ISO 27001 Clause 7.1 Resources

ISO 27001 Resources

Building and implementing an Information Security Management System (ISMS) requires resources. We are going to look at exactly what resources you need.

What is ISO 27001 Clause 7.1?

ISO 27001 Clause 7.1 is Resources. It requires an organisation to provide the resources needed to establish, implement, maintain and continually improve the information security management system.

For ISO 27001 certification, the standard expects you to have the right people available for running ISO 27001.

Purpose

The purpose of ISO 27001 clause 7.1 Resources is to make sure you have the resources you need for an effective information security management system (ISMS).

Definition

ISO 27001 defines ISO 27001 Clause 7.1 as:

The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

ISO 27001:2022 Clause 7.1 Resources

Requirement

Building on ISO 27001 Clause 5.3 Organisational Roles, Responsibilities and Authorities, this clause requires you to have the resources in place for an effective information security management system. This is about having the resources for the entire lifecycle of the information security management system (ISMS), not just the project to get the first ISO 27001 certification.

Implementation Guide

How to identify the ISO 27001 resources you need

You need the resources to manage the management system, but you might not know what roles you need. It is a bit of a catch-22.

Formal Approach

The formal approach to identifying what resources you need would be to:

  • set up a project
  • allocate a project manager
  • do a project analysis that looks at what the standard requires
  • map that requirement to your available resources
  • identify resource gaps and plan to fill the gaps

Informal Approach

Use the ISO 27001 resources template, which sets out the common roles that you need and the responsibilities of those roles. Using this assigned roles and responsibilities template, you allocate the resources that you have to those roles.

The ISO 27001 Mandatory Resources

The list of mandatory ISO 27001 resources:

  • the CEO
  • the leadership team
  • Information Security Management Leadership
  • the Information Security Manager
  • the Management Review Team

In addition, there are optional resources that you will require based on your approach and needs. These are all documented in the ISO 27001 resources template.

You need to establish what your structure is going to be, establish what roles you need and allocate people to those roles.

Roles can be allocated to internal or external people.

Which resources to use and when

There are distinct phases in the process of ISO 27001 certification.

Each of those phases potentially requires a different level of skill, knowledge and experience.

It is possible that this is one person, but the likelihood is that you are going to get specialist help for the establishment and implementation phases.

It can make sense to reduce the reliance on that specialist help when it comes to maintenance and continual improvement, using that knowledge and expertise only for training and sense checking.

Our guide would be:

  • ISO 27001 Establishment: use specialist resource. It is appropriate to use a specialist resource at this phase of the project. You’re going to want people that understand the standard, understand the requirement and help you in that establishment phase.
  • ISO 27001 Implementation: use specialist resource. It is appropriate to use a specialist resource at this phase of the project. Specialist resource is going to provide you with knowledge, experience, make the process faster, make the process leaner and get you to certification quicker.
  • ISO 27001 Certification: use specialist resource in combination with your own staff. At this phase of the project use a combination of specialist resource and your own staff. Taking the certification is going to be a combination of resource and it’s going to be a partnership.
  • ISO 27001 Maintenance: use your own staff with training and sense checking by specialist resource. For maintenance of your ISO 27001 you have options. Where possible use your own staff and use a specialist resource to sense check the work that you’re doing.
  • ISO 27001 Continual Improvement: use your own staff with training and sense checking by specialist resource. Continual improvement for a smaller organisation can use your own staff with the sense checking of a specialist resource. Use that specialist resource to conduct your Internal Audits and get you ready for your continuing audit and then your recertification.

Of course, you can do ALL of it with the ISO 27001 Toolkit, which includes all of the resources, step by step guides and video walkthroughs you will need, with the ability to buy specialist help by the hour.

Outside of the specifics of ISO 27001 resources there is an expectation that your business will have appropriate departmental expertise. What do we mean by that? Well, for example, you will have an HR function with appropriate HR controls and appropriately skilled and trained HR professionals.

ISO 27001 Accountability matrix

For each of the ISO 27001 clauses and the ISO 27001 Annex A controls you need to allocate and record who is responsible for that clause and control. You do this by completing an ISO 27001 Accountability Matrix.

ISO 27001 Accountability Matrix Template (ISO 27001 ISMS RASCI Matrix example)

ISO 27001 Competency matrix

For each person involved in the operation of the Information Security Management System, be sure to record them in the competency matrix. The competency matrix allows you to identify and demonstrate that you have the required competencies to run the information security management system. It also identifies gaps that you can plan to address.

ISO 27001 Competency Matrix Template (example)

ISO 27001 Internal Resources

If you are looking at gaining the skills and experience in house you have the option to consider ISO 27001 training.

There are many reputable ISO 27001 lead auditor training, ISO 27001 lead implementor training and associated courses to choose from.

It is our experience that these can provide excellent book knowledge of the standard but are very light on how to implement it in the real world, and they don’t come with templates or provide specific, tailored advice.

If you want training then of course, consider the book training but also companies like High Table provide low cost, structured, 1 to 1 real world implementation training that runs alongside your actual implementation and trains your team.

There is a wealth of training and guidance provided as part of the ISO 27001 Toolkit for free.

There are also free resources on the Internet such as this excellent YouTube Channel dedicated to ISO 27001 and showing you how to do it yourself.

If we were going to start anywhere we would start with this Essential Step By Step Guide to Implementing ISO 27001.

ISO 27001 External Resources

Whether you look to engage a professional such as a High Table ISO 27001 Consultant, hire someone full-time or train up internal staff on ISO 27001 lead auditor or ISO 27001 lead implementor courses you need to engage with trained and experienced resource for your ISO 27001 certification.

If you are using external resources then be sure to conduct your due diligence and research. There is a guide: The Top 10 ISO 27001 Companies and Top 10 ISO 27001 Certification Bodies.

The role of training and awareness

Implement an effective process of training and awareness that directly meets the needs of the organisation and the risks the organisation faces. This should ensure that the resources required have the skills and competence to perform their roles and, where there are gaps, it should provide a plan to fill those gaps.

Tips for Small Organisations

When it comes to resources there are a couple of things that come up and people ask. One of those is: we’re a very small team, can one person have more than one role? Can one resource be allocated more than one role? The answer to that is yes.

We often find in smaller organisations that one or two people are responsible and are assigned to multiple controls. Absolutely no problem at all.

What you do have to bear in mind is the requirement that we saw earlier, and that you will come to in more detail in Annex A, on Segregation of Duties. You have to segregate out duties. What that normally means is that authorisation isn’t provided by the person requesting the authority. We do a lot more of a deep dive into that in the Annex A controls.
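The segregation of duties point above is easy to lose when one or two people hold most of the roles. The following is an added example, not code from the original page or from the High Table templates it describes: it takes a constructed role allocation (role names, workflow pairs and people are all hypothetical), allows a person to hold several roles, and flags only the case the text rules out, the same person being both the requester and the approver of an authorisation. It also reports required roles nobody has been allocated, which is a resourcing gap rather than a segregation conflict.

```python
"""Segregation-of-duties check over a small organisation's ISMS role allocation.

Added example (not from the original page or its templates). Role names,
workflow pairs and people below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: each ISMS role mapped to the person holding it.
# In a small organisation the same person legitimately holds several roles.
ROLE_HOLDERS = {
    "Information Security Manager": "alice",
    "Change Requester": "bob",
    "Change Approver": "alice",
    "Access Requester": "alice",
    "Access Approver": "alice",   # conflict: alice both requests and approves
    "Internal Auditor": "carol",
}

# Hypothetical authorisation workflows as (requesting role, approving role).
# For each pair the requester and the approver must be different people.
CONFLICT_PAIRS = [
    ("Change Requester", "Change Approver"),
    ("Access Requester", "Access Approver"),
]

# Hypothetical list of roles that must be allocated to someone.
REQUIRED_ROLES = [
    "Information Security Manager",
    "Internal Auditor",
    "Management Review Team",
]


def find_sod_conflicts(role_holders, conflict_pairs):
    """Return (requester_role, approver_role, person) for every workflow where
    one person holds both sides of the authorisation."""
    conflicts = []
    for requester_role, approver_role in conflict_pairs:
        requester = role_holders.get(requester_role)
        approver = role_holders.get(approver_role)
        if requester is None or approver is None:
            # An unallocated role is a gap, reported by find_unallocated_roles().
            continue
        if requester == approver:
            conflicts.append((requester_role, approver_role, requester))
    return conflicts


def find_unallocated_roles(role_holders, required_roles):
    """Required roles with nobody allocated to them."""
    return [role for role in required_roles if not role_holders.get(role)]


def roles_per_person(role_holders):
    """Map each person to the roles they carry; holding several is allowed
    but worth reviewing alongside the conflict check."""
    holdings = defaultdict(list)
    for role, person in role_holders.items():
        holdings[person].append(role)
    return dict(holdings)


def reallocate(role_holders, role, person):
    """Return a new allocation with one role moved to another person."""
    updated = dict(role_holders)
    updated[role] = person
    return updated


if __name__ == "__main__":
    for req, app, who in find_sod_conflicts(ROLE_HOLDERS, CONFLICT_PAIRS):
        print(f"SoD conflict: {who} holds both '{req}' and '{app}'")
    for role in find_unallocated_roles(ROLE_HOLDERS, REQUIRED_ROLES):
        print(f"Unallocated required role: {role}")
    # Fix the conflict by moving approval to a different person and re-check.
    fixed = reallocate(ROLE_HOLDERS, "Access Approver", "carol")
    print("Conflicts after reallocation:", find_sod_conflicts(fixed, CONFLICT_PAIRS))
```

Run as a script it reports the one conflict, the one unallocated role, and an empty conflict list after the approver role is moved; the same checks can be run over a real RASCI export by replacing the constructed dictionary.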

Implementation Checklist

ISO 27001 Clause 7.1 Resources Implementation Checklist

Determine the Resources Needed

Identify the necessary resources (people, infrastructure, funding) to support the ISMS.

Challenge:

Difficulty in accurately estimating resource needs, especially for long-term initiatives. Underestimating requirements.

Solution:

Conduct a thorough needs assessment involving all relevant departments. Consider future growth and potential changes in the ISMS. Use historical data and industry benchmarks.

Provide Competent Personnel

Ensure that personnel involved in the ISMS are competent and have the necessary skills and experience.

Challenge:

Difficulty in finding and retaining qualified personnel. Skills gaps within the team.

Solution:

Develop a competency framework for ISMS roles. Provide regular training and development opportunities. Consider outsourcing or contracting specialised skills when needed. Implement succession planning.

Provide Necessary Infrastructure

Ensure that the necessary infrastructure (hardware, software, facilities) is available to support the ISMS.

Challenge:

Difficulty in keeping infrastructure up-to-date. Budget constraints.

Solution:

Develop an infrastructure roadmap aligned with ISMS objectives. Implement a robust asset management process. Explore cloud-based solutions or managed services to optimise costs.

Allocate Financial Resources

Allocate sufficient financial resources to support the ISMS.

Challenge:

Difficulty in justifying ISMS investments to management. Budget cuts.

Solution:

Develop a clear business case for ISMS investments. Demonstrate the return on investment (ROI) of security measures. Integrate ISMS budgeting with overall organisational budgeting.

Support the ISMS

Top management shall demonstrate their commitment to the ISMS by providing the necessary resources.

Challenge:

Lack of management buy-in or support. Competing priorities.

Solution:

Communicate the importance of the ISMS to top management. Regularly report on the performance of the ISMS. Involve top management in key ISMS decisions.

Maintain Resources

Ensure that resources are maintained and kept up-to-date.

Challenge:

Difficulty in keeping pace with technological advancements. Resource depletion due to attrition or budget cuts.

Solution:

Implement a resource management plan. Regularly review and update resource requirements. Establish processes for acquiring and maintaining resources.

Outsource Processes

If outsourcing any ISMS-related processes, ensure that the service provider has the necessary resources and competence.

Challenge:

Difficulty in managing outsourced providers. Risk of data breaches or service disruptions.

Solution:

Conduct thorough due diligence of potential providers. Establish clear service level agreements (SLAs). Regularly monitor provider performance.

Document Resource Allocation

Maintain records of resource allocation for the ISMS.

Challenge:

Difficulty in tracking resource usage. Lack of clear documentation.

Solution:

Use a centralised resource management system. Regularly update resource allocation records.

Regularly Review Resource Needs

Regularly review resource needs to ensure they remain aligned with the ISMS.

Challenge:

Difficulty in anticipating future resource requirements. Changes in the business environment.

Solution:

Integrate resource reviews with other ISMS processes, such as management review. Conduct regular capacity planning exercises.

Improve Resource Utilisation

Seek opportunities to improve the efficiency and effectiveness of resource utilisation.

Challenge:

Wasting resources due to inefficient processes. Lack of awareness of resource optimisation opportunities.

Solution:

Implement process improvement initiatives. Encourage staff to identify resource optimisation opportunities. Use resource management tools to track and analyse resource usage.

Audit Checklist

The following is a summary of the ISO 27001 Clause 7.1 Audit Checklist:

Review Resource Identification

Verify the organisation has identified the resources needed to support the ISMS.

Audit Techniques: Document review (resource plans, budget documents, organisational charts), interviews with management and resource owners, analysis of ISMS requirements and their corresponding resource needs.

Assess Personnel Competence

Ensure personnel involved in the ISMS are competent.

Audit Techniques: Document review (job descriptions, training records, competency frameworks), interviews with personnel, observation of personnel performing tasks, review of certifications and qualifications.

Evaluate Infrastructure Provision

Verify that necessary infrastructure (hardware, software, facilities) is provided.

Audit Techniques: Document review (asset inventory, infrastructure diagrams, maintenance records), interviews with IT and facilities personnel, physical inspection of infrastructure, review of capacity planning documentation.

Examine Financial Resource Allocation

Ensure sufficient financial resources are allocated to the ISMS.

Audit Techniques: Document review (budget documents, financial statements), interviews with budget holders and finance personnel, analysis of ISMS spending and its alignment with planned activities.

Assess Management Support

Verify top management demonstrates commitment to the ISMS by providing resources.

Audit Techniques: Interviews with top management, review of management review meeting minutes, examination of resource allocation decisions and their justification, observation of management involvement in ISMS activities.

Evaluate Resource Maintenance

Ensure resources are maintained and kept up-to-date.

Audit Techniques: Document review (maintenance schedules, upgrade plans, patch management records), interviews with IT and facilities personnel, observation of maintenance activities, review of vendor contracts for support and maintenance.

Examine Outsourced Processes

If outsourcing ISMS-related processes, verify the provider has necessary resources and competence.

Audit Techniques: Document review (contracts with service providers, SLAs), interviews with service provider management, review of service provider audit reports and certifications, analysis of service provider performance data.

Assess Resource Allocation Documentation

Verify that records of resource allocation for the ISMS are maintained.

Audit Techniques: Document review (resource allocation records, asset registers), interviews with resource owners and administrators, examination of resource tracking systems and databases.

Evaluate Resource Needs Review

Ensure resource needs are regularly reviewed.

Audit Techniques: Review of management review outputs, interviews with management and resource owners, examination of resource planning documents and their updates, analysis of changes in ISMS requirements and their impact on resource needs.

Assess Resource Utilisation Improvement

Verify the organisation seeks opportunities to improve resource utilisation efficiency.

Audit Techniques: Interviews with management and staff, review of process improvement initiatives related to resource management, analysis of resource usage data and metrics, examination of resource optimisation plans.

Watch the Tutorial

Watch the ISO 27001 tutorial How To Implement ISO 27001 Clause 7.1 Resources

How to pass an audit

To pass an audit of ISO 27001 Clause 7.1 Resources you are going to:

  • Understand the requirements of ISO 27001 Clause 7.1 Resources
  • Identify the resources that you need
  • Acquire People Resources
  • Get an Information Security Management System (ISMS)
  • Assess the competency of people
  • Address competency gaps through training or bringing in specialist help

What the auditor will check

The audit is going to check a number of areas for compliance with ISO 27001 Resources. Let's go through them.

That you have someone that knows ISO 27001

This should go without saying, but running an effective information security management system (ISMS) that meets the requirements of ISO 27001 requires someone with knowledge and experience of ISO 27001. This is not always obvious, and we see many audits fail because people do not invest in this most basic of resource requirements.

The competence of staff

Whatever the role that you have identified for your management system, the auditor is going to make sure that the people and resources allocated to that role are competent to perform it. The competency matrix is a great tool here to demonstrate competence.

All controls have resources allocated

For the information security management system (ISMS) and the ISO 27001 Annex A controls that you have chosen and that are on your Statement of Applicability (SOA), the auditor will check that resources are allocated. It is not enough to say that you do something; you must actually do it and have resources allocated to make sure that it gets done.

ISO 27001 Templates

ISO 27001 templates are a great way to fast track your implementation and leverage industry best practice.

Available as individual downloads they are also part of the internationally best selling and award winning ISO 27001 Toolkit.

ISO 27001 Resources FAQ

What are the ISO 27001:2022 Changes to Clause 7.1 Resources?

Great news. There are no changes to ISO 27001 Clause 7.1 Resources in the 2022 update.

Who is responsible for ISO 27001 Clause 7.1?

Senior management are responsible for ensuring that ISO 27001 Clause 7.1 Resources is implemented and maintained.

Why is ISO 27001 Clause 7.1 Resources important?

In any organisation there are competing priorities for resources. An information security management system (ISMS) can take considerable resources at all stages, from implementation to operation. Without the required resources allocated to it, the project will fail and the information security management system will not be effective and will not meet its stated information security objectives.

Further Reading

ISO 27001 Clause 7.1 Audit Checklist

ISO 27001 Toolkit
