
The Ultimate Guide to ISO 27001:2022 Clause 7.1: Resources

Last updated Sep 17, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 Resources

ISO 27001 Resources is the requirement to identify the resources you need to build an information security management system and then to provide them.

In ISO 27001 this is known as ISO 27001:2022 Clause 7.1 Resources. It is one of the mandatory ISO 27001 clauses.

Building and implementing an Information Security Management System (ISMS) requires resources. We are going to look at exactly what resources you need.

Key Takeaways

  • Mandatory Requirement: Clause 7.1 is a mandatory part of the ISO 27001 standard that requires organisations to identify and provide the necessary resources to establish, maintain, and continually improve their Information Security Management System (ISMS).
  • Senior Management Responsibility: The ultimate responsibility for ensuring these resources are in place lies with senior management.
  • Comprehensive Resource Planning: Resources include more than just a budget. They encompass people, an ISMS (like a toolkit), and other tools needed for the entire lifecycle of the ISMS, not just the initial certification.
  • Internal and External Options: Organisations can use a mix of internal staff and external consultants to fulfill the resource requirements for their ISMS.

What is ISO 27001 Clause 7.1 and Why is it Important?

ISO 27001 Clause 7.1 is Resources. It requires an organisation to provide the resources needed to establish, implement, maintain and continually improve the information security management system.

For ISO 27001 certification, the standard wants you to have the right people available to run your ISO 27001 management system.

Purpose and Definition

The purpose of ISO 27001 clause 7.1 Resources is to make sure you have the resources you need for an effective information security management system (ISMS).

The ISO 27001 standard defines ISO 27001 Clause 7.1 Resources as:

The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

ISO 27001:2022 Clause 7.1 Resources

ISO 27001 Clause 7.1 Requirement

Building on ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities, this clause requires you to have the resources in place for an effective information security management system. This is about having the resources for the entire lifecycle of the information security management system (ISMS), not just the project to gain the first ISO 27001 certification.

How to Allocate Internal Resources for Your ISMS

If you are looking at gaining the skills and experience in house you have the option to consider ISO 27001 training.

There are many reputable ISO 27001 lead auditor, ISO 27001 lead implementer and associated training courses to choose from.

It is our experience that these provide excellent book knowledge of the standard but are very light on how to implement it in the real world, do not come with templates, and do not provide specific, tailored advice.

If you want training then by all means consider the formal course training, but note that companies like High Table also provide low-cost, structured, one-to-one real-world implementation training that runs alongside your actual implementation and trains your team.

There is a wealth of training and guidance provided as part of the ISO 27001 Toolkit for free.

There are also free resources on the Internet such as this excellent YouTube Channel dedicated to ISO 27001 and showing you how to do it yourself.

If we were going to start anywhere we would start with this Essential Step By Step Guide to Implementing ISO 27001.

How to Use External Resources for Your ISMS

Whether you engage a professional such as a High Table ISO 27001 Consultant, hire someone full-time, or train up internal staff on ISO 27001 lead auditor or ISO 27001 lead implementer courses, you need trained and experienced resource for your ISO 27001 certification.

If you are using external resources then be sure to conduct your due diligence and research. There are guides to help with this: The Top 10 ISO 27001 Companies and The Top 10 ISO 27001 Certification Bodies.


ISO 27001 Clause 7.1 Explained: A Complete Guide

In the video How To Implement ISO 27001 Clause 7.1 Resources I show you how to implement it and how to pass the audit.

How to implement ISO 27001 Clause 7.1: Step-By-Step

In this step-by-step implementation checklist for ISO 27001 resources I show you, based on real-world experience and best practice, the best way to implement Clause 7.1.

Time needed: 1 hour and 30 minutes

How to implement ISO 27001 Clause 7.1 Resources

  1. Allocate your budget

    Secure the budget for your ISO 27001 implementation. Further reading on the ISO 27001 costs: How much does ISO 27001 Certification Cost?

  2. Get your information security management system (ISMS)

    Download the ISO 27001 Toolkit which includes all of the resources, step by step guides and video walkthroughs you will need.

  3. Identify the ISO 27001 people resources you need

    You need the resources to manage the management system, but you might not know what roles you need. It is a bit of a catch-22.

    Formal Approach

    The formal approach to identifying what resources you need would be to set up a project, allocate a project manager, do a project analysis that looks at what the standard requires, map that requirement to your available resources, identify resource gaps and plan to fill the gaps.

    Informal Approach

    Use the ISO 27001 resources template, which sets out the common roles that you need and the responsibilities of those roles. Using this roles and responsibilities template, allocate the resources that you have to those roles.

  4. Allocate the mandatory people resources

    The list of mandatory ISO 27001 resources:
    1. the CEO
    2. the leadership team
    3. Information Security Management Leadership
    4. the Information Security Manager
    5. the Management Review Team

    In addition to this there are optional resources that you will require based on your approach and needs. These are all documented in the ISO 27001 resources template. You need to establish what your structure is going to be, establish what roles you need and allocate people to those roles. Further reading: ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities.

  5. During the ISO 27001 establishment phase

    Use specialist resource. It is appropriate to use a specialist resource at this phase of the project: you want people who understand the standard, understand the requirement and can help you through the establishment phase.

  6. During the ISO 27001 implementation phase

    Use specialist resource. It is appropriate to use a specialist resource at this phase of the project. Specialist resource provides knowledge and experience, makes the process faster and leaner, and gets you to certification quicker.

  7. During the ISO 27001 certification phase

    Use specialist resource in combination with your own staff. At this phase of the project, taking the certification is a partnership between specialist resource and your own people.

  8. During the ISO 27001 maintenance phase

    Use your own staff, with training and sense checking by specialist resource. For maintenance of your ISO 27001 you have options. Where possible use your own staff, and use a specialist resource to sense check the work that you are doing.

  9. During the ISO 27001 continual improvement phase

    Use your own staff, with training and sense checking by specialist resource. A smaller organisation can run continual improvement with its own staff, sense checked by a specialist resource. Use that specialist resource to conduct your internal audits and get you ready for your continuing (surveillance) audit and then your recertification.

How can an ISO 27001 Toolkit help with ISO 27001 Clause 7.1 Resources?

For ISO 27001 Clause 7.1 Resources the entire ISO 27001 toolkit is relevant but in particular the following templates directly support this ISO 27001 clause:

ISO 27001 Accountability Matrix Template

For each of the ISO 27001 clauses and the ISO 27001 Annex A controls you need to allocate and record who is responsible for that clause and control. You do this by completing an ISO 27001 Accountability Matrix.

ISO 27001 ISMS Rasci Matrix Template

ISO 27001 Competency Matrix Template

For each person involved in the operation of the Information Security Management System, be sure to record them in the competency matrix. The competency matrix allows you to identify and demonstrate that you have the required competencies to run the information security management system. It also identifies gaps that you can plan to address.


ISO 27001 Clause 7.1: A Pro Tip for Implementers in Small Organisations

When it comes to resources there are a couple of questions that people regularly ask. One of those is: we are a very small team, can one person have more than one role? Can one resource be allocated more than one role? The answer to that is yes.

We often find in smaller organisations that one or two people are responsible and are assigned to multiple controls. Absolutely no problem at all.

What you do have to bear in mind is the requirement that we saw earlier, and that you will come to in more detail in Annex A, on Segregation of Duties. You have to segregate duties. What that normally means is that authorisation is not provided by the person requesting it. We do a much deeper dive into that in the Annex A controls.

How to audit ISO 27001 Clause 7.1

To conduct an internal audit of ISO 27001 Clause 7.1 Resources use the following audit checklist which sets out what to audit and how to audit it.

1. Review Resource Identification

Verify the organisation has identified the resources needed to support the ISMS.

  • Document review (resource plans, budget documents, organisational charts)
  • Interviews with management and resource owners
  • Analysis of ISMS requirements and their corresponding resource needs

2. Assess Personnel Competence

Ensure personnel involved in the ISMS are competent.

  • Document review (job descriptions, training records, competency frameworks)
  • Interviews with personnel, observation of personnel performing tasks
  • Review of certifications and qualifications

3. Evaluate Infrastructure Provision

Verify that necessary infrastructure (hardware, software, facilities) is provided.

  • Document review (asset inventory, infrastructure diagrams, maintenance records)
  • Interviews with IT and facilities personnel
  • Physical inspection of infrastructure
  • Review of capacity planning documentation

4. Examine Financial Resource Allocation

Ensure sufficient financial resources are allocated to the ISMS.

  • Document review (budget documents, financial statements)
  • Interviews with budget holders and finance personnel
  • Analysis of ISMS spending and its alignment with planned activities

5. Assess Management Support

Verify top management demonstrates commitment to the ISMS by providing resources.

  • Interviews with top management
  • Review of management review meeting minutes
  • Examination of resource allocation decisions and their justification
  • Observation of management involvement in ISMS activities

6. Evaluate Resource Maintenance

Ensure resources are maintained and kept up-to-date.

  • Document review (maintenance schedules, upgrade plans, patch management records)
  • Interviews with IT and facilities personnel
  • Observation of maintenance activities
  • Review of vendor contracts for support and maintenance

7. Examine Outsourced Processes

If outsourcing ISMS-related processes, verify the provider has necessary resources and competence.

  • Document review (contracts with service providers, SLAs)
  • Interviews with service provider management
  • Review of service provider audit reports and certifications
  • Analysis of service provider performance data

8. Assess Resource Allocation Documentation

Verify that records of resource allocation for the ISMS are maintained.

  • Document review (resource allocation records, asset registers)
  • Interviews with resource owners and administrators
  • Examination of resource tracking systems and databases

9. Evaluate Resource Needs Review

Ensure resource needs are regularly reviewed.

  • Review of management review outputs
  • Interviews with management and resource owners
  • Examination of resource planning documents and their updates
  • Analysis of changes in ISMS requirements and their impact on resource needs

10. Assess Resource Utilisation Improvement

Verify the organisation seeks opportunities to improve resource utilisation efficiency.

  • Interviews with management and staff
  • Review of process improvement initiatives related to resource management
  • Analysis of resource usage data and metrics
  • Examination of resource optimisation plans

How to pass the ISO 27001 Clause 7.1 audit

To pass an audit of ISO 27001 Clause 7.1 Resources you are going to:

  • Understand the requirements of ISO 27001 Clause 7.1 Resources
  • Identify the resources that you need
  • Acquire people resources
  • Get an Information Security Management System (ISMS)
  • Assess the competency of people
  • Address competency gaps through training or bringing in specialist help

What the auditor will check

The audit is going to check a number of areas for compliance with ISO 27001 Clause 7.1 Resources. Let's go through them.

1. That you have someone that knows ISO 27001

This should go without saying, but running an effective information security management system (ISMS) that meets the requirements of ISO 27001 requires someone with knowledge and experience of ISO 27001. This is not always obvious, and we see many audits fail because people do not invest in this most basic of resource requirements.

2. The competence of staff

Whatever the role you have identified for your management system, the auditor is going to make sure that the people and resources allocated to that role are competent to perform it. The competency matrix is a great tool here to demonstrate competence.

3. All controls have resources allocated

For the information security management system (ISMS) and the ISO 27001 Annex A controls that you have chosen on your Statement of Applicability (SOA), the auditor will check that resources are allocated. It is not enough to say that you do something; you must actually do it and have resources allocated to make sure that it gets done.


ISO 27001 Clause 7.1: Resources FAQ

What are the ISO 27001:2022 Changes to Clause 7.1 Resources?

Great news. There are no changes to ISO 27001 Clause 7.1 Resources in the 2022 update.

What is the purpose of ISO 27001 Clause 7.1?

The purpose of ISO 27001 Clause 7.1 is to ensure an organisation has the adequate resources needed to effectively manage its information security. It formalises a commitment from top management to provide the necessary support for the ISMS, which is vital for long-term success.

What types of resources are required by Clause 7.1?

Clause 7.1 requires an organisation to consider and provide a range of resources, including:
1. Human Resources: The right people with the necessary skills, knowledge, and time.
2. Financial Resources: Sufficient budget for tools, training, and external expertise.
3. Infrastructure: Necessary IT systems, software, and physical facilities.

How do I demonstrate compliance with Clause 7.1 during an audit?

To demonstrate compliance, you should have documented evidence that you have identified and provided the required resources. This can include:
1. Budget documents and resource plans.
2. Organisational charts and job descriptions.
3. Training records and competency matrices.
4. Minutes from management review meetings where resource allocation was discussed.

What is the difference between Clause 7.1 and Clause 7.2?

Clause 7.1 focuses on the availability of resources in general, such as budget, technology, and people. Clause 7.2, in contrast, specifically addresses competence. It requires that the people working on the ISMS have the necessary skills and knowledge for their roles.

Can one person handle all the ISO 27001 roles in a small company?

Yes, in a small organisation, it’s common and acceptable for one person to have multiple roles and responsibilities related to the ISMS. The key is to ensure that the individual has the competence and time to fulfil all these roles effectively, and that this is clearly documented.

How do I determine the right amount of resources needed?

Determining resource needs should be a risk-based process. Start by conducting a thorough risk assessment to identify potential threats and vulnerabilities to your information assets. The resources you allocate should be proportionate to the risks you face and the security objectives you’ve set.

What are some common mistakes when implementing Clause 7.1?

Common mistakes include:
1. Insufficient budget or failing to allocate a dedicated budget for security initiatives.
2. Not providing enough staff time for ISMS-related activities.
3. Neglecting to get top management buy-in and formal approval for resource commitments.
4. Not documenting how resources are identified and provided.

Does Clause 7.1 require specific documented information?

While the clause itself doesn’t mandate a specific document called a “resource plan,” it’s highly recommended to have documented information that shows how you’ve met the requirements. This could be in the form of meeting minutes, a budget spreadsheet, or a resource plan.

How do you link Clause 7.1 to continual improvement?

Clause 7.1 is critical for continual improvement because it ensures that you have the resources to not just implement but also maintain and improve the ISMS over time. This includes allocating resources for audits, corrective actions, and new security initiatives as risks evolve.

Who is responsible for ISO 27001 Clause 7.1?

Senior management are responsible for ensuring that ISO 27001 Clause 7.1 Resources is implemented and maintained.

Why is ISO 27001 Clause 7.1 Resources important?

In any organisation there are competing priorities for resources. An information security management system (ISMS) can take considerable resources at all stages, from implementation to operation. Without the required resources allocated to it the project will fail, and the information security management system will not be effective and will not meet its stated information security objectives.

Can external consultants or services count as a resource?

Yes, external resources such as consultants, outsourced IT services, and managed security providers can be used to meet the requirements of Clause 7.1. The organisation is still responsible for managing these external resources and ensuring they meet the ISMS objectives.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.