ISO/IEC 27001 •

ISO 27001 Requirement 7.1 – Resources for ISO 27001

See how you can achieve ISO 27001 faster with ISMS.online

See it in action
By Mark Sharron | Updated 14 December 2023

A requirement of ISO 27001 is to provide an adequate level of resource into the establishment, implementation, maintenance and continual improvement of the information security management system.

Jump to topic


What does Clause 7.1 involve?

As described before with the leadership resources in clause 5.3, ISO 27001 does not actually mandate that the ISMS has to be staffed by full time resources, just that the roles, responsibilities and authorities are clearly defined and owned – assuming that the right level of resource will be applied as required.

It is the same with clause 7.1, which acts as the summary point of ‘resources’ commitment which are then more fully described with requirements in:

  • 7.2 – Competence of the support resources for ISO 27001
  • 7.3 – Awareness of the people doing the work for the ISMS to meet ISO 27001
  • 7.4 – Communication about the ISMS to the interested parties internally and externally about the ISMS
  • 7.5 – Documented information about the ISMS to demonstrate it conforms to the ISO 27001 standard. It is also worth remembering that Annex A 6 dovetails into this requirement nicely too, so when building out the ISMS responsibilities each of those controls could be considered at the same time.

Planning resources and considering staffing requirements

As can be seen just from the references above, ISO drops in resource requirements across a number of different angles so it is easy to get confused about the level of investment in physical resources.

Viewing all of the people oriented requirements for implementing and running the ISMS makes sense, then the organisation can consider the capacity, confidence and capability of the people involved to do the work.

Some of the resources may need to be more committed in time than others, for example legal and HR skills are important for some aspects of the ISMS during its implementation and reviews of risks, policies from time to time, but not the general ongoing administration and management.

There are many ISO 27001 information security training courses, and ISO 27001 lead auditor, ISO 27001 implementation and many other courses out there that can build confidence and capability. However our experience suggests that whilst they can sometimes be helpful, they don’t always deliver a return on investment and could be problematic too.

Depending on the trainer the course might also teach old ways of working, impress counter cultural practices that won’t work for your organisation and can mean taking valuable time out for learning some things are pretty darn obvious when you start the implementation!

ISMS implementations to meet certification for ISO 27001 are far easier with an application that helps guide delivery, offers a map of what needs to get done and where progress is being made.


Get certified up to 5x faster with ISMS.online

Compliance doesn’t need to be complicated – ISMS.online is designed to help you achieve ISO 27001 certification quickly and affordably with no training required.
We’ve streamlined the ISO 27001 process with our Assured Results Method, an 80% Headstart, your own 24/7 Virtual Coach, easy onboarding and expert support.

Book a platform demo to see how ISMS.online can help your business

Book a demo

Get an 81% headstart

We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.

Book a demo

ISO 27001:2022 requirements


ISO 27001:2022 Annex A Controls

Organisational Controls


People Controls


Physical Controls


Technological Controls


About ISO 27001


ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more