ISO 27001 Resources


In this tutorial we are going to cover ISO 27001 Resources.

You will learn

  • What ISO 27001 Resources (Clause 7.1) are
  • How to implement ISO 27001 Resources

Watch

If you prefer to watch rather than read you can watch: How to implement ISO 27001 Clause 7.1 Resources | Step-by-Step Guide

Definition

So, let’s start by understanding the requirement and looking at the definition. That way we can dig deeper and I can show you exactly how to satisfy it for compliance, for audit and for certification.

The standard defines ISO 27001 Clause 7.1 Resources as:

The organisation shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.

Implementation Guide

Let’s take a look at how we can implement that.

ISO 27001 Toolkit

We can interpret resources as meaning people, but the first thing I want to do is look at the resources available to you in the form of the ISO 27001 Toolkit. The ISO 27001 Toolkit provides everything you need to implement the information security management system (ISMS). As a resource it has videos and guides, checklists, step-by-step implementation instructions, a weekly Q&A call and a consultation call built in. This isn’t by way of a sale; it is by way of saying that there are resources out there available to you.

So, the first resource you have is the ISO 27001 Toolkit, which provides everything you need. What we then need to do is look at the resources we need in terms of people.


People

We have different approaches to this. We can seek external help from a consultant or a contractor, and that is a very valid thing to do. We can send people from our organisation on ISO 27001 training courses, which is a very valuable and valid thing to do. Or we can go through the resources provided on the free ISO 27001 YouTube channel and learn it ourselves. Whichever route we take, what we need is people who understand what an effective information security management system (ISMS) looks like, and we need different people at different phases of the project.

Once we have that, we need to establish what roles we need. One of the things I provide for you, one of the ISO 27001 templates available on High Table and as part of the ISO 27001 Toolkit, is the information security roles and assigned responsibilities document.

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities Template

Roles and Responsibilities Document

What this does is provide you with all of the roles required within the information security management system (ISMS), set out what the responsibilities and accountabilities of those roles are, and then let you assign people to each individual role.

We need resources to manage the management system, but you might not know what roles you need; it’s a bit of a catch-22. The assigned roles and responsibilities document solves that.

It has a position and a placeholder where we can allocate resources. It goes through the various roles: the CEO, the leadership team and the leadership role, information security management leadership, the Information Security Manager and the Management Review Team.

So we need to establish what our structure is going to be, then establish what the roles are, and then allocate people to those roles, be they internal people, external people or specialist resource, whatever it may be.

Allocate Resources to the Standard

So, we have built our team and our structure, we understand what we need and we have found those resources. Next, we take the standard itself and allocate the resources we have to the requirements of the standard.

The way we do that is with an ISO 27001 Accountability Matrix. This is an ISO 27001 template I provide, downloadable individually and also as part of the ISO 27001 Toolkit, and it comes in two versions.

ISO 27001 ISMS Rasci Matrix Template

The first is a very basic version. The basic version is more than adequate, meets the requirements of the standard and is the one used by smaller businesses. So what is it and what does it do?

Here you can see that we have an accountability matrix for each version of the standard: the 2013 version (with its 2017 corrigendum) and the latest, 2022, version.

ISO 27001 RASCI Matrix Free PDF Example 3

What we are doing within the Accountability Matrix is listing the requirements, that is, what needs to get done, and then allocating who is accountable for each one (where the buck stops) and who is responsible for it (the person who is actually going to do the work).

You can see that we do that for the information security management system (ISMS) and we do it for the ISO 27001 Annex A Controls.

There are other blogs, videos and guides about the ISO 27001 Annex A Controls and how you select which controls you need, but go with me here: what we are doing is listing out each of the controls and allocating a person to be accountable for it and a person to be responsible for the doing. The doing can be an external third party. You can have somebody internal who is accountable and then outsource the work to a third party. That is no problem at all and it is handled within the standard.

You can also see that within the ISO 27001 Toolkit, depending on how you want to operate, I also provide an ISO 27001 RASCI Matrix. This is a little more advanced, above and beyond the accountability matrix.

ISO 27001 RASCI Matrix Free PDF Example 1

You can search for RASCI tables to learn more; this isn’t a tutorial on how to build a RASCI Matrix. What I can show you is that it is structured exactly the same way: we have a section for the management system (ISMS) and a section for the Annex A controls. We now have more columns, because we are also recording who is consulted, who is informed and who supports. So, if a RASCI is your bag and a RASCI is something you need, turn your accountability matrix into that RASCI Matrix.

Implementation Recap

So, what you have seen is that we have defined our requirements, identified the resources we need and allocated those resources to the roles we have documented. We have then taken the standard, broken it down into the management system (ISMS) and the Annex A controls, and for both the management system (ISMS) and the Annex A Controls we have allocated people.

Small Organisations

When it comes to resources there are a couple of questions that come up. One is: we are a very small team, can one person have more than one role? Can one resource be allocated more than one role? The answer is yes.

We often find in smaller organisations that one or two people are responsible for, and assigned to, multiple controls. Absolutely no problem at all.

What you do have to bear in mind is the Annex A requirement on segregation of duties (Annex A 5.3), which we cover in more detail in the Annex A controls. We have to segregate duties. What that normally means is that authorisation isn’t given by the same person who is requesting it. There is a much deeper dive into that in the Annex A controls.
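As an added example (not a High Table template and not code from this page), here is a small Python check you can run over an accountability or RASCI matrix before it goes near an auditor. It covers the allocation rules from the Accountability Matrix section above, at least one accountable and at least one responsible person per requirement, and flags the small-organisation case where the same person is both accountable and responsible so it can be reviewed against segregation of duties. The matrix layout (a dict of requirement to person to RASCI letters), the sample entries and the “exactly one accountable per requirement” rule are assumptions: the last is a common RASCI convention rather than wording from the standard.

```python
"""Validate an ISO 27001 accountability / RASCI matrix before sign-off.

Added example: not a High Table template and not code from the page.
Assumptions: a matrix is {requirement: {person: letters}} with letters
drawn from RASCI (R, A, S, C, I). "Exactly one Accountable per requirement"
is a common RASCI convention, not a clause of ISO 27001.
"""
from collections import Counter
from dataclasses import dataclass

VALID_LETTERS = set("RASCI")

# Constructed sample matrix (not from the page); rows deliberately include
# a missing Accountable, a double Accountable and a one-person row.
SAMPLE_MATRIX = {
    "Clause 7.1 Resources": {"CEO": "A", "Information Security Manager": "R"},
    "Clause 9.2 Internal audit": {
        "CEO": "A", "External consultant": "R", "Information Security Manager": "S"},
    "A.5.3 Segregation of duties": {"Information Security Manager": "AR"},
    "A.8.13 Information backup": {"IT Manager": "R", "Managed service provider": "S"},
    "A.8.15 Logging": {"CEO": "A", "IT Manager": "A", "SOC provider": "R"},
}


@dataclass(frozen=True)
class Finding:
    requirement: str
    severity: str  # "error" blocks sign-off, "warning" is a review item
    message: str


def people_with(row, letter):
    """Everyone in a row who carries the given RASCI letter."""
    return sorted(p for p, letters in row.items() if letter in letters)


def check_requirement(requirement, row):
    """Apply the allocation rules to one requirement (one matrix row)."""
    findings = []
    for person, letters in row.items():
        unknown = set(letters) - VALID_LETTERS
        if unknown:
            findings.append(Finding(requirement, "error",
                                    f"{person}: unknown code(s) {sorted(unknown)}"))
    accountable = people_with(row, "A")
    responsible = people_with(row, "R")
    if not accountable:
        findings.append(Finding(requirement, "error",
                                "nobody accountable (where does the buck stop?)"))
    elif len(accountable) > 1:  # assumed convention: a single owner
        findings.append(Finding(requirement, "error",
                                f"more than one accountable: {accountable}"))
    if not responsible:
        findings.append(Finding(requirement, "error",
                                "nobody responsible for doing the work"))
    # Allowed in a small team, but the doer approving their own work is the
    # pattern segregation of duties (A.5.3) exists to catch, so flag for review.
    for person in set(accountable) & set(responsible):
        findings.append(Finding(requirement, "warning",
                                f"{person} is both accountable and responsible; "
                                "review against A.5.3 segregation of duties"))
    return findings


def check_matrix(matrix):
    """Run check_requirement over every row and collect the findings."""
    findings = []
    for requirement, row in matrix.items():
        findings.extend(check_requirement(requirement, row))
    return findings


def workload(matrix):
    """Assignments per person: shows where one or two people carry everything."""
    counts = Counter()
    for row in matrix.values():
        for person, letters in row.items():
            counts[person] += len(letters)
    return dict(counts)


def is_sign_off_ready(matrix):
    """True when no row has an error-level finding."""
    return not any(f.severity == "error" for f in check_matrix(matrix))


if __name__ == "__main__":
    for f in check_matrix(SAMPLE_MATRIX):
        print(f"[{f.severity}] {f.requirement}: {f.message}")
    print("Workload:", workload(SAMPLE_MATRIX))
    print("Ready for sign-off:", is_sign_off_ready(SAMPLE_MATRIX))
```

Run it as a script to print the findings for the constructed sample: errors block sign-off, warnings are review items for the person who owns segregation of duties. To use it on your own matrix, build the same dict from a spreadsheet export and call check_matrix() and workload(); the workload count is the quickest way to see whether one or two people have been given everything.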

Resources by Implementation Phase

Another top tip when it comes to resources, other than getting the ISO 27001 Toolkit, is to think about the phases of your project and where resources may be required in each.

Establishment

In the establishment phase of ISO 27001 it is probably more appropriate to use specialist resource. You want people who understand the standard and understand the requirements, and who can help you in that establishment phase.

Implementation

When it comes to implementation, again, my top tip would be to use specialist resource. Specialist resource brings knowledge and experience, makes the process faster and leaner, and gets you to certification quicker.

ISO 27001 Certification

When it comes to the certification step I would say use a combination of specialist resource, clearly, and your own staff. Going through certification is going to be a combination. It’s going to be a partnership.

Maintenance

When it comes to maintaining your ISO 27001 going forward, you have options, and again my tip would be to use your own staff. If I was on the engagement I would train up your staff so that they could do it, and then use specialist resource to sense-check the work they are doing. That comes down to timing, budget, requirements and what your resources are doing, but for maintenance you can use your own staff with some oversight and some touch points with a specialist.

Continual Improvement

When it comes to the continual improvement phase of ISO 27001, for a smaller organisation I would say use your own staff, with a specialist resource sense-checking their work, and then use that specialist resource to conduct your internal audits and get you ready for your continuing (surveillance) audits and then your recertification.

Common Mistakes

What are the common mistakes we see when people go for audit? Probably the biggest one is not having anybody with any knowledge or experience. In the next blog and video we look at ISO 27001 Clause 7.2 Competence and touch on that in more detail, so please check that video and blog out to understand why having somebody competent is important to your certification.

Using specialist resource in a way it was not designed to be used is another mistake people make. They spend too much money and it takes too long, because they engage a consultant but then don’t take the reins themselves and don’t take some responsibility and accountability themselves.

Conclusion

So, quite a deep dive today into ISO 27001 Clause 7.1 Resources: a few pointers, a few things you can use, a few top tips.

You are going to be successful if you:

  • Design and define the structure of your management resources
  • Document the roles that make up that management system structure
  • Allocate people to those roles
  • Create your accountability matrix covering the ISMS and the Annex A Controls
  • Allocate, as a minimum, somebody who is accountable (where the buck stops) and somebody who is responsible (who is going to do the work)

Do that and you are going to be absolutely golden when it comes to your certification. So, I am Stuart Barker, the ISO 27001 Ninja. That was ISO 27001 Clause 7.1 and, until the next blog and video, peas out.
