ISO 27001 Resources

Home / ISO 27001 / ISO 27001 Resources

In this tutorial we are going to cover ISO 27001 Resources.

You will learn

  • What it is ISO 27001 Resources
  • How to implement ISO 27001 Resources


If you prefer to watch rather than read you can watch: How to implement ISO 27001 Clause 7.1 Resources | Step-by-Step Guide


So, let’s start off by understanding the requirement and look at the definition. That way I can dig deeper and I can show you exactly how you can satisfy this for compliance, for audit and for certification.

The standard defines ISO 27001 Resources as:

The organisation shall determine and provide the resources needed for the establishment, the implementation, the maintenance and the continual Improvement of the information security management system.

Implementation Guide

Let’s take a look at how we can implement that.

ISO 27001 Toolkit

We can interpret resources as being people but the first thing that I want to do is I want to look at the resources that are available to you in terms of the ISO 27001 Toolkit. The ISO 27001 Toolkit is the resources that you need. It provides you everything that you need to implement the information security management system (ISMS). As a resource it has videos and guides, it has checklists, it has implementation step by steps, it has a weekly Q&A call built into it and it has a consultation call built into it. This isn’t by way of a sale, this is by way of saying to you that there are resources out there that are available to you.

So, the first resources that you’ve got is you’ve got the ISO 27001 Toolkit that’s available to you that provides you everything you need but then what we need to do is we need to look at the resources that we need in terms of people.


Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition


Now we have different approaches to this. We can seek external help, we can seek the help of a consultant or a contractor, and that’s a very, very valid thing to do. We can send people from our organisation onto ISO 27001 training courses, that is a very valuable and valid thing to do, or we can go through the resources that are provided on the free YouTube channel, the ISO 27001 YouTube channel, and we can learn it but what we need is we need people that understand an effective information security management system (ISMS) and we need different people at different phases within that project.

Once we’ve got that we need to establish what are the roles that we need are, so one of the things that I provide for you, one of the ISO 27001 templates that I provide on High Table and as part of the ISO 27001 Toolkit is this, document which is the information security roles and assigned responsibilities document.

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities Template

Roles and Responsibilities Document

What this has done is it has provided you all of the roles that are required within the information security management system (ISMS), it has set out for you what those roles and accountabilities are and then it allows you to assign people to those individual roles.

We need the resources to manage the management system but you might not know what the roles are that you need, it’s a bit of a catch22, so the assigned roles and responsibilities document does that.

It has a position and a placeholder where we can allocate resources. It goes through the various roles, so, it goes through the role of the CEO, it goes through the leadership team and the leadership role, it goes through the Information Security Management Leadership, Information Security Manager and the Management Review Team.

We need to establish what our structure is going to be, then we need to establish what those roles are and then we need to allocate people to those roles, be they internal people or external people, specialist resource, whatever it may be.

Allocate Resources to the Standard

So, we’ve built up our team and we’ve built up our structure, we understand what it is that we need. We found those resources. Then what we need to do is we need to take the standard itself and we need to allocate the resources that we have to the requirements of the standard.

The way that we’re going to do that is we’re going to use an ISO 27001 Accountability Matrix. Now within ISO 27001 Accountability Matrix the ISO 27001 template that I provide for you, downloadable individually but it is also downloadable as part of the ISO 27001 Toolkit, we’ve got two versions of the accountability matrix.

ISO 27001 ISMS Rasci Matrix Template

We’ve got a very, very basic version, the basic version is more than adequate, meets the requirements of the standard and is used by smaller businesses but what is it and what is it doing?

Well here what you can see is we have an accountability matrix for each version of the standard, the 2013/17 version and the 2022, the latest, version.

ISO 27001 RASCI Matrix Free PDF Example 3

What we’re doing within our Accountability Matrix is we are listing the requirements, what it is that needs to get done and then we’re going to allocate who is accountable for it, where does the buck stop and then who is responsible for it, who is the person that’s going to be doing the work.

You can see that we do that for the information security management system (ISMS) and we do it for the ISO 27001 Annex A Controls.

Now there are other blogs and videos and guides about the ISO 27001 Annex A Controls, about how you select which controls you need but go with me here, what we’re doing is we’re listing out each of the controls and we’re allocating people to be accountable for it and we’re allocating people to be responsible for the doing. Now the doing can be an external third party, you can have somebody internal who’s accountable for it and then you outsource that to a third party, no problem at all and that is handled within the standard.

What you can also see is that within the ISO 27001 Toolkit and depending on how you want to operate we also, or, I also provide for you a ISO 27001 RASCI Matrix. This is a little bit more advanced, above, and beyond the accountability matrix.


You can Google the RASCI tables and get more knowledge on that, this isn’t a tutorial on how to perform a RASCI Matrix but what I can show you in there is it’s exactly the same, we have for the management system (ISMS), we have for the Annex A controls. Now we have more columns because we’re now looking at people that are consulted, people that are informed and people that support, so, if a RASCI is your bag and a RASCI is something that you need, then turn your accountability matrix into that RASCI Matrix.

Implementation Recap

So, what you can see there is we have defined our requirements, we have identified the resources that we’re going to need, we have allocated those resources to the roles that we have documented, we have then taken the standard and broken the standard down into the management system (ISMS) and the Annex A controls and for the management system (ISMS) in the Annex A Controls we have allocated people to that.

Small Organisations

When it comes to resources there are a couple of things that come up and people ask. One of those is – we’re a very small team, can one person have more than one role? Can one resource be allocated more than one role? and the answer to that is yes.

We often find in smaller organisations that one or two people are responsible and are assigned to multiple controls. Absolutely no problem at all.

What you do have to bear in mind is the requirement that we saw earlier and that we will come to in Annex A in more detail on the Segregation of Duty. We have to segregate out duties. What that normally means is authorisation isn’t provided by the person requesting the authority. We do a lot more deep dive into that in the annex A controls.

Resources by Implementation Phase

Another top tip that I would provide for you when it comes to Resource other than getting the ISO 27001 Toolkit, is, think about the phases of your project on where resources may be required.


So, if I look at the establishment of ISO 27001, at that point it is probably and is more appropriate to use a specialist resource. You’re going to want people that understand the standard, understand the requirement and help you in that establishment phase.


When it comes to the implementation, again, my top tip would be to use specialist resource. Specialist resource is going to provide you with all knowledge, experience, make the process faster, make the process leaner and get you to certification quicker.

ISO 27001 Certification

When it comes to the certification step I would say use a combination of specialist resource, clearly, and your own staff. Taking the certification is going to be a combination. It’s going to be a partnership.


When it comes to the maintenance of your ISO 27001, going forward, you have options, and again, my tips would be to use your own staff. I would, if I was on the engagement, I would train up your staff so that they could do it and then use a specialist resource to sense check the work that you’re doing. That’s going to come down to timing and budget and requirement and what your resources are doing but for the maintenance of it, you can use your own staff with some oversight and you know some touch points with a specialist.

Continual Improvement

When it comes to the continual improvement phase of ISO 27001, I would, for a smaller organisation, say use your own staff, use your own staff with the sense checking of a specialist resource and then use that specialist resource to conduct your Internal Audits and get you ready for your continuing audit and then your recertification.

Common Mistakes

What are the common mistakes that we see? What are the common mistakes that we see when people go for audit? I think probably the biggest one is that you don’t have anybody that has any knowledge or experience. In the next blog and video we’re going to look at ISO 27001 Clause 7.2 Competence and we will touch on that in more detail, so please check that video out and that blog and understand why having somebody that is competent is important to your certification.

I think that using specialist resource in a way that they were not designed to be used, again, that can be a mistake that people make. They spend too much money, you know, it takes too long because they engage with a consultant but then they don’t take the reigns themselves and they don’t take some responsibility and accountability themselves.


So quite a deep dive today into ISO 27001 Clause 7.1 Resource. A few pointers a few things that you can use, a few top tips.

You are going to be successful.

  • Design and define the structure of your management resources
  • Document what the roles are that make up that management system structure
  • Allocate people to those roles
  • Create your accountability matrix that covers the isms and the Annex A Controls
  • and then allocate as a minimum somebody who is accountable, where the buck stops and somebody who is responsible, who is going to do the work

You are going to be absolutely golden when it comes to your certification. So, I am Stuart Barker. I am Conclusion the ISO 27001 Ninja that was ISO 27001 Clause 7.1 and until the next blog and video, peas out

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing