What is covered under ISO 27001 Clause 7.3?
Clause 7.3 of ISO/IEC 27001 is a simple one that dovetails with clause 7.2 (competence) and clause 7.4 (broader communication about the information security management system to all relevant interested parties).
ISO 27001 seeks confirmation that the persons doing the work are aware of:
- the information security policy
- their contribution to the effectiveness of the ISMS, including the benefits of its improved performance
- what happens when the information security management system does not conform to its requirements
How to demonstrate awareness for clause 7.2 of the ISO 27001 standard
As part of a joined-up implementation of the ISMS, the resources involved in building it will have participated in creating the information security policy for top management to approve (clause 5.2). They will also have a good understanding of their role, because it will have been agreed and documented as part of clause 7.1 (and the other areas already noted above).
We also recommend that:
- Anyone involved in an ISMS implementation reads the ISO 27001 standard to understand its requirements and is then shown how those requirements are being addressed in practice (which is easy in ISMS.online). This includes awareness and understanding of 6.1 risk management, 6.2 ISMS objectives, 9.1 broader measurement and evaluation, 9.2 internal audits, 9.3 management reviews, 10.1 nonconformities and corrective actions, and continual improvement in line with 10.2.
- In addition to the specific awareness of ISMS administration and operation above, staff involved in the ISMS follow the same path as those who are part of the broader communication under clause 7.4, where staff communication, engagement and compliance are considered. This also dovetails with the HR security lifecycle, in particular Annex A 7.2.2, information security awareness, education and training.