.

The Fix: The “Deputy” System
You do not need to hire two managers. You simply need a documented “Deputy” protocol:

• Primary Resource: Information Security Manager (Runs the ISMS).
• Secondary Resource (The Deputy): COO or IT Director (Allocated 2 hours/month to “shadow” the ISMS process so they can step in during an emergency).
• Evidence: Document this arrangement in the ISO 27001 Roles & Responsibilities document.

Visual Audit “Red Flags”: What Auditors Notice Immediately

Auditors are trained to spot visual cues that suggest under-resourcing. Ensure you don’t display these “Red Flags” on audit day.

Visual Indicators of Clause 7.1 Failure

The Visual Cue	What it tells the Auditor
“Trial Mode” Watermarks	You are using unpaid/evaluation versions of security software, implying zero budget.
Outdated Hardware	Windows 10/Server 2012 screens visible in the office imply a lack of “Infrastructure Resource” renewal.
Harried Staff	Staff eating lunch at desks while working on security tickets implies a “Human Resource” capacity failure.
Excel vs. Tools	Managing 500 assets in a manual spreadsheet (and failing) suggests a refusal to invest in proper tooling.

The WFH Resource Trap: Extending “Infrastructure” to the Home

Since the shift to remote work, the definition of “Infrastructure” (Clause 7.1) has expanded. You cannot demand secure working practices if you have not provided the resources to enable them.

Auditors will check if you have provided (or verified) the following WFH resources:

• Privacy Screens: If staff work in shared spaces (e.g., coffee shops, flatshares), have you provided filters?
• Secure Destruction: If staff print documents at home, have you provided a shredder or a “secure return” bag service?
• Connectivity: Have you provided a corporate VPN or 4G Dongle, or are you relying on their (potentially insecure) shared ISP router?

Auditing Your Supplier’s Resources (MSP Assurance)

If you outsource your IT to a Managed Service Provider (MSP), they are your resource. You must verify their capacity just as you would an internal employee.

The “Resource Assurance” Checklist for MSPs:

• SLA vs. Resource: Does their contract guarantee specific response times (e.g., “1 hour response”)? This is your evidence of “Availability.”
• Staff Continuity: Do they have enough staff to cover holidays/sickness, or is your support dependent on one specific engineer?
• Tooling: Are they using enterprise-grade RMM (Remote Monitoring) tools, or manual checks? (Ask for a screenshot of their dashboard as evidence).

How to Fix a Clause 7.1 Non-Conformity (Remediation)

If an auditor flags a “Lack of Resources” (Minor Non-Conformity), do not panic. Follow this Corrective Action plan to close it quickly:

1. Immediate Fix (Correction): If the issue is a missing tool/person, get a quote or job description approved immediately to show “Intent.”
2. Root Cause Analysis (The “Why”): Ask why the resource was missing. Was it budget denial? Oversight? Process failure?
3. System Fix (Prevention): Update your Management Review Agenda to include a mandatory “Resource Check” question to prevent recurrence.
4. Evidence Submission: Send the auditor the Management Review minutes showing the new check is in place.

Resource Spending Timeline: When Does the Cost Hit?

You do not need to spend your entire ISO 27001 budget on Day 1. Use this timeline to manage your cash flow effectively across the implementation lifecycle.

Cash Flow Guide: Phased Resource Expenditure

Phase	Timing (Typical)	Primary Resource Cost	% of Total Budget
Phase 1: Initiation	Months 1-2	Toolkit & Training. Purchasing the document framework and training the ISMS Manager.	15%
Phase 2: Implementation	Months 3-6	Tools & Infrastructure. Buying/upgrading software (e.g., Endpoint Protection, Asset Management) and fixing gaps.	30%
Phase 3: Pre-Audit	Month 8	Penetration Testing. Hiring external testers to validate controls before the audit.	20%
Phase 4: Certification	Month 9-12	Auditor Fees. The Stage 1 and Stage 2 certification body fees (the largest single invoice).	35%

The “Zero-Cost” Resource Strategy: Cross-Training Champions

If you have no budget to hire new staff, you must manufacture resources internally through Cross-Training. This satisfies Clause 7.1 by increasing availability without increasing headcount.

How to manufacture resources:

• The Office Manager → Document Controller: Train your Admin to handle version control (allocating 2 hours/week).
• The Developer → Internal Auditor: Train a Senior Dev to audit the HR department (they are independent of HR, satisfying Clause 9.2).
• The CFO → Risk Owner: Train the Finance Lead to own the “Supplier Risk” process, removing the burden from IT.

ISO 27001 Clause 7.1: Resources FAQ

About the author