Resources For ISO 27001 Requirement 7.1
What is covered under ISO 27001 Clause 7.1?
ISO 27001 requires the organisation to determine and provide the resources needed to establish, implement, maintain and continually improve the information security management system (ISMS). As with the leadership requirements in clause 5.3, ISO/IEC 27001 does not mandate that the ISMS be staffed by full-time resources; it requires that roles, responsibilities and authorities are clearly defined and owned, on the assumption that the right level of resource will then be applied as required. Clause 5.1 already obliges top management to ensure that the resources the ISMS needs are available; clause 7.1 is the summary point for that resource commitment, and an auditor will expect evidence that resource needs were actually determined and provided, not merely promised. The commitment is then described in more detail by the requirements in:
- 7.2 – Competence of the people supporting the ISMS
- 7.3 – Awareness of the people doing the work for the ISMS
- 7.4 – Communication about the ISMS to interested parties, internally and externally
- 7.5 – Documented information that demonstrates the ISMS conforms to ISO 27001
It is also worth remembering that Annex A.6 (Organisation of information security) dovetails into this requirement, so when building out the ISMS responsibilities each of those controls can be considered at the same time.
Planning resources and considering staffing requirements for ISO 27001 clause 7
As the references above show, ISO drops resource requirements in from a number of different angles, so it is easy to get confused about the level of investment in people and other resources that is actually needed.
It makes sense to view all of the people-oriented requirements for implementing and running the ISMS together, so the organisation can consider the capacity, confidence and capability of the people involved to do the work. Some resources will need to be committed for more of their time than others. Legal and HR skills, for example, matter during the implementation and for periodic reviews of risks and policies, but not for the general ongoing administration and management of the ISMS.
There are many ISO 27001 training courses available, including ISO 27001 lead auditor and ISO 27001 implementation courses, that can build confidence and capability. Our experience suggests that while they can sometimes be helpful, they do not always deliver a return on investment and can be problematic too. Depending on the trainer, a course might teach outdated ways of working, impress counter-cultural practices that will not work for your organisation, and take valuable time out to learn things that become fairly obvious once you start the implementation.
ISMS implementations aimed at ISO 27001 certification are far easier with an application that guides delivery, offers a map of what needs to get done and shows where progress is being made.
With a preparation plan like the one expressed in ISMS.online, and the ISO 27001 Virtual Coach service that is always on when and where it is needed, implementations are faster and lower in total cost. Working early in the morning, at lunchtime or over a weekend to get something done is no problem: the Virtual Coach sits inside the platform while you are considering the issue. Coupled with the tips, the documentation to adopt, adapt and add to, and the easy-to-use technology itself, this means you will need less support resource than you had imagined. If capacity or capability is an issue in a particularly thorny area, consider one of the ISMS.online expert partners to help by exception; get in touch and we will introduce you to a partner that is a good fit for your organisation's needs.
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement