ISO 27001 Section 7.2 – Competence
The aim here is to demonstrate an adequate and proportionate level of information security knowledge and competence. That competence can come from internal or external resources, for example an information security advisor brought into the company for a short period of time.
The competence of the individuals involved with the ISMS should be assessed, the organisation's requirements identified, and what counts as adequate competence agreed. You should then identify how to fill any gaps.
The organisation should commit to providing training, education or mentoring to any individual tasked with maintaining information security.
ISO 27001 Section 7.3 – Awareness
Everyone doing work under the organisation's control, not only the person responsible for managing the information security management system, should be aware of the policies and controls held within it and of their own contribution to it.
- Have they read and understood the organisation's information security policy?
- Do they understand the importance of maintaining and continually improving an ISMS?
- Do they understand the implications of not maintaining the ISMS and not meeting the requirements of ISO 27001?
ISO 27001 Section 7.4 – Communication
The organisation should have a plan in place for communicating, internally and externally, information about the information security management system – this could include the benefits of using an ISMS. A formal process of communication should be agreed and documented.
The process could include the following:
- what will be communicated;
- when it will be communicated;
- with whom;
- who shall own the communication; and
- the process by which it will be communicated.
How to easily demonstrate 7.1 – 7.4 Resources
The ISMS.online platform makes it easy for you to determine and provide the necessary resources, competencies, awareness and communication capabilities for establishing and implementing an ISMS.
- Step 1 : Adopt, adapt and add
- Step 2 : Demonstrate to your auditors
- Step 3 : A time-saving path to certification
- Step 4 : Extra support whenever you need it
Step 1 : Adopt, adapt and add
The AAA framework for 7.1-7.4 can be adapted to reflect any additional training, coaching or consulting that your organisation has invested in, including the Virtual Coach programme.
You are provided with ready-made controls and references to subordinate policies that can be adopted, adapted, or added to out of the box.
This means that you have a ready-made, simple-to-follow foundation for ISO 27001 compliance or certification, giving you a 77% head start.