ISO 27001 Resources – Tutorial


In this tutorial we are going to cover ISO 27001 Resources.

You will learn

  • What ISO 27001 Resources are
  • How to implement ISO 27001 Resources

ISO 27001 Resources

For resources you are going to work out the resources that you need and then provide those resources. This pays particular attention to the management system and the following phases:

  • Setting up the management system
  • Implementing the management system
  • Maintaining the management system
  • Continually improving the management system

Implementation Guide

Work out what roles you need

You need the resources to manage the management system, but you might not know what roles you need. It is a bit of a catch-22, so the assigned roles and responsibilities document does that for you.

It provides you with all of the roles that are required within the information security management system (ISMS), sets out what those roles and accountabilities are, and then allows you to assign people to those individual roles.

It has a position and a placeholder where you can allocate resources.

It goes through the various mandatory roles of

  • the CEO
  • the leadership team
  • Information Security Management Leadership
  • the Information Security Manager
  • the Management Review Team

You need to establish what your structure is going to be, establish what roles you need and allocate people to those roles.

Roles can be allocated to internal or external people.

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities Template

Decide what resource you need

There are several ways of allocating resource.

You can:

  • get external help
  • get the help of a consultant or a contractor
  • send people from your organisation onto ISO 27001 training courses
  • go through the resources that are provided on the free ISO 27001 YouTube channel and learn it yourself.

The requirement is that the resources should understand and have competence in an effective information security management system (ISMS).

Different people, with different skills and experience, will be required at different phases of the project.

Allocate Resources to the Standard

At this point you have built up your team and you have built up your structure. You understand what it is that you need and have found those resources.

The next step is to take the standard itself and allocate the resources to the requirements of the standard.

This will require an ISO 27001 Accountability Matrix.

ISO 27001 ISMS Rasci Matrix Template

In your Accountability Matrix you list the requirements (what needs to be done) and allocate who is accountable for each one.

You do this for both the information security management system (ISMS) and for the ISO 27001 Annex A Controls.

A point to note is that you can outsource the doing of the work, but you cannot outsource the accountability.

Implementation Summary

In summary the steps are:

  • define the roles you need
  • define the structure of those roles
  • define resource requirements
  • identify the resources needed to meet the requirements
  • allocate people
  • document it


Small Organisations

When it comes to resources there are a couple of questions that come up. One of those is: we are a very small team, can one person have more than one role? Can one resource be allocated more than one role? The answer is yes.

We often find in smaller organisations that one or two people are responsible and are assigned to multiple controls. Absolutely no problem at all.

What you do have to bear in mind is the requirement we saw earlier, and which you will come to in more detail in Annex A, on Segregation of Duties. You have to segregate duties. What that normally means is that authorisation is not given by the same person who requests it. We go into this in much more depth in the Annex A controls.

Resources by Implementation Phase

Think about the phases of your project on where resources may be required.

Establishment

It is appropriate to use a specialist resource at this phase of the project. You are going to want people who understand the standard and its requirements and can help you through the establishment phase.

Implementation

It is appropriate to use a specialist resource at this phase of the project. A specialist resource brings knowledge and experience, makes the process faster and leaner, and gets you to certification quicker.

ISO 27001 Certification

At this phase of the project use a combination of specialist resource and your own staff. Going through certification is a combination of resource and is going to be a partnership.

Maintenance

For maintenance of your ISO 27001 you have options. Where possible use your own staff, and use a specialist resource to sense-check the work that you are doing.

Continual Improvement

Continual improvement in a smaller organisation can be done by your own staff with sense-checking by a specialist resource. Use that specialist resource to conduct your Internal Audits and to get you ready for your continuing (surveillance) audit and then your recertification.

ISO 27001 Resources – Training Video

If you prefer to watch rather than read you can watch: How to implement ISO 27001 Clause 7.1 Resources | Step-by-Step Guide
