What is covered under ISO 27001 Clause 7.2?
ISO/IEC 27001 clause 7.2 says, in summary, that the organisation shall:
- determine the necessary competence of the people doing work under its control that affects its information security performance
- ensure those people are competent on the basis of appropriate education, training or experience
- where applicable, take action to acquire the necessary competence and evaluate the effectiveness of the actions taken
- retain appropriate documented information as evidence of competence, which the auditor will expect to see
On the basis of these requirements, it is easy to assume the answer to 7.2 is hiring an information security expert, but that is not always necessary. Successful implementation and ongoing management of an ISMS certified to ISO 27001 calls for a range of skills and experience beyond expertise in physical security, cyber security, computer security or other forms of information security per se: commercial, legal, HR and IT knowledge, as well as expertise in the products and services within the scope. Building and running an ISMS is usually a collaborative team job. The most important thing is an understanding of the organisation, its purpose and goals, its culture, its risk appetite and the requirements expressed in clauses 4.1, 4.2, 4.3, 6.1 and 6.2.
So how do you demonstrate compliance to clause 7.2 of ISO 27001?
Alongside the 7.3 awareness and 7.4 communication clauses, 7.2 can be demonstrated with a summary statement about the team involved and their credentials, with links across the ISMS to their work as evidence (which saves time if you are using a joined-up platform like ISMS.online).
Additionally, a simple table listing the people involved, the role each performs and notes on their relevant experience, training or education is helpful, and some auditors like to see that detail. It does not have to be a CV; just show why each person is involved, e.g. Fred Bloggs, implementation leader, whose day job is service delivery and IT manager, with 5 years' experience in both fields and relevant training or education such as online cyber security courses and a master's degree in computer science.
This can be kept very simple; it is not an information security training needs analysis or a detailed action plan (although you might want one of those too, depending on the organisation's style and its approach to HR development plans). All the external auditor wants to know is that the team involved is competent, and some or all of the team will probably take part in the audit process anyway, at which point the auditor will form their own opinion.
Remember, information security done with a business-led approach is about running the business better, not just implementing 114 controls for the sake of it. It is therefore unlikely there will be gaps in the core skills and understanding of your organisation; if there were, it would be unlikely to be operating at all. If, however, there are gaps in the competence, skills and experience needed to implement and run an information security management system that meets this clause, they can be closed in a number of ways:
- Sending the staff involved on ISO 27001 lead auditor, lead implementer or implementation training courses, or one of the many other information security courses available. This can, however, become expensive for one person, let alone a team, both in cost and in time out of the office. It can also create implementation issues of its own if the trainer or programme is too generic, out of date, or fails to understand the organisation's culture and ways of working.
- Reading the many free resources on the internet, such as the resources on this website and sites like the National Cyber Security Centre (NCSC) with its specialist guides and checklists, and digesting the ISO 27001 and ISO 27002 standards, will also show the auditor a level of competence. That dovetails with Annex A 6.1.4 (contact with special interest groups), which calls for staying aware of and involved in specialist information security forums and professional associations.
- Hiring in specialist resources to help build competence: there is a growing market for virtual CISOs (Chief Information Security Officers) and the teams around them. This can certainly make sense, and we recommend it for targeted work alongside the internal staff who are specialists in their own fields, when the organisation has capacity and capability gaps and budget is less of a constraint. Many of the ISMS.online partners offer such a service and we are happy to suggest a partner who can help close these gaps and add even more value on top of ISMS.online.
- Using the Virtual Coach service inside ISMS.online to build and grow competence across the implementation team, showing the auditor that each team member has been through information security coaching and mentoring and has been trained on the preparation plan, so they understand from the ground up what an information security management system is, why it is required and what their job is on the team. They can also demonstrate working confidently and consistently to a level that follows the Virtual Coach guides, tips and videos inside each of the requirements and Annex A control areas.
ISO 27001 Annex A Controls
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
About ISO 27001
ISO 27001 requirements
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement